Corpus management row in configuration page

* Add row to configuration page for corpus management

Corpus management row in configuration page
* Add row to configuration page for corpus management
3fc05282 · Fernando · 3053566e · 3fc05282 · 3fc05282 · 3fc05282
Commit 3fc05282 authored Aug 31, 2021 by Fernando
7 changed files
--- a/app/assets/javascripts/security_configuration/components/constants.js
+++ b/app/assets/javascripts/security_configuration/components/constants.js
@@ -10,6 +10,7 @@ import {
  REPORT_TYPE_CONTAINER_SCANNING,
  REPORT_TYPE_CLUSTER_IMAGE_SCANNING,
  REPORT_TYPE_COVERAGE_FUZZING,
+  REPORT_TYPE_CORPUS_MANAGEMENT,
  REPORT_TYPE_API_FUZZING,
  REPORT_TYPE_LICENSE_COMPLIANCE,
 } from '~/vue_shared/security_reports/constants';
@@ -104,6 +105,12 @@ export const COVERAGE_FUZZING_CONFIG_HELP_PATH = helpPagePath(
  { anchor: 'configuration' },
 );

+export const CORPUS_MANAGEMENT_NAME = __('Corpus Management');
+export const CORPUS_MANAGEMENT_DESCRIPTION = s__(
+  'SecurityConfiguration|Manage corpus files used as mutation sources in coverage fuzzing.',
+);
+export const CORPUS_MANAGEMENT_CONFIG_TEXT = s__('SecurityConfiguration|Manage corpus');
+
 export const API_FUZZING_NAME = __('API Fuzzing');
 export const API_FUZZING_DESCRIPTION = __('Find bugs in your code with API fuzzing.');
 export const API_FUZZING_HELP_PATH = helpPagePath('user/application_security/api_fuzzing/index');
@@ -202,6 +209,14 @@ export const securityFeatures = [
    helpPath: COVERAGE_FUZZING_HELP_PATH,
    configurationHelpPath: COVERAGE_FUZZING_CONFIG_HELP_PATH,
    type: REPORT_TYPE_COVERAGE_FUZZING,
+    secondary: gon?.features?.corpusManagement
+      ? {
+          type: REPORT_TYPE_CORPUS_MANAGEMENT,
+          name: CORPUS_MANAGEMENT_NAME,
+          description: CORPUS_MANAGEMENT_DESCRIPTION,
+          configurationText: CORPUS_MANAGEMENT_CONFIG_TEXT,
+        }
+      : {},
  },
 ];


--- a/app/assets/javascripts/vue_shared/security_reports/constants.js
+++ b/app/assets/javascripts/vue_shared/security_reports/constants.js
@@ -24,6 +24,7 @@ export const REPORT_TYPE_DEPENDENCY_SCANNING = 'dependency_scanning';
 export const REPORT_TYPE_CONTAINER_SCANNING = 'container_scanning';
 export const REPORT_TYPE_CLUSTER_IMAGE_SCANNING = 'cluster_image_scanning';
 export const REPORT_TYPE_COVERAGE_FUZZING = 'coverage_fuzzing';
+export const REPORT_TYPE_CORPUS_MANAGEMENT = 'corpus_management';
 export const REPORT_TYPE_LICENSE_COMPLIANCE = 'license_scanning';
 export const REPORT_TYPE_API_FUZZING = 'api_fuzzing';


--- a/ee/app/controllers/ee/projects/security/configuration_controller.rb
+++ b/ee/app/controllers/ee/projects/security/configuration_controller.rb
@@ -14,6 +14,7 @@ module EE

          before_action only: [:show] do
            push_frontend_feature_flag(:security_auto_fix, project, default_enabled: false)
+            push_frontend_feature_flag(:corpus_management, project, default_enabled: :yaml)
          end

          before_action only: [:auto_fix] do

--- a/ee/app/presenters/projects/security/configuration_presenter.rb
+++ b/ee/app/presenters/projects/security/configuration_presenter.rb
@@ -61,7 +61,8 @@ module Projects
          scan(scan_type, configured: scanner_enabled?(scan_type))
        end

