Merge branch 'parse-fields-for-secure-tracking' into 'master'

Parse fields for use in Secure tracking See merge request gitlab-org/gitlab!64586

Merge branch 'parse-fields-for-secure-tracking' into 'master'
Parse fields for use in Secure tracking See merge request gitlab-org/gitlab!64586
36110f35 · Sean McGivern · 4df0f319 · 695389c6 · 36110f35 · 36110f35
Commit 36110f35 authored Jun 25, 2021 by Sean McGivern
8 changed files
--- a/ee/lib/gitlab/ci/parsers/security/common.rb
+++ b/ee/lib/gitlab/ci/parsers/security/common.rb
@@ -25,6 +25,8 @@ module Gitlab

            create_scanner
            create_scan
+            create_analyzer
+            set_report_version
            collate_remediations.each { |vulnerability| create_vulnerability(vulnerability) }

            report_data
@@ -67,6 +69,10 @@ module Gitlab
            @scan_data ||= report_data.dig('scan')
          end

+          def analyzer_data
+            @analyzer_data ||= report_data.dig('scan', 'analyzer')
+          end
+
          # map remediations to relevant vulnerabilities
          def collate_remediations
            return report_data["vulnerabilities"] || [] unless report_data["remediations"]
@@ -166,6 +172,25 @@ module Gitlab
            report.scan = ::Gitlab::Ci::Reports::Security::Scan.new(scan_data)
          end

+          def set_report_version
+            report.version = report_version
+          end
+
+          def create_analyzer
+            return unless analyzer_data.is_a?(Hash)
+
+            params = {
+              id: analyzer_data.dig('id'),
+              name: analyzer_data.dig('name'),
+              version: analyzer_data.dig('version'),
+              vendor: analyzer_data.dig('vendor', 'name')
+            }
+
+            return unless params.values.all?
+
+            report.analyzer = ::Gitlab::Ci::Reports::Security::Analyzer.new(**params)
+          end
+
          def create_scanner(scanner_data = top_level_scanner)
            return unless scanner_data.is_a?(Hash)

@@ -173,7 +198,8 @@ module Gitlab
              ::Gitlab::Ci::Reports::Security::Scanner.new(
                external_id: scanner_data['id'],
                name: scanner_data['name'],
-                vendor: scanner_data.dig('vendor', 'name')))
+                vendor: scanner_data.dig('vendor', 'name'),
+                version: scanner_data.dig('version')))
          end

          def create_identifiers(identifiers)

--- a/ee/lib/gitlab/ci/reports/security/analyzer.rb
+++ b/ee/lib/gitlab/ci/reports/security/analyzer.rb
+# frozen_string_literal: true
+
+module Gitlab
+  module Ci
+    module Reports
+      module Security
+        class Analyzer
+          attr_reader :id, :name, :version, :vendor
+
+          def initialize(id:, name:, version:, vendor:)
+            @id = id
+            @name = name
+            @version = version
+            @vendor = vendor
+          end
+        end
+      end
+    end
+  end
+end
--- a/ee/lib/gitlab/ci/reports/security/report.rb
+++ b/ee/lib/gitlab/ci/reports/security/report.rb
@@ -6,7 +6,7 @@ module Gitlab
      module Security
        class Report
          attr_reader :created_at, :type, :pipeline, :findings, :scanners, :identifiers
-          attr_accessor :scan, :scanned_resources, :errors
+          attr_accessor :scan, :scanned_resources, :errors, :analyzer, :version

          delegate :project_id, to: :pipeline


--- a/ee/lib/gitlab/ci/reports/security/scanner.rb
+++ b/ee/lib/gitlab/ci/reports/security/scanner.rb
@@ -15,14 +15,15 @@ module Gitlab
            "semgrep" =>  2
          }.freeze

-          attr_accessor :external_id, :name, :vendor
+          attr_accessor :external_id, :name, :vendor, :version

          alias_method :key, :external_id

-          def initialize(external_id:, name:, vendor:)
+          def initialize(external_id:, name:, vendor:, version:)
            @external_id = external_id
            @name = name
            @vendor = vendor
+            @version = version
          end

          def to_hash

--- a/ee/spec/factories/ci/reports/security/scanners.rb
+++ b/ee/spec/factories/ci/reports/security/scanners.rb
@@ -5,6 +5,7 @@ FactoryBot.define do
    external_id { 'find_sec_bugs' }
    name { 'Find Security Bugs' }
    vendor { 'Security Scanner Vendor' }
+    version { '1.0.0' }

    skip_create


--- a/ee/spec/fixtures/security_reports/master/gl-common-scanning-report.json
+++ b/ee/spec/fixtures/security_reports/master/gl-common-scanning-report.json
@@ -133,6 +133,15 @@
    ],
    "dependency_files": [],
    "scan": {
+      "analyzer": {
+          "id": "common-analyzer",
+          "name": "Common Analyzer",
+          "url": "https://site.com/analyzer/common",
+          "version": "2.0.1",
+          "vendor": {
+            "name": "Common"
+          }
+        },
        "scanner": {
            "id": "gemnasium",
            "name": "Gemnasium",
@@ -146,5 +155,6 @@
        "start_time": "placeholder-value",
        "end_time": "placeholder-value",
        "status": "success"
-    }
+    },
+    "version": "14.0.2"
 }
--- a/ee/spec/lib/gitlab/ci/parsers/security/common_spec.rb
+++ b/ee/spec/lib/gitlab/ci/parsers/security/common_spec.rb
@@ -195,6 +195,22 @@ RSpec.describe Gitlab::Ci::Parsers::Security::Common do
        end
      end

+      describe 'top-level scanner' do
+        it 'is the primary scanner' do
+          expect(report.primary_scanner.external_id).to eq('gemnasium')
+          expect(report.primary_scanner.name).to eq('Gemnasium')
+          expect(report.primary_scanner.vendor).to eq('GitLab')
+          expect(report.primary_scanner.version).to eq('2.18.0')
+        end
+
+        it 'returns nil report has no scanner' do
+          empty_report = Gitlab::Ci::Reports::Security::Report.new(artifact.file_type, pipeline, 2.weeks.ago)
+          described_class.parse!({}.to_json, empty_report)
+
+          expect(empty_report.primary_scanner).to be_nil
+        end
+      end
+
      describe 'parsing scanners' do
        subject(:scanner) { report.findings.first.scanner }

@@ -225,6 +241,35 @@ RSpec.describe Gitlab::Ci::Parsers::Security::Common do
        end
      end

+      describe 'parsing schema version' do
+        it 'parses the version' do
+          expect(report.version).to eq('14.0.2')
+        end
+
+        it 'returns nil when there is no version' do
+          empty_report = Gitlab::Ci::Reports::Security::Report.new(artifact.file_type, pipeline, 2.weeks.ago)
+          described_class.parse!({}.to_json, empty_report)
+
+          expect(empty_report.version).to be_nil
+        end
+      end
+
+      describe 'parsing analyzer' do
+        it 'associates analyzer with report' do
+          expect(report.analyzer.id).to eq('common-analyzer')
+          expect(report.analyzer.name).to eq('Common Analyzer')
+          expect(report.analyzer.version).to eq('2.0.1')
+          expect(report.analyzer.vendor).to eq('Common')
+        end
+
+        it 'returns nil when analyzer data is not available' do
+          empty_report = Gitlab::Ci::Reports::Security::Report.new(artifact.file_type, pipeline, 2.weeks.ago)
+          described_class.parse!({}.to_json, empty_report)
+
+          expect(empty_report.analyzer).to be_nil
+        end
+      end
+
      describe 'parsing links' do
        it 'returns links object for each finding', :aggregate_failures do
          links = report.findings.flat_map(&:links)

--- a/ee/spec/lib/gitlab/ci/reports/security/scanner_spec.rb
+++ b/ee/spec/lib/gitlab/ci/reports/security/scanner_spec.rb
@@ -10,7 +10,8 @@ RSpec.describe Gitlab::Ci::Reports::Security::Scanner do
      {
        external_id: 'brakeman',
        name: 'Brakeman',
-        vendor: 'GitLab'
+        vendor: 'GitLab',
+        version: '1.0.1'
      }
    end