Merge branch '13190-symbolize-vulnerabilities-keys' into 'master'

Symbolize keys for vulnerability

See merge request gitlab-org/gitlab-ee!14976

ee/app/services/security/dependency_list_service.rb

@@ -72,10 +72,8 @@ module Security
     # will have highest severity
     def sort_by_severity(collection)
       collection.sort do |dep_i, dep_j|
-        vuln_i = dep_i[:vulnerabilities]
-        vuln_j = dep_j[:vulnerabilities]
-        level_i = vuln_i.any? ? vuln_i.first['severity'].downcase : :undefined
-        level_j = vuln_j.any? ? vuln_j.first['severity'].downcase : :undefined
+        level_i = dep_i.dig(:vulnerabilities, 0, :severity) || :undefined
+        level_j = dep_j.dig(:vulnerabilities, 0, :severity) || :undefined
 
         ::Vulnerabilities::Occurrence::SEVERITY_LEVELS[level_j] <=> ::Vulnerabilities::Occurrence::SEVERITY_LEVELS[level_i]
       end

ee/lib/gitlab/ci/parsers/security/formatters/dependency_list.rb

@@ -37,7 +37,7 @@ module Gitlab
             # https://gitlab.com/gitlab-org/security-products/analyzers/common/blob/a0a5074c49f34332aa3948cd9d6dc2c054cdf3a7/issue/issue.go#L169
             def location(dependency, file_path)
               {
-                "file" => file_path,
+                'file' => file_path,
                 'dependency' => {
                   'package' => {
                     'name' => dependency['package']['name']
@@ -69,9 +69,16 @@ module Gitlab
             def collect_vulnerabilities(vulnerabilities, dependency, file_path)
               dependency_location = location(dependency, file_path)
 
-              vulnerabilities.select do |vulnerability|
-                vulnerability['location'] == dependency_location
-              end
+              vulnerabilities
+                .select { |vulnerability| vulnerability['location'] == dependency_location }
+                .map { |vulnerability| formatted_vulnerability(vulnerability) }
+            end
+
+            def formatted_vulnerability(vulnerability)
+              {
+                name: vulnerability['name'],
+                severity: vulnerability['severity'].downcase
+              }
             end
           end
         end

ee/spec/lib/gitlab/ci/parsers/security/dependency_list_spec.rb

@@ -37,10 +37,10 @@ describe Gitlab::Ci::Parsers::Security::DependencyList do
         vuln_async = report.dependencies[3][:vulnerabilities]
 
         expect(vuln_nokogiri.size).to eq(4)
-        expect(vuln_nokogiri[0]['name']).to eq('Vulnerabilities in libxml2')
-        expect(vuln_nokogiri[0]['severity']).to eq('High')
+        expect(vuln_nokogiri[0][:name]).to eq('Vulnerabilities in libxml2')
+        expect(vuln_nokogiri[0][:severity]).to eq('high')
         expect(vuln_debug.size).to eq(1)
-        expect(vuln_debug[0]['name']).to eq('Regular Expression Denial of Service')
+        expect(vuln_debug[0][:name]).to eq('Regular Expression Denial of Service')
         expect(vuln_async.size).to eq(0)
       end
     end

ee/spec/lib/gitlab/ci/parsers/security/formatters/dependency_list_spec.rb

@@ -43,9 +43,9 @@ describe Gitlab::Ci::Parsers::Security::Formatters::DependencyList do
         vulnerabilities = data[:vulnerabilities]
 
         expect(vulnerabilities.size).to eq(4)
-        expect(vulnerabilities[0]['name']).to eq('Vulnerabilities in libxml2')
-        expect(vulnerabilities[3]['name']).to eq('Bypass of a protection mechanism in libxslt')
-        expect(vulnerabilities[0]['severity']).to eq('High')
+        expect(vulnerabilities[0][:name]).to eq('Vulnerabilities in libxml2')
+        expect(vulnerabilities[3][:name]).to eq('Bypass of a protection mechanism in libxslt')
+        expect(vulnerabilities[0][:severity]).to eq('high')
       end
     end
   end