Commit 7aa7bdd2 authored by Mayra Cabrera's avatar Mayra Cabrera

Merge branch 'remove-legacy-group-vuln-routes' into 'master'

Remove legacy vulnerability findings endpoints

See merge request gitlab-org/gitlab!21585
parents df1f8cbb 2c9e783a
# frozen_string_literal: true
# TODO: remove this module and its usages when :first_class_vulnerabilities feature flag is removed
# https://gitlab.com/gitlab-org/gitlab/issues/33488
module VulnerabilitiesApiFeatureGate
extend ActiveSupport::Concern
included do
before_action :verify_vulnerabilities_action_enabled!
def verify_vulnerabilities_action_enabled!
access_denied! unless vulnerabilities_action_enabled?
end
def vulnerabilities_action_enabled?
raise NotImplementedError('Must be implemented in the including controller class')
end
end
end
# frozen_string_literal: true
class Groups::Security::VulnerabilitiesController < Groups::ApplicationController
include VulnerabilitiesApiFeatureGate # must come first
include SecurityDashboardsPermissions
include ProjectCollectionVulnerabilityFindingsActions
alias_method :vulnerable, :group
private
# See the table below to understand the relation between first_class_vulnerabilities feature state and
# Group Security Dashboard controller being used:
#
# | first_class_vulnerabilities | controller to use |
# |---------------------------- | ------------------------------------- |
# | enabled | groups/security/vulnerability_findings |
# | disabled | groups/security/vulnerabilities |
#
# The reason is that when first_class_vulnerabilities is enabled, Vulnerabilities name is reserved for
# Standalone Vulnerabilities https://gitlab.com/gitlab-org/gitlab/issues/13561, and the entity that
# was previously returned by Vulnerabilities-named endpoints get the name of Vulnerability Findings.
# See also: https://gitlab.com/gitlab-org/gitlab/merge_requests/19029
def vulnerabilities_action_enabled?
Feature.disabled?(:first_class_vulnerabilities)
end
end
# frozen_string_literal: true # frozen_string_literal: true
class Groups::Security::VulnerabilityFindingsController < Groups::ApplicationController class Groups::Security::VulnerabilityFindingsController < Groups::ApplicationController
include VulnerabilitiesApiFeatureGate # must come first
include SecurityDashboardsPermissions include SecurityDashboardsPermissions
include ProjectCollectionVulnerabilityFindingsActions include ProjectCollectionVulnerabilityFindingsActions
alias_method :vulnerable, :group alias_method :vulnerable, :group
private
# See the table below to understand the relation between first_class_vulnerabilities feature state and
# Group Security Dashboard controller being used:
#
# | first_class_vulnerabilities | controller to use |
# |---------------------------- | ------------------------------------- |
# | enabled | groups/security/vulnerability_findings |
# | disabled | groups/security/vulnerabilities |
#
# The reason is that when first_class_vulnerabilities is enabled, Vulnerabilities name is reserved for
# Standalone Vulnerabilities https://gitlab.com/gitlab-org/gitlab/issues/13561, and the entity that
# was previously returned by Vulnerabilities-named endpoints get the name of Vulnerability Findings.
# See also: https://gitlab.com/gitlab-org/gitlab/merge_requests/19029
def vulnerabilities_action_enabled?
Feature.enabled?(:first_class_vulnerabilities)
end
end end
# frozen_string_literal: true
class Projects::Security::VulnerabilitiesController < Projects::ApplicationController
include VulnerabilitiesApiFeatureGate # must come first
include SecurityDashboardsPermissions
include ProjectVulnerabilityFindingsActions
alias_method :vulnerable, :project
private
# See the table below to understand the relation between first_class_vulnerabilities feature state and
# Group Security Dashboard controller being used:
#
# | first_class_vulnerabilities | controller to use |
# |---------------------------- | ---------------------------------------- |
# | enabled | projects/security/vulnerability_findings |
# | disabled | projects/security/vulnerabilities |
#
# The reason is that when first_class_vulnerabilities is enabled, Vulnerabilities name is reserved for
# Standalone Vulnerabilities https://gitlab.com/gitlab-org/gitlab/issues/13561, and the entity that
# was previously returned by Vulnerabilities-named endpoints get the name of Vulnerability Findings.
# See also: https://gitlab.com/gitlab-org/gitlab/merge_requests/19029
def vulnerabilities_action_enabled?