-        # DAST On-demand scans is a static (non job) entry.  Add it manually.
+        # These scans are "fake" (non job) entries. Add them manually.
+        scans << scan(:corpus_management, configured: true)
        scans << scan(:dast_profiles, configured: true)
      end

@@ -93,7 +94,8 @@ module Projects
          sast: project_security_configuration_sast_path(project),
          dast: project_security_configuration_dast_path(project),
          dast_profiles: project_security_configuration_dast_scans_path(project),
-          api_fuzzing: project_security_configuration_api_fuzzing_path(project)
+          api_fuzzing: project_security_configuration_api_fuzzing_path(project),
+          corpus_management: (project_security_configuration_corpus_management_path(project) if ::Feature.enabled?(:corpus_management, project, default_enabled: :yaml) && scanner_enabled?(:coverage_fuzzing))
        }[type]
      end


--- a/ee/spec/controllers/projects/security/configuration_controller_spec.rb
+++ b/ee/spec/controllers/projects/security/configuration_controller_spec.rb
@@ -62,7 +62,7 @@ RSpec.describe Projects::Security::ConfigurationController do
      it 'responds in json format when requested' do
        get :show, params: { namespace_id: project.namespace, project_id: project, format: :json }

-        types = %w(sast dast dast_profiles dependency_scanning container_scanning cluster_image_scanning secret_detection coverage_fuzzing license_scanning api_fuzzing)
+        types = %w(sast dast dast_profiles dependency_scanning container_scanning cluster_image_scanning secret_detection coverage_fuzzing license_scanning api_fuzzing corpus_management)

        expect(response).to have_gitlab_http_status(:ok)
        expect(json_response['features'].map { |f| f['type'] }).to match_array(types)
@@ -188,6 +188,7 @@ RSpec.describe Projects::Security::ConfigurationController do

      before do
        stub_feature_flags(security_auto_fix: false)
+        stub_feature_flags(corpus_management: false)

        request
      end

--- a/ee/spec/presenters/projects/security/configuration_presenter_spec.rb
+++ b/ee/spec/presenters/projects/security/configuration_presenter_spec.rb
@@ -90,7 +90,67 @@ RSpec.describe Projects::Security::ConfigurationPresenter do
          security_scan(:secret_detection, configured: true),
          security_scan(:coverage_fuzzing, configured: false),
          security_scan(:api_fuzzing, configured: false),
-          security_scan(:dast_profiles, configured: true)
+          security_scan(:dast_profiles, configured: true),
+          security_scan(:corpus_management, configured: true)
+        )
+      end
+    end
+
+    context "when coverage fuzzing has run in a pipeline with feature flag off" do
+      before do
+        pipeline = create(
+          :ci_pipeline,
+          :auto_devops_source,
+          project: project,
+          ref: project.default_branch,
+          sha: project.commit.sha
+        )
+        create(:ee_ci_build, :coverage_fuzzing, pipeline: pipeline, status: 'success')
+      end
+
+      it 'reports that coverage fuzzing, corpus management, and DAST are configured' do
+        expect(Gitlab::Json.parse(subject[:features])).to contain_exactly(
+          security_scan(:dast, configured: false),
+          security_scan(:sast, configured: false),
+          security_scan(:container_scanning, configured: false),
+          security_scan(:cluster_image_scanning, configured: false),
+          security_scan(:dependency_scanning, configured: false),
+          security_scan(:license_scanning, configured: false),
+          security_scan(:secret_detection, configured: false),
+          security_scan(:coverage_fuzzing, configured: false),
+          security_scan(:api_fuzzing, configured: false),
+          security_scan(:dast_profiles, configured: true),
+          security_scan(:corpus_management, configured: true)
+        )
+      end
+    end
+
+    context "when coverage fuzzing has run in a pipeline with feature flag on" do
+      before do
+        stub_feature_flags(corpus_management: true)
+        pipeline = create(
+          :ci_pipeline,
+          :auto_devops_source,
+          project: project,
+          ref: project.default_branch,
+          sha: project.commit.sha
+        )
+        create(:ee_ci_build, :coverage_fuzzing, pipeline: pipeline, status: 'success')
+      end
+
+      it 'reports that coverage fuzzing, corpus management, and DAST are configured' do
+        expect(Gitlab::Json.parse(subject[:features])).to contain_exactly(
+          security_scan(:dast, configured: false),
+          security_scan(:sast, configured: false),
+          security_scan(:container_scanning, configured: false),
+          security_scan(:cluster_image_scanning, configured: false),
+          security_scan(:dependency_scanning, configured: false),
+          security_scan(:license_scanning, configured: false),
+          security_scan(:secret_detection, configured: false),
+          security_scan(:coverage_fuzzing, configured: false),
+          security_scan(:api_fuzzing, configured: false),
+          security_scan(:dast_profiles, configured: true),
+          security_scan(:corpus_management, configured: true)
        )
      end
    end
@@ -115,7 +175,8 @@ RSpec.describe Projects::Security::ConfigurationPresenter do
          security_scan(:secret_detection, configured: false),
          security_scan(:coverage_fuzzing, configured: false),
          security_scan(:api_fuzzing, configured: false),
-          security_scan(:dast_profiles, configured: true)
+          security_scan(:dast_profiles, configured: true),
+          security_scan(:corpus_management, configured: true)
        )
      end
    end
@@ -147,7 +208,8 @@ RSpec.describe Projects::Security::ConfigurationPresenter do
          security_scan(:license_scanning, configured: false),
          security_scan(:secret_detection, configured: true),
          security_scan(:coverage_fuzzing, configured: false),
-          security_scan(:api_fuzzing, configured: false)
+          security_scan(:api_fuzzing, configured: false),
+          security_scan(:corpus_management, configured: true)
        )
      end

@@ -171,7 +233,8 @@ RSpec.describe Projects::Security::ConfigurationPresenter do
          security_scan(:license_scanning, configured: false),
          security_scan(:secret_detection, configured: false),
          security_scan(:coverage_fuzzing, configured: false),
-          security_scan(:api_fuzzing, configured: false)
+          security_scan(:api_fuzzing, configured: false),
+          security_scan(:corpus_management, configured: true)
        )
      end

@@ -188,7 +251,8 @@ RSpec.describe Projects::Security::ConfigurationPresenter do
          security_scan(:license_scanning, configured: true),
          security_scan(:secret_detection, configured: true),
          security_scan(:coverage_fuzzing, configured: false),
-          security_scan(:api_fuzzing, configured: false)
+          security_scan(:api_fuzzing, configured: false),
+          security_scan(:corpus_management, configured: true)
        )
      end

@@ -257,7 +321,8 @@ RSpec.describe Projects::Security::ConfigurationPresenter do
      dast: project_security_configuration_dast_path(project),
      dast_profiles: project_security_configuration_dast_scans_path(project),
      sast: project_security_configuration_sast_path(project),
-      api_fuzzing: project_security_configuration_api_fuzzing_path(project)
+      api_fuzzing: project_security_configuration_api_fuzzing_path(project),
+      corpus_management: nil
    }[type]
  end


--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -9240,6 +9240,9 @@ msgstr ""
 msgid "Copy value"
 msgstr ""

+msgid "Corpus Management"
+msgstr ""
+
 msgid "Corpus Management|Are you sure you want to delete the corpus?"
 msgstr ""

@@ -29758,6 +29761,12 @@ msgstr ""
 msgid "SecurityConfiguration|Immediately begin risk analysis and remediation with application security features. Start with SAST and Secret Detection, available to all plans. Upgrade to Ultimate to get all features, including:"
 msgstr ""

+msgid "SecurityConfiguration|Manage corpus"
+msgstr ""
+
+msgid "SecurityConfiguration|Manage corpus files used as mutation sources in coverage fuzzing."
+msgstr ""
+
 msgid "SecurityConfiguration|Manage profiles for use by DAST scans."
 msgstr ""