Commit 24541454 authored by Kerri Miller's avatar Kerri Miller

Merge branch 'jnnkl-remove-standalone-vuln-dependency-list-feature-flag' into 'master'

Remove standalone_vuln_dependency_list Feature Flag [RUN ALL RSPEC] [RUN AS-IF-FOSS]

See merge request gitlab-org/gitlab!59124
parents 4f3cd654 18f78a35
...@@ -26,7 +26,7 @@ To view your project's dependencies, ensure you meet the following requirements: ...@@ -26,7 +26,7 @@ To view your project's dependencies, ensure you meet the following requirements:
## View a project's dependencies ## View a project's dependencies
![Dependency list](img/dependency_list_v12_10.png) ![Dependency list](img/dependency_list_v13_11.png)
GitLab displays dependencies with the following information: GitLab displays dependencies with the following information:
...@@ -44,7 +44,8 @@ can also be sorted by name or by the packager that installed them. ...@@ -44,7 +44,8 @@ can also be sorted by name or by the packager that installed them.
If a dependency has known vulnerabilities, view them by clicking the arrow next to the If a dependency has known vulnerabilities, view them by clicking the arrow next to the
dependency's name or the badge that indicates how many known vulnerabilities exist. For each dependency's name or the badge that indicates how many known vulnerabilities exist. For each
vulnerability, its severity and description appears below it. vulnerability, its severity and description appears below it. To view more details of a vulnerability,
select the vulnerability’s description. The [vulnerability's details](../vulnerabilities) page is opened.
### Dependency paths ### Dependency paths
......
...@@ -24,11 +24,6 @@ export default { ...@@ -24,11 +24,6 @@ export default {
<div class="w-8em flex-shrink-0 text-right mr-3"> <div class="w-8em flex-shrink-0 text-right mr-3">
<severity-badge :severity="vulnerability.severity" /> <severity-badge :severity="vulnerability.severity" />
</div> </div>
<gl-link <gl-link :href="vulnerability.url">{{ vulnerability.name }}</gl-link>
v-if="glFeatures.standaloneVulnDependencyList && vulnerability.url"
:href="vulnerability.url"
>{{ vulnerability.name }}</gl-link
>
<span v-else data-testid="vulnerability-name-text">{{ vulnerability.name }}</span>
</div> </div>
</template> </template>
...@@ -6,10 +6,6 @@ module Projects ...@@ -6,10 +6,6 @@ module Projects
before_action :authorize_read_dependency_list! before_action :authorize_read_dependency_list!
before_action do
push_frontend_feature_flag(:standalone_vuln_dependency_list, project)
end
feature_category :dependency_scanning feature_category :dependency_scanning
def index def index
......
---
title: Remove standalone_vuln_dependency_list Feature Flag
merge_request: 59124
author:
type: changed
---
name: standalone_vuln_dependency_list
introduced_by_url: https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/55641
rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/324031
milestone: '13.10'
type: development
group: group::composition analysis
default_enabled: false
...@@ -26,7 +26,6 @@ module Gitlab ...@@ -26,7 +26,6 @@ module Gitlab
end end
def parse_vulnerabilities(report_data, report) def parse_vulnerabilities(report_data, report)
if Feature.enabled?(:standalone_vuln_dependency_list, project)
vuln_findings = pipeline.vulnerability_findings.dependency_scanning vuln_findings = pipeline.vulnerability_findings.dependency_scanning
vuln_findings.each do |finding| vuln_findings.each do |finding|
dependency = finding.location.dig("dependency") dependency = finding.location.dig("dependency")
...@@ -38,13 +37,6 @@ module Gitlab ...@@ -38,13 +37,6 @@ module Gitlab
report.add_dependency(formatter.format(dependency, '', file, vulnerability)) report.add_dependency(formatter.format(dependency, '', file, vulnerability))
end end
else
report_data.fetch('vulnerabilities', []).each do |vulnerability|
dependency = vulnerability.dig("location", "dependency")
file = vulnerability.dig("location", "file")
report.add_dependency(formatter.format(dependency, '', file, vulnerability))
end
end
end end
def parse_licenses!(json_data, report) def parse_licenses!(json_data, report)
......