Feature.disabled?(:first_class_vulnerabilities)
end
end
# frozen_string_literal: true # frozen_string_literal: true
class Projects::Security::VulnerabilityFindingsController < Projects::ApplicationController class Projects::Security::VulnerabilityFindingsController < Projects::ApplicationController
include VulnerabilitiesApiFeatureGate # must come first
include SecurityDashboardsPermissions include SecurityDashboardsPermissions
include ProjectVulnerabilityFindingsActions include ProjectVulnerabilityFindingsActions
alias_method :vulnerable, :project alias_method :vulnerable, :project
private
# See the table below to understand the relation between first_class_vulnerabilities feature state and
# Group Security Dashboard controller being used:
#
# | first_class_vulnerabilities | controller to use |
# |---------------------------- | ---------------------------------------- |
# | enabled | projects/security/vulnerability_findings |
# | disabled | projects/security/vulnerabilities |
#
# The reason is that when first_class_vulnerabilities is enabled, Vulnerabilities name is reserved for
# Standalone Vulnerabilities https://gitlab.com/gitlab-org/gitlab/issues/13561, and the entity that
# was previously returned by Vulnerabilities-named endpoints get the name of Vulnerability Findings.
# See also: https://gitlab.com/gitlab-org/gitlab/merge_requests/19029
def vulnerabilities_action_enabled?
Feature.enabled?(:first_class_vulnerabilities)
end
end end
...@@ -60,33 +60,6 @@ module EE ...@@ -60,33 +60,6 @@ module EE
{ group_id: group } { group_id: group }
end end
def group_vulnerabilities_endpoint_path(group)
params = group_path_params(group)
if ::Feature.enabled?(:first_class_vulnerabilities)
group_security_vulnerability_findings_path(params)
else
group_security_vulnerabilities_path(params)
end
end
def group_vulnerabilities_summary_endpoint_path(group)
params = group_path_params(group)
if ::Feature.enabled?(:first_class_vulnerabilities)
summary_group_security_vulnerability_findings_path(params)
else
summary_group_security_vulnerabilities_path(params)
end
end
def group_vulnerabilities_history_endpoint_path(group)
params = group_path_params(group)
if ::Feature.enabled?(:first_class_vulnerabilities)
history_group_security_vulnerability_findings_path(params)
else
history_group_security_vulnerabilities_path(params)
end
end
private private
def get_group_sidebar_links def get_group_sidebar_links
......
...@@ -201,8 +201,8 @@ module EE ...@@ -201,8 +201,8 @@ module EE
else else
{ {
project: { id: project.id, name: project.name }, project: { id: project.id, name: project.name },
vulnerabilities_endpoint: project_vulnerabilities_endpoint_path(project), vulnerabilities_endpoint: project_security_vulnerability_findings_path(project),
vulnerabilities_summary_endpoint: project_vulnerabilities_summary_endpoint_path(project), vulnerabilities_summary_endpoint: summary_project_security_vulnerability_findings_path(project),
vulnerability_feedback_help_path: help_page_path("user/application_security/index", anchor: "interacting-with-the-vulnerabilities"), vulnerability_feedback_help_path: help_page_path("user/application_security/index", anchor: "interacting-with-the-vulnerabilities"),
empty_state_svg_path: image_path('illustrations/security-dashboard-empty-state.svg'), empty_state_svg_path: image_path('illustrations/security-dashboard-empty-state.svg'),
dashboard_documentation: help_page_path('user/application_security/security_dashboard/index'), dashboard_documentation: help_page_path('user/application_security/security_dashboard/index'),
...@@ -222,22 +222,6 @@ module EE ...@@ -222,22 +222,6 @@ module EE
end end
end end
def project_vulnerabilities_endpoint_path(project)
if ::Feature.enabled?(:first_class_vulnerabilities)
project_security_vulnerability_findings_path(project)
else
project_security_vulnerabilities_path(project)
end
end
def project_vulnerabilities_summary_endpoint_path(project)
if ::Feature.enabled?(:first_class_vulnerabilities)
summary_project_security_vulnerability_findings_path(project)
else
summary_project_security_vulnerabilities_path(project)
end
end
def can_create_feedback?(project, feedback_type) def can_create_feedback?(project, feedback_type)
feedback = Vulnerabilities::Feedback.new(project: project, feedback_type: feedback_type) feedback = Vulnerabilities::Feedback.new(project: project, feedback_type: feedback_type)
can?(current_user, :create_vulnerability_feedback, feedback) can?(current_user, :create_vulnerability_feedback, feedback)
......
