Merge branch 'remove-legacy-group-vuln-routes' into 'master'

Remove legacy vulnerability findings endpoints

See merge request gitlab-org/gitlab!21585

ee/app/controllers/concerns/vulnerabilities_api_feature_gate.rb

-# frozen_string_literal: true
-
-# TODO: remove this module and its usages when :first_class_vulnerabilities feature flag is removed
-# https://gitlab.com/gitlab-org/gitlab/issues/33488
-module VulnerabilitiesApiFeatureGate
-  extend ActiveSupport::Concern
-
-  included do
-    before_action :verify_vulnerabilities_action_enabled!
-
-    def verify_vulnerabilities_action_enabled!
-      access_denied! unless vulnerabilities_action_enabled?
-    end
-
-    def vulnerabilities_action_enabled?
-      raise NotImplementedError('Must be implemented in the including controller class')
-    end
-  end
-end

ee/app/controllers/groups/security/vulnerabilities_controller.rb

-# frozen_string_literal: true
-
-class Groups::Security::VulnerabilitiesController < Groups::ApplicationController
-  include VulnerabilitiesApiFeatureGate # must come first
-  include SecurityDashboardsPermissions
-  include ProjectCollectionVulnerabilityFindingsActions
-
-  alias_method :vulnerable, :group
-
-  private
-
-  # See the table below to understand the relation between first_class_vulnerabilities feature state and
-  # Group Security Dashboard controller being used:
-  #
-  # | first_class_vulnerabilities | controller to use                     |
-  # |---------------------------- | ------------------------------------- |
-  # | enabled                     | groups/security/vulnerability_findings |
-  # | disabled                    | groups/security/vulnerabilities        |
-  #
-  # The reason is that when first_class_vulnerabilities is enabled, Vulnerabilities name is reserved for
-  # Standalone Vulnerabilities https://gitlab.com/gitlab-org/gitlab/issues/13561, and the entity that
-  # was previously returned by Vulnerabilities-named endpoints get the name of Vulnerability Findings.
-  # See also: https://gitlab.com/gitlab-org/gitlab/merge_requests/19029
-  def vulnerabilities_action_enabled?
-    Feature.disabled?(:first_class_vulnerabilities)
-  end
-end

ee/app/controllers/groups/security/vulnerability_findings_controller.rb

 # frozen_string_literal: true
 
 class Groups::Security::VulnerabilityFindingsController < Groups::ApplicationController
-  include VulnerabilitiesApiFeatureGate # must come first
   include SecurityDashboardsPermissions
   include ProjectCollectionVulnerabilityFindingsActions
 
   alias_method :vulnerable, :group
-
-  private
-
-  # See the table below to understand the relation between first_class_vulnerabilities feature state and
-  # Group Security Dashboard controller being used:
-  #
-  # | first_class_vulnerabilities | controller to use                     |
-  # |---------------------------- | ------------------------------------- |
-  # | enabled                     | groups/security/vulnerability_findings |
-  # | disabled                    | groups/security/vulnerabilities        |
-  #
-  # The reason is that when first_class_vulnerabilities is enabled, Vulnerabilities name is reserved for
-  # Standalone Vulnerabilities https://gitlab.com/gitlab-org/gitlab/issues/13561, and the entity that
-  # was previously returned by Vulnerabilities-named endpoints get the name of Vulnerability Findings.
-  # See also: https://gitlab.com/gitlab-org/gitlab/merge_requests/19029
-  def vulnerabilities_action_enabled?
-    Feature.enabled?(:first_class_vulnerabilities)
-  end
 end

ee/app/controllers/projects/security/vulnerabilities_controller.rb

-# frozen_string_literal: true
-
-class Projects::Security::VulnerabilitiesController < Projects::ApplicationController
-  include VulnerabilitiesApiFeatureGate # must come first
-  include SecurityDashboardsPermissions
-  include ProjectVulnerabilityFindingsActions
-
-  alias_method :vulnerable, :project
-
-  private
-
-  # See the table below to understand the relation between first_class_vulnerabilities feature state and
-  # Group Security Dashboard controller being used:
-  #
-  # | first_class_vulnerabilities | controller to use                        |
-  # |---------------------------- | ---------------------------------------- |
-  # | enabled                     | projects/security/vulnerability_findings |
-  # | disabled                    | projects/security/vulnerabilities        |
-  #
-  # The reason is that when first_class_vulnerabilities is enabled, Vulnerabilities name is reserved for
-  # Standalone Vulnerabilities https://gitlab.com/gitlab-org/gitlab/issues/13561, and the entity that
-  # was previously returned by Vulnerabilities-named endpoints get the name of Vulnerability Findings.
-  # See also: https://gitlab.com/gitlab-org/gitlab/merge_requests/19029
-  def vulnerabilities_action_enabled?
-    Feature.disabled?(:first_class_vulnerabilities)
-  end
-end

ee/app/controllers/projects/security/vulnerability_findings_controller.rb

 # frozen_string_literal: true
 
 class Projects::Security::VulnerabilityFindingsController < Projects::ApplicationController
-  include VulnerabilitiesApiFeatureGate # must come first
   include SecurityDashboardsPermissions
   include ProjectVulnerabilityFindingsActions
 
   alias_method :vulnerable, :project
-
-  private
-
-  # See the table below to understand the relation between first_class_vulnerabilities feature state and
-  # Group Security Dashboard controller being used:
-  #
-  # | first_class_vulnerabilities | controller to use                        |
-  # |---------------------------- | ---------------------------------------- |
-  # | enabled                     | projects/security/vulnerability_findings |
-  # | disabled                    | projects/security/vulnerabilities        |
-  #
-  # The reason is that when first_class_vulnerabilities is enabled, Vulnerabilities name is reserved for
-  # Standalone Vulnerabilities https://gitlab.com/gitlab-org/gitlab/issues/13561, and the entity that
-  # was previously returned by Vulnerabilities-named endpoints get the name of Vulnerability Findings.
-  # See also: https://gitlab.com/gitlab-org/gitlab/merge_requests/19029
-  def vulnerabilities_action_enabled?
-    Feature.enabled?(:first_class_vulnerabilities)
-  end
 end

ee/app/helpers/ee/groups_helper.rb

@@ -60,33 +60,6 @@ module EE
       { group_id: group }
     end
 
-    def group_vulnerabilities_endpoint_path(group)
-      params = group_path_params(group)
-      if ::Feature.enabled?(:first_class_vulnerabilities)
-        group_security_vulnerability_findings_path(params)
-      else
-        group_security_vulnerabilities_path(params)
-      end
-    end
-
-    def group_vulnerabilities_summary_endpoint_path(group)
-      params = group_path_params(group)
-      if ::Feature.enabled?(:first_class_vulnerabilities)
-        summary_group_security_vulnerability_findings_path(params)
-      else
-        summary_group_security_vulnerabilities_path(params)
-      end
-    end
-
-    def group_vulnerabilities_history_endpoint_path(group)
-      params = group_path_params(group)
-      if ::Feature.enabled?(:first_class_vulnerabilities)
-        history_group_security_vulnerability_findings_path(params)
-      else
-        history_group_security_vulnerabilities_path(params)
-      end
-    end
-
     private
 
     def get_group_sidebar_links

ee/app/helpers/ee/projects_helper.rb

@@ -201,8 +201,8 @@ module EE
       else
         {
           project: { id: project.id, name: project.name },
-          vulnerabilities_endpoint: project_vulnerabilities_endpoint_path(project),
-          vulnerabilities_summary_endpoint: project_vulnerabilities_summary_endpoint_path(project),
+          vulnerabilities_endpoint: project_security_vulnerability_findings_path(project),
+          vulnerabilities_summary_endpoint: summary_project_security_vulnerability_findings_path(project),
           vulnerability_feedback_help_path: help_page_path("user/application_security/index", anchor: "interacting-with-the-vulnerabilities"),
           empty_state_svg_path: image_path('illustrations/security-dashboard-empty-state.svg'),
           dashboard_documentation: help_page_path('user/application_security/security_dashboard/index'),
@@ -222,22 +222,6 @@ module EE
       end
     end
 
-    def project_vulnerabilities_endpoint_path(project)
-      if ::Feature.enabled?(:first_class_vulnerabilities)
-        project_security_vulnerability_findings_path(project)
-      else
-        project_security_vulnerabilities_path(project)
-      end
-    end
-
-    def project_vulnerabilities_summary_endpoint_path(project)
-      if ::Feature.enabled?(:first_class_vulnerabilities)
-        summary_project_security_vulnerability_findings_path(project)
-      else
-        summary_project_security_vulnerabilities_path(project)
-      end
-    end
-
     def can_create_feedback?(project, feedback_type)
       feedback = Vulnerabilities::Feedback.new(project: project, feedback_type: feedback_type)
       can?(current_user, :create_vulnerability_feedback, feedback)

ee/app/views/groups/security/dashboard/show.html.haml

 - breadcrumb_title _("Security Dashboard")
 - page_title _("Security Dashboard")
 
-#js-group-security-dashboard{ data: { vulnerabilities_endpoint: group_vulnerabilities_endpoint_path(@group),
-  vulnerabilities_summary_endpoint: group_vulnerabilities_summary_endpoint_path(@group),
-  vulnerabilities_history_endpoint: group_vulnerabilities_history_endpoint_path(@group),
+#js-group-security-dashboard{ data: { vulnerabilities_endpoint: group_security_vulnerability_findings_path(@group),
+  vulnerabilities_summary_endpoint: summary_group_security_vulnerability_findings_path(@group),
+  vulnerabilities_history_endpoint: history_group_security_vulnerability_findings_path(@group),
   projects_endpoint: expose_url(api_v4_groups_projects_path(id: @group.id)),
   vulnerability_feedback_help_path: help_page_path("user/application_security/index", anchor: "interacting-with-the-vulnerabilities"),
   empty_state_svg_path: image_path('illustrations/security-dashboard-empty-state.svg'),

ee/config/routes/group.rb

@@ -112,17 +112,7 @@ constraints(::Constraints::GroupUrlConstrainer.new) do
     namespace :security do
       resource :dashboard, only: [:show], controller: :dashboard
       resources :vulnerable_projects, only: [:index]
-      # We have to define both legacy and new routes for Vulnerability Findings
-      # because they are loaded upon application initialization and preloaded by
-      # web server.
-      # TODO: remove this comment and `resources :vulnerabilities` when feature flag is removed
-      # see https://gitlab.com/gitlab-org/gitlab/issues/33488
-      resources :vulnerabilities, only: [:index] do
-        collection do
-          get :summary
-          get :history
-        end
-      end
+
       resources :vulnerability_findings, only: [:index] do
         collection do
           get :summary

ee/config/routes/project.rb

@@ -170,16 +170,6 @@ constraints(::Constraints::ProjectUrlConstrainer.new) do
         resource :dashboard, only: [:show], controller: :dashboard
         resource :configuration, only: [:show], controller: :configuration
 
-        # We have to define both legacy and new routes for Vulnerability Findings
-        # because they are loaded upon application initialization and preloaded by
-        # web server.
-        # TODO: remove this comment and `resources :vulnerabilities` when applicable
-        # see https://gitlab.com/gitlab-org/gitlab/issues/33488
-        resources :vulnerabilities, only: [:index] do
-          collection do
-            get :summary
-          end
-        end
         resources :vulnerability_findings, only: [:index] do
           collection do
             get :summary