...@@ -81,11 +81,9 @@ module Gitlab ...@@ -81,11 +81,9 @@ module Gitlab
vuln_params = { name: vulnerabilities['message'], severity: vulnerabilities['severity'].downcase } vuln_params = { name: vulnerabilities['message'], severity: vulnerabilities['severity'].downcase }
if Feature.enabled?(:standalone_vuln_dependency_list, project)
id = vulnerabilities[:vulnerability_id] id = vulnerabilities[:vulnerability_id]
standalone_vuln_params = { id: id, url: vulnerability_url(id) } standalone_vuln_params = { id: id, url: vulnerability_url(id) }
vuln_params.merge!(standalone_vuln_params) vuln_params.merge!(standalone_vuln_params)
end
[vuln_params] [vuln_params]
end end
......
...@@ -12,10 +12,10 @@ exports[`DependencyVulnerability component given an vulnerability matches the sn ...@@ -12,10 +12,10 @@ exports[`DependencyVulnerability component given an vulnerability matches the sn
/> />
</div> </div>
<span <gl-link-stub
data-testid="vulnerability-name-text" href="/testgroup/testproject/-/security/vulnerabilities/1"
> >
Insecure variable usage Insecure variable usage
</span> </gl-link-stub>
</div> </div>
`; `;
...@@ -47,34 +47,8 @@ describe('DependencyVulnerability component', () => { ...@@ -47,34 +47,8 @@ describe('DependencyVulnerability component', () => {
expect(badge.props().severity).toEqual(vulnerability.severity); expect(badge.props().severity).toEqual(vulnerability.severity);
}); });
it('renders the vulnerability name as text when standaloneVulnerabilityDependencyList Flag is off', () => { it('renders the vulnerability name as a Link', () => {
const text = wrapper.findByTestId('vulnerability-name-text');
expect(text.isVisible()).toBe(true);
expect(text.text()).toBe('Insecure variable usage');
});
it("doesn't render link when standaloneVulnerabilityDependencyList Flag is off", () => {
const link = findLink();
expect(link.exists()).toBe(false);
});
});
describe('Feature Flag on', () => {
const vulnerability = mockDataVulnerabilities[0];
beforeEach(() => {
factory(
{
propsData: {
vulnerability,
},
},
true,
);
});
it('renders the vulnerability name as Link when standaloneVulnerabilityDependencyList Flag is on', () => {
const link = findLink(); const link = findLink();
expect(link.exists()).toBe(true); expect(link.exists()).toBe(true);
expect(link.element.getAttribute('href')).toBe( expect(link.element.getAttribute('href')).toBe(
'/testgroup/testproject/-/security/vulnerabilities/1', '/testgroup/testproject/-/security/vulnerabilities/1',
......
...@@ -49,45 +49,6 @@ RSpec.describe Gitlab::Ci::Parsers::Security::DependencyList do ...@@ -49,45 +49,6 @@ RSpec.describe Gitlab::Ci::Parsers::Security::DependencyList do
end end
end end
context "with vulnerabilities from report" do
let(:artifact) { pipeline.job_artifacts.last }
before do
stub_feature_flags(standalone_vuln_dependency_list: false)
artifact.each_blob do |blob|
parser.parse!(blob, report)
end
end
it 'merge vulnerabilities data' do
vuln_nokogiri = report.dependencies[1][:vulnerabilities]
vuln_debug = report.dependencies[4][:vulnerabilities]
vuln_async = report.dependencies[3][:vulnerabilities]
expect(vuln_nokogiri.size).to eq(4)
expect(vuln_nokogiri[0][:name]).to eq('Vulnerabilities in libxml2 in nokogiri')
expect(vuln_nokogiri[0][:severity]).to eq('high')
expect(vuln_debug.size).to eq(1)
expect(vuln_debug[0][:name]).to eq('Regular Expression Denial of Service in debug')
expect(vuln_async.size).to eq(0)
end
context 'with dependency scanning artifact without dependency_list' do
let(:artifact) { create(:ee_ci_job_artifact, :dependency_scanning) }
before do
artifact.each_blob do |blob|
parser.parse!(blob, report)
end
end
it 'list of dependencies with vulnerabilities' do
expect(report.dependencies.size).to eq(4)
end
end
end
context 'with vulnerabilities in the database' do context 'with vulnerabilities in the database' do
let_it_be(:vulnerability) { create(:vulnerability, report_type: :dependency_scanning) } let_it_be(:vulnerability) { create(:vulnerability, report_type: :dependency_scanning) }
let_it_be(:finding) { create(:vulnerabilities_finding, :with_dependency_scanning_metadata, vulnerability: vulnerability) } let_it_be(:finding) { create(:vulnerabilities_finding, :with_dependency_scanning_metadata, vulnerability: vulnerability) }
......