- breadcrumb_title _("Security Dashboard") - breadcrumb_title _("Security Dashboard")
- page_title _("Security Dashboard") - page_title _("Security Dashboard")
#js-group-security-dashboard{ data: { vulnerabilities_endpoint: group_vulnerabilities_endpoint_path(@group), #js-group-security-dashboard{ data: { vulnerabilities_endpoint: group_security_vulnerability_findings_path(@group),
vulnerabilities_summary_endpoint: group_vulnerabilities_summary_endpoint_path(@group), vulnerabilities_summary_endpoint: summary_group_security_vulnerability_findings_path(@group),
vulnerabilities_history_endpoint: group_vulnerabilities_history_endpoint_path(@group), vulnerabilities_history_endpoint: history_group_security_vulnerability_findings_path(@group),
projects_endpoint: expose_url(api_v4_groups_projects_path(id: @group.id)), projects_endpoint: expose_url(api_v4_groups_projects_path(id: @group.id)),
vulnerability_feedback_help_path: help_page_path("user/application_security/index", anchor: "interacting-with-the-vulnerabilities"), vulnerability_feedback_help_path: help_page_path("user/application_security/index", anchor: "interacting-with-the-vulnerabilities"),
empty_state_svg_path: image_path('illustrations/security-dashboard-empty-state.svg'), empty_state_svg_path: image_path('illustrations/security-dashboard-empty-state.svg'),
......
...@@ -112,17 +112,7 @@ constraints(::Constraints::GroupUrlConstrainer.new) do ...@@ -112,17 +112,7 @@ constraints(::Constraints::GroupUrlConstrainer.new) do
namespace :security do namespace :security do
resource :dashboard, only: [:show], controller: :dashboard resource :dashboard, only: [:show], controller: :dashboard
resources :vulnerable_projects, only: [:index] resources :vulnerable_projects, only: [:index]
# We have to define both legacy and new routes for Vulnerability Findings
# because they are loaded upon application initialization and preloaded by
# web server.
# TODO: remove this comment and `resources :vulnerabilities` when feature flag is removed
# see https://gitlab.com/gitlab-org/gitlab/issues/33488
resources :vulnerabilities, only: [:index] do
collection do
get :summary
get :history
end
end
resources :vulnerability_findings, only: [:index] do resources :vulnerability_findings, only: [:index] do
collection do collection do
get :summary get :summary
......
...@@ -170,16 +170,6 @@ constraints(::Constraints::ProjectUrlConstrainer.new) do ...@@ -170,16 +170,6 @@ constraints(::Constraints::ProjectUrlConstrainer.new) do
resource :dashboard, only: [:show], controller: :dashboard resource :dashboard, only: [:show], controller: :dashboard
resource :configuration, only: [:show], controller: :configuration resource :configuration, only: [:show], controller: :configuration
# We have to define both legacy and new routes for Vulnerability Findings
# because they are loaded upon application initialization and preloaded by
# web server.
# TODO: remove this comment and `resources :vulnerabilities` when applicable
# see https://gitlab.com/gitlab-org/gitlab/issues/33488
resources :vulnerabilities, only: [:index] do
collection do
get :summary
end
end
resources :vulnerability_findings, only: [:index] do resources :vulnerability_findings, only: [:index] do
collection do collection do
get :summary get :summary
......
# frozen_string_literal: true
require 'spec_helper'
describe Groups::Security::VulnerabilitiesController do
let(:group) { create(:group) }
let(:params) { { group_id: group } }
let(:user) { create(:user) }
# when new Vulnerability Findings API is enabled this controller is not,
# its actions are "moved" Groups::Security::VulnerabilityFindingsController
it_behaves_like 'ProjectVulnerabilityFindingsActions disabled' do
let(:vulnerable) { group }
let(:vulnerable_params) { params }
end
it_behaves_like 'SecurityDashboardsPermissions disabled' do
let(:vulnerable) { group }
let(:security_dashboard_action) { get :index, params: params, format: :json }
end
it_behaves_like 'disabled group vulnerability findings controller'
context 'when new Vulnerability Findings API is disabled' do
before do
stub_feature_flags(first_class_vulnerabilities: false)
end
# when new Vulnerability Findings API is disabled, we fall back to this controller
it_behaves_like ProjectVulnerabilityFindingsActions do
let(:vulnerable) { group }
let(:vulnerable_params) { params }
end
it_behaves_like SecurityDashboardsPermissions do
let(:vulnerable) { group }
let(:security_dashboard_action) { get :index, params: params, format: :json }
end
it_behaves_like 'group vulnerability findings controller'