ee/spec/controllers/groups/security/vulnerabilities_controller_spec.rb

-# frozen_string_literal: true
-
-require 'spec_helper'
-
-describe Groups::Security::VulnerabilitiesController do
-  let(:group) { create(:group) }
-  let(:params) { { group_id: group } }
-  let(:user) { create(:user) }
-
-  # when new Vulnerability Findings API is enabled this controller is not,
-  # its actions are "moved" Groups::Security::VulnerabilityFindingsController
-
-  it_behaves_like 'ProjectVulnerabilityFindingsActions disabled' do
-    let(:vulnerable) { group }
-    let(:vulnerable_params) { params }
-  end
-
-  it_behaves_like 'SecurityDashboardsPermissions disabled' do
-    let(:vulnerable) { group }
-    let(:security_dashboard_action) { get :index, params: params, format: :json }
-  end
-
-  it_behaves_like 'disabled group vulnerability findings controller'
-
-  context 'when new Vulnerability Findings API is disabled' do
-    before do
-      stub_feature_flags(first_class_vulnerabilities: false)
-    end
-
-    # when new Vulnerability Findings API is disabled, we fall back to this controller
-
-    it_behaves_like ProjectVulnerabilityFindingsActions do
-      let(:vulnerable) { group }
-      let(:vulnerable_params) { params }
-    end
-
-    it_behaves_like SecurityDashboardsPermissions do
-      let(:vulnerable) { group }
-      let(:security_dashboard_action) { get :index, params: params, format: :json }
-    end
-
-    it_behaves_like 'group vulnerability findings controller'
-  end
-end

ee/spec/controllers/groups/security/vulnerability_findings_controller_spec.rb

@@ -7,8 +7,6 @@ describe Groups::Security::VulnerabilityFindingsController do
   let(:params) { { group_id: group } }
   let(:user) { create(:user) }
 
-  # when new Vulnerability Findings API is enabled, this controller is enabled as well
-
   it_behaves_like ProjectVulnerabilityFindingsActions do
     let(:vulnerable) { group }
     let(:vulnerable_params) { params }
@@ -19,26 +17,117 @@ describe Groups::Security::VulnerabilityFindingsController do
     let(:security_dashboard_action) { get :index, params: params, format: :json }
   end
 
-  it_behaves_like 'group vulnerability findings controller'
+  describe 'GET index.json' do
+    before do
+      sign_in(user)
+      stub_licensed_features(security_dashboard: true)
+      group.add_developer(user)
+    end
+
+    it 'returns vulnerabilities for all projects in the group' do
+      # create projects for the group
+      2.times do
+        project = create(:project, namespace: group)
+        pipeline = create(:ci_pipeline, :success, project: project)
+
+        create(:vulnerabilities_occurrence, pipelines: [pipeline], project: project, severity: :high)
+      end
+
+      # create an ungrouped project to ensure we don't include it
+      project = create(:project)
+      pipeline = create(:ci_pipeline, :success, project: project)
+      create(:vulnerabilities_occurrence, pipelines: [pipeline], project: project, severity: :high)
+
+      get :index, params: { group_id: group }, format: :json
+
+      expect(json_response.count).to be(2)
+    end
+  end
+
+  describe 'GET history.json' do
+    let(:params) { { group_id: group } }
+    let(:project) { create(:project, namespace: group) }
+    let(:pipeline) { create(:ci_pipeline, :success, project: project) }
 
-  context 'when new Vulnerability Findings API is disabled' do
     before do
-      stub_feature_flags(first_class_vulnerabilities: false)
+      sign_in(user)
+      stub_licensed_features(security_dashboard: true)
+      group.add_developer(user)
+
+      travel_to(Time.zone.parse('2018-11-10')) do
+        create(:vulnerabilities_occurrence,
+                pipelines: [pipeline],
+                project: project,
+                report_type: :sast,
+                severity: :critical)
+
+        create(:vulnerabilities_occurrence,
+                pipelines: [pipeline],
+                project: project,
+                report_type: :dependency_scanning,
+                severity: :low)
+      end
+
+      travel_to(Time.zone.parse('2018-11-12')) do
+        create(:vulnerabilities_occurrence,
+                pipelines: [pipeline],
+                project: project,
+                report_type: :sast,
+                severity: :critical)
+
+        create(:vulnerabilities_occurrence,
+                pipelines: [pipeline],
+                project: project,
+                report_type: :dependency_scanning,
+                severity: :low)
+      end
     end
 
-    # when new Vulnerability Findings API is disabled, this controller is disabled as well
-    # and its actions are "moved" to Groups::Security::VulnerabilitiesController
+    subject { get :history, params: params, format: :json }
 
-    it_behaves_like 'ProjectVulnerabilityFindingsActions disabled' do
-      let(:vulnerable) { group }
-      let(:vulnerable_params) { params }
+    it 'returns vulnerability history within last 90 days' do
+      travel_to(Time.zone.parse('2019-02-11')) do
+        subject
+      end
+
+      expect(response).to have_gitlab_http_status(200)
+      expect(json_response['total']).to eq({ '2018-11-12' => 2 })
+      expect(json_response['critical']).to eq({ '2018-11-12' => 1 })
+      expect(json_response['low']).to eq({ '2018-11-12' => 1 })
+      expect(response).to match_response_schema('vulnerabilities/history', dir: 'ee')
     end
 
-    it_behaves_like 'SecurityDashboardsPermissions disabled' do
-      let(:vulnerable) { group }
-      let(:security_dashboard_action) { get :index, params: params, format: :json }
+    it 'returns empty history if there are no vulnerabilities within last 90 days' do
+      travel_to(Time.zone.parse('2019-02-13')) do
+        subject
+      end
+
+      expect(json_response).to eq({
+        "undefined" => {},
+        "info" => {},
+        "unknown" => {},
+        "low" => {},
+        "medium" => {},
+        "high" => {},
+        "critical" => {},
+        "total" => {}
+      })
     end
 
-    it_behaves_like 'disabled group vulnerability findings controller'
+    context 'with a report type filter' do
+      let(:params) { { group_id: group, report_type: %w[sast] } }
+
+      before do
+        travel_to(Time.zone.parse('2019-02-11')) do
+          subject
+        end
+      end
+
+      it 'returns filtered history if filters are enabled' do
+        expect(json_response['total']).to eq({ '2018-11-12' => 1 })
+        expect(json_response['critical']).to eq({ '2018-11-12' => 1 })
+        expect(json_response['low']).to eq({})
+      end
+    end
   end
 end

ee/spec/controllers/projects/security/vulnerabilities_controller_spec.rb

-# frozen_string_literal: true
-
-require 'spec_helper'
-
-describe Projects::Security::VulnerabilitiesController do
-  let(:project) { create(:project) }
-  let(:params) { { project_id: project, namespace_id: project.creator } }
-
-  # when new Vulnerability Findings API is enabled, this controller is not
-  # and its actions are "moved" to Projects::Security::VulnerabilityFindingsController
-
-  it_behaves_like 'ProjectVulnerabilityFindingsActions disabled' do
-    let(:vulnerable) { project }
-    let(:vulnerable_params) { params }
-  end
-
-  it_behaves_like 'SecurityDashboardsPermissions disabled' do
-    let(:vulnerable) { project }
-    let(:security_dashboard_action) { get :index, params: params, format: :json }
-  end
-
-  context 'when new Vulnerability Findings API is disabled' do
-    before do
-      stub_feature_flags(first_class_vulnerabilities: false)
-    end
-
-    # when new Vulnerability Findings API is disabled, we fall back to this controller
-
-    it_behaves_like ProjectVulnerabilityFindingsActions do
-      let(:vulnerable) { project }
-      let(:vulnerable_params) { params }
-    end
-
-    it_behaves_like SecurityDashboardsPermissions do
-      let(:vulnerable) { project }
-      let(:security_dashboard_action) { get :index, params: params, format: :json }
-    end
-  end
-end

ee/spec/controllers/projects/security/vulnerability_findings_controller_spec.rb

@@ -6,8 +6,6 @@ describe Projects::Security::VulnerabilityFindingsController do
   let(:project) { create(:project) }
   let(:params) { { project_id: project, namespace_id: project.creator } }
 