...@@ -70,8 +70,6 @@ RSpec.describe Gitlab::Ci::Parsers::Security::Formatters::DependencyList do ...@@ -70,8 +70,6 @@ RSpec.describe Gitlab::Ci::Parsers::Security::Formatters::DependencyList do
context 'with vulnerable dependency' do context 'with vulnerable dependency' do
let(:dependency) { parsed_report['dependency_files'][0]['dependencies'][1] } let(:dependency) { parsed_report['dependency_files'][0]['dependencies'][1] }
let(:data) { formatter.format(dependency, package_manager, file_path, vulnerability_data) } let(:data) { formatter.format(dependency, package_manager, file_path, vulnerability_data) }
context 'with feature `standalone vulnerabilities` enabled' do
let_it_be(:standalone_vulnerability) { create(:vulnerability, report_type: :dependency_scanning) } let_it_be(:standalone_vulnerability) { create(:vulnerability, report_type: :dependency_scanning) }
let(:vulnerability_data) do let(:vulnerability_data) do
...@@ -88,22 +86,6 @@ RSpec.describe Gitlab::Ci::Parsers::Security::Formatters::DependencyList do ...@@ -88,22 +86,6 @@ RSpec.describe Gitlab::Ci::Parsers::Security::Formatters::DependencyList do
expect(vulnerability[:severity]).to eq('high') expect(vulnerability[:severity]).to eq('high')
end end
end end
context 'with disabled feature' do
let(:vulnerability_data) { parsed_report['vulnerabilities'].first }
before do
stub_feature_flags(standalone_vuln_dependency_list: false)
end
it 'merge vulnerabilities data' do
vulnerability = data[:vulnerabilities].first
expect(vulnerability[:name]).to eq('Vulnerabilities in libxml2 in nokogiri')
expect(vulnerability[:severity]).to eq('high')
end
end
end
end end
describe 'packager' do describe 'packager' do
......
...@@ -374,20 +374,14 @@ RSpec.describe Ci::Build do ...@@ -374,20 +374,14 @@ RSpec.describe Ci::Build do
before do before do
stub_licensed_features(dependency_scanning: true) stub_licensed_features(dependency_scanning: true)
stub_feature_flags(standalone_vuln_dependency_list: false)
end end
subject { job.collect_dependency_list_reports!(dependency_list_report) } subject { job.collect_dependency_list_reports!(dependency_list_report) }
it 'parses blobs and add the results to the report' do it 'parses blobs and add the results to the report' do
subject subject
blob_path = "/#{project.full_path}/-/blob/#{job.sha}/sast-sample-rails/Gemfile.lock"
netty = dependency_list_report.dependencies.first
ffi = dependency_list_report.dependencies.last
expect(dependency_list_report.dependencies.count).to eq(4) expect(dependency_list_report.dependencies.count).to eq(0)
expect(netty[:name]).to eq('io.netty/netty')
expect(ffi[:location][:blob_path]).to eq(blob_path)
end end
end end
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment