Merge branch '12713-vulnerabilities-to-dl-api' into 'master'

Add vulnerabilities to Dependencies API

See merge request gitlab-org/gitlab-ee!15485

ee/changelogs/unreleased/12713-vulnerabilities-to-dl-api.yml

+---
+title: Add vulnerabilities to Dependencies API
+merge_request: 15485
+author:
+type: added

ee/lib/api/dependencies.rb

@@ -37,7 +37,7 @@ module API
 
         dependencies = dependencies_by(declared_params.merge(project: user_project))
 
-        present dependencies, with: ::EE::API::Entities::Dependency
+        present dependencies, with: ::EE::API::Entities::Dependency, user: current_user, project: user_project
       end
     end
   end

ee/lib/ee/api/entities.rb

@@ -739,10 +739,21 @@ module EE
       end
 
       class Dependency < Grape::Entity
+        class Vulnerability < Grape::Entity
+          expose :name, :severity
+        end
+
         expose :name, :version, :package_manager, :dependency_file_path
         expose :dependency_file_path do |dependency|
           dependency[:location][:path]
         end
+        expose :vulnerabilities, using: Vulnerability, if: ->(_, opts) { can_read_vulnerabilities?(opts[:user], opts[:project]) }
+
+        private
+
+        def can_read_vulnerabilities?(user, project)
+          Ability.allowed?(user, :read_project_security_dashboard, project)
+        end
       end
     end
   end

ee/spec/fixtures/api/schemas/public_api/v4/dependencies.json

@@ -20,6 +20,17 @@
       },
       "dependency_file_path": {
         "type": "string"
+      },
+      "vulnerabilities": {
+        "type": "array",
+        "properties": {
+          "name": {
+            "type": "string"
+          },
+          "severity": {
+            "type": "string"
+          }
+        }
       }
     }
   }

ee/spec/requests/api/dependencies_spec.rb

@@ -17,6 +17,7 @@ describe API::Dependencies do
     context 'with an authorized user with proper permissions' do
       before do
         create(:ee_ci_pipeline, :with_dependency_list_report, project: project)
+        project.add_developer(user)
         request
       end
 
@@ -27,6 +28,13 @@ describe API::Dependencies do
         expect(json_response.length).to eq(21)
       end
 
+      it 'returns vulnerabilities info' do
+        vulnerability = json_response.select { |dep| dep['name'] == 'debug' }[0]['vulnerabilities'][0]
+
+        expect(vulnerability['name']).to eq('Regular Expression Denial of Service in debug')
+        expect(vulnerability['severity']).to eq('unknown')
+      end
+
       context 'with filter options' do
         let(:params) { { package_manager: 'yarn' } }
 
@@ -44,6 +52,17 @@ describe API::Dependencies do
       end
     end
 
+    context 'without permissions to see vulnerabilities' do
+      before do
+        create(:ee_ci_pipeline, :with_dependency_list_report, project: project)
+        request
+      end
+
+      it 'returns empty vulnerabilities' do
+        expect(json_response.first['vulnerabilities']).to be_nil
+      end
+    end
+
     context 'with authorized user without read permissions' do
       let(:project) { create(:project, :private) }