-  # when new Vulnerability Findings API is enabled, this controller serves it
-
   it_behaves_like ProjectVulnerabilityFindingsActions do
     let(:vulnerable) { project }
     let(:vulnerable_params) { params }
@@ -17,23 +15,4 @@ describe Projects::Security::VulnerabilityFindingsController do
     let(:vulnerable) { project }
     let(:security_dashboard_action) { get :index, params: params, format: :json }
   end
-
-  context 'when new Vulnerability Findings API is disabled' do
-    before do
-      stub_feature_flags(first_class_vulnerabilities: false)
-    end
-
-    # new Vulnerability Findings API is disabled and we fall back to
-    # Projects::Security::VulnerabilitiesController
-
-    it_behaves_like 'ProjectVulnerabilityFindingsActions disabled' do
-      let(:vulnerable) { project }
-      let(:vulnerable_params) { params }
-    end
-
-    it_behaves_like 'SecurityDashboardsPermissions disabled' do
-      let(:vulnerable) { project }
-      let(:security_dashboard_action) { get :index, params: params, format: :json }
-    end
-  end
 end

ee/spec/helpers/ee/groups_helper_spec.rb

@@ -50,24 +50,4 @@ describe GroupsHelper do
       expect(helper.group_sidebar_links).not_to include(:contribution_analytics, :epics)
     end
   end
-
-  context 'when new Vulnerability Findings API enabled' do
-    it 'returns new "vulnerability findings" endpoint paths' do
-      expect(helper.group_vulnerabilities_endpoint_path(group)).to eq group_security_vulnerability_findings_path(group)
-      expect(helper.group_vulnerabilities_summary_endpoint_path(group)).to eq summary_group_security_vulnerability_findings_path(group)
-      expect(helper.group_vulnerabilities_history_endpoint_path(group)).to eq history_group_security_vulnerability_findings_path(group)
-    end
-  end
-
-  context 'when new Vulnerability Findings API disabled' do
-    before do
-      stub_feature_flags(first_class_vulnerabilities: false)
-    end
-
-    it 'returns legacy "vulnerabilities" endpoint paths' do
-      expect(helper.group_vulnerabilities_endpoint_path(group)).to eq group_security_vulnerabilities_path(group)
-      expect(helper.group_vulnerabilities_summary_endpoint_path(group)).to eq summary_group_security_vulnerabilities_path(group)
-      expect(helper.group_vulnerabilities_history_endpoint_path(group)).to eq history_group_security_vulnerabilities_path(group)
-    end
-  end
 end

ee/spec/helpers/projects_helper_spec.rb

@@ -133,25 +133,12 @@ describe ProjectsHelper do
         expect(subject[:has_pipeline_data]).to eq 'true'
       end
 
-      context 'when new Vulnerability Findings API enabled' do
-        it 'returns new "vulnerability findings" endpoint paths' do
-          expect(subject[:vulnerabilities_endpoint]).to eq project_security_vulnerability_findings_path(project)
-          expect(subject[:vulnerabilities_summary_endpoint]).to(
-            eq(
-              summary_project_security_vulnerability_findings_path(project)
-            ))
-        end
-      end
-
-      context 'when new Vulnerability Findings API disabled' do
-        before do
-          stub_feature_flags(first_class_vulnerabilities: false)
-        end
-
-        it 'returns legacy "vulnerabilities" endpoint paths' do
-          expect(subject[:vulnerabilities_endpoint]).to eq project_security_vulnerabilities_path(project)
-          expect(subject[:vulnerabilities_summary_endpoint]).to eq summary_project_security_vulnerabilities_path(project)
-        end
+      it 'returns the "vulnerability findings" endpoint paths' do
+        expect(subject[:vulnerabilities_endpoint]).to eq project_security_vulnerability_findings_path(project)
+        expect(subject[:vulnerabilities_summary_endpoint]).to(
+          eq(
+            summary_project_security_vulnerability_findings_path(project)
+          ))
       end
     end
   end

ee/spec/routing/group_routing_spec.rb

@@ -29,19 +29,19 @@ describe 'Group routing', "routing" do
     it 'lists vulnerabilities' do
       allow(Group).to receive(:find_by_full_path).with('gitlabhq', any_args).and_return(true)
 
-      expect(get('/groups/gitlabhq/-/security/vulnerabilities')).to route_to('groups/security/vulnerabilities#index', group_id: 'gitlabhq')
+      expect(get('/groups/gitlabhq/-/security/vulnerability_findings')).to route_to('groups/security/vulnerability_findings#index', group_id: 'gitlabhq')
     end
 
     it 'shows vulnerability summary' do
       allow(Group).to receive(:find_by_full_path).with('gitlabhq', any_args).and_return(true)
 
-      expect(get('/groups/gitlabhq/-/security/vulnerabilities/summary')).to route_to('groups/security/vulnerabilities#summary', group_id: 'gitlabhq')
+      expect(get('/groups/gitlabhq/-/security/vulnerability_findings/summary')).to route_to('groups/security/vulnerability_findings#summary', group_id: 'gitlabhq')
     end
 
     it 'shows vulnerability history' do
       allow(Group).to receive(:find_by_full_path).with('gitlabhq', any_args).and_return(true)
 
-      expect(get('/groups/gitlabhq/-/security/vulnerabilities/history')).to route_to('groups/security/vulnerabilities#history', group_id: 'gitlabhq')
+      expect(get('/groups/gitlabhq/-/security/vulnerability_findings/history')).to route_to('groups/security/vulnerability_findings#history', group_id: 'gitlabhq')
     end
   end
 

ee/spec/support/shared_examples/controllers/concerns/project_vulnerability_findings_actions_disabled_shared_examples.rb

-# frozen_string_literal: true
-
-require 'spec_helper'
-
-shared_examples 'ProjectVulnerabilityFindingsActions disabled' do
-  include ApiHelpers
-  include VulnerableHelpers
-
-  let(:action_params) { vulnerable_params }
-  let(:user) { create(:user) }
-
-  before do
-    vulnerable.add_developer(user)
-
-    sign_in(user)
-    stub_licensed_features(security_dashboard: true)
-  end
-
-  describe 'GET index.json' do
-    subject { get :index, params: action_params, format: :json }
-
-    it 'is disabled and returns "not found"' do
-      subject
-
-      expect(response).to have_gitlab_http_status(404)
-    end
-  end
-
-  describe 'GET summary.json' do
-    subject { get :summary, params: action_params, format: :json }
-
-    before do
-      subject
-    end
-
-    it 'is disabled and returns "not found"' do
-      expect(response).to have_gitlab_http_status(404)
-    end
-  end
-end

ee/spec/support/shared_examples/controllers/concerns/security_dashboards_permissions_disabled_shared_examples.rb

-# frozen_string_literal: true
-
-require 'spec_helper'
-
-shared_examples 'SecurityDashboardsPermissions disabled' do
-  include ApiHelpers
-
-  let(:security_dashboard_user) { create(:user) }
-
-  before do
-    sign_in(security_dashboard_user)
-  end
-
-  describe 'access for all actions' do
-    context 'when security dashboard feature is enabled' do
-      it 'returns 404' do
-        stub_licensed_features(security_dashboard: true)
-
-        security_dashboard_action
-
-        expect(response).to have_gitlab_http_status(404)
-      end
-    end
-  end
-end

ee/spec/support/shared_examples/controllers/groups/security/vulnerabilities_controller_disabled_shared_examples.rb

-# frozen_string_literal: true
-
-shared_examples 'disabled group vulnerability findings controller' do
-  describe 'GET index.json' do
-    it 'is disabled and returns "not found" response' do
-      get :index, params: { group_id: group }, format: :json
-
-      expect(response).to have_gitlab_http_status(404)
-    end
-  end
-
-  describe 'GET history.json' do
-    it 'is disabled and returns "not found" response' do
-      get :history, params: { group_id: group }, format: :json
-
-      expect(response).to have_gitlab_http_status(404)
-    end
-  end
-end

ee/spec/support/shared_examples/controllers/groups/security/vulnerabilities_controller_shared_examples.rb

-# frozen_string_literal: true
-
-shared_examples 'group vulnerability findings controller' do
-  before do
-    sign_in(user)
-    stub_licensed_features(security_dashboard: true)
-    group.add_developer(user)
-  end
-
-  describe 'GET index.json' do
-    it 'returns vulnerabilities for all projects in the group' do
-      # create projects for the group
-      2.times do
-        project = create(:project, namespace: group)
-        pipeline = create(:ci_pipeline, :success, project: project)
-
-        create(:vulnerabilities_occurrence, pipelines: [pipeline], project: project, severity: :high)
-      end
-
-      # create an ungrouped project to ensure we don't include it
-      project = create(:project)
-      pipeline = create(:ci_pipeline, :success, project: project)
-      create(:vulnerabilities_occurrence, pipelines: [pipeline], project: project, severity: :high)
-
-      get :index, params: { group_id: group }, format: :json
-
-      expect(json_response.count).to be(2)
-    end
-  end
-
-  describe 'GET history.json' do
-    let(:params) { { group_id: group } }
-    let(:project) { create(:project, namespace: group) }
-    let(:pipeline) { create(:ci_pipeline, :success, project: project) }
-
-    subject { get :history, params: params, format: :json }
-
-    before do
-      travel_to(Time.zone.parse('2018-11-10')) do
-        create(:vulnerabilities_occurrence,
-                pipelines: [pipeline],
-                project: project,
-                report_type: :sast,
-                severity: :critical)
-
-        create(:vulnerabilities_occurrence,
-                pipelines: [pipeline],
-                project: project,
-                report_type: :dependency_scanning,
-                severity: :low)
-      end
-
-      travel_to(Time.zone.parse('2018-11-12')) do
-        create(:vulnerabilities_occurrence,
-                pipelines: [pipeline],
-                project: project,
-                report_type: :sast,
-                severity: :critical)
-
-        create(:vulnerabilities_occurrence,
-                pipelines: [pipeline],
-                project: project,
-                report_type: :dependency_scanning,
-                severity: :low)
-      end
-    end
-
-    it 'returns vulnerability history within last 90 days' do
-      travel_to(Time.zone.parse('2019-02-11')) do
-        subject
-      end
-
-      expect(response).to have_gitlab_http_status(200)
-      expect(json_response['total']).to eq({ '2018-11-12' => 2 })
-      expect(json_response['critical']).to eq({ '2018-11-12' => 1 })
-      expect(json_response['low']).to eq({ '2018-11-12' => 1 })
-      expect(response).to match_response_schema('vulnerabilities/history', dir: 'ee')
-    end
-
-    it 'returns empty history if there are no vulnerabilities within last 90 days' do
-      travel_to(Time.zone.parse('2019-02-13')) do
-        subject
-      end
-
-      expect(json_response).to eq({
-        "undefined" => {},
-        "info" => {},
-        "unknown" => {},
-        "low" => {},
-        "medium" => {},
-        "high" => {},
-        "critical" => {},
-        "total" => {}
-      })
-    end
-
-    context 'with a report type filter' do
-      let(:params) { { group_id: group, report_type: %w[sast] } }
-
-      before do
-        travel_to(Time.zone.parse('2019-02-11')) do
-          subject
-        end
-      end
-
-      it 'returns filtered history if filters are enabled' do
-        expect(json_response['total']).to eq({ '2018-11-12' => 1 })
-        expect(json_response['critical']).to eq({ '2018-11-12' => 1 })
-        expect(json_response['low']).to eq({})
-      end
-    end
-  end
-end