end
end
...@@ -7,8 +7,6 @@ describe Groups::Security::VulnerabilityFindingsController do ...@@ -7,8 +7,6 @@ describe Groups::Security::VulnerabilityFindingsController do
let(:params) { { group_id: group } } let(:params) { { group_id: group } }
let(:user) { create(:user) } let(:user) { create(:user) }
# when new Vulnerability Findings API is enabled, this controller is enabled as well
it_behaves_like ProjectVulnerabilityFindingsActions do it_behaves_like ProjectVulnerabilityFindingsActions do
let(:vulnerable) { group } let(:vulnerable) { group }
let(:vulnerable_params) { params } let(:vulnerable_params) { params }
...@@ -19,26 +17,117 @@ describe Groups::Security::VulnerabilityFindingsController do ...@@ -19,26 +17,117 @@ describe Groups::Security::VulnerabilityFindingsController do
let(:security_dashboard_action) { get :index, params: params, format: :json } let(:security_dashboard_action) { get :index, params: params, format: :json }
end end
it_behaves_like 'group vulnerability findings controller' describe 'GET index.json' do
before do
sign_in(user)
stub_licensed_features(security_dashboard: true)
group.add_developer(user)
end
it 'returns vulnerabilities for all projects in the group' do
# create projects for the group
2.times do
project = create(:project, namespace: group)
pipeline = create(:ci_pipeline, :success, project: project)
create(:vulnerabilities_occurrence, pipelines: [pipeline], project: project, severity: :high)
end
# create an ungrouped project to ensure we don't include it
project = create(:project)
pipeline = create(:ci_pipeline, :success, project: project)
create(:vulnerabilities_occurrence, pipelines: [pipeline], project: project, severity: :high)
get :index, params: { group_id: group }, format: :json
expect(json_response.count).to be(2)
end
end
describe 'GET history.json' do
let(:params) { { group_id: group } }
let(:project) { create(:project, namespace: group) }
let(:pipeline) { create(:ci_pipeline, :success, project: project) }
context 'when new Vulnerability Findings API is disabled' do
before do before do
stub_feature_flags(first_class_vulnerabilities: false) sign_in(user)
stub_licensed_features(security_dashboard: true)
group.add_developer(user)
travel_to(Time.zone.parse('2018-11-10')) do
create(:vulnerabilities_occurrence,
pipelines: [pipeline],
project: project,
report_type: :sast,
severity: :critical)
create(:vulnerabilities_occurrence,
pipelines: [pipeline],
project: project,
report_type: :dependency_scanning,
severity: :low)
end
travel_to(Time.zone.parse('2018-11-12')) do
create(:vulnerabilities_occurrence,
pipelines: [pipeline],
project: project,
report_type: :sast,
severity: :critical)
create(:vulnerabilities_occurrence,
pipelines: [pipeline],
project: project,
report_type: :dependency_scanning,
severity: :low)
end
end end
# when new Vulnerability Findings API is disabled, this controller is disabled as well subject { get :history, params: params, format: :json }
# and its actions are "moved" to Groups::Security::VulnerabilitiesController
it_behaves_like 'ProjectVulnerabilityFindingsActions disabled' do it 'returns vulnerability history within last 90 days' do
let(:vulnerable) { group } travel_to(Time.zone.parse('2019-02-11')) do
let(:vulnerable_params) { params } subject
end
expect(response).to have_gitlab_http_status(200)
expect(json_response['total']).to eq({ '2018-11-12' => 2 })
expect(json_response['critical']).to eq({ '2018-11-12' => 1 })
expect(json_response['low']).to eq({ '2018-11-12' => 1 })
expect(response).to match_response_schema('vulnerabilities/history', dir: 'ee')
end end
it_behaves_like 'SecurityDashboardsPermissions disabled' do it 'returns empty history if there are no vulnerabilities within last 90 days' do
let(:vulnerable) { group } travel_to(Time.zone.parse('2019-02-13')) do
let(:security_dashboard_action) { get :index, params: params, format: :json } subject
end
expect(json_response).to eq({
"undefined" => {},
"info" => {},
"unknown" => {},
"low" => {},
"medium" => {},
"high" => {},
"critical" => {},
"total" => {}
})
end end
it_behaves_like 'disabled group vulnerability findings controller' context 'with a report type filter' do
let(:params) { { group_id: group, report_type: %w[sast] } }
before do
travel_to(Time.zone.parse('2019-02-11')) do
subject
end
end
it 'returns filtered history if filters are enabled' do
expect(json_response['total']).to eq({ '2018-11-12' => 1 })
expect(json_response['critical']).to eq({ '2018-11-12' => 1 })
expect(json_response['low']).to eq({})
end
end
end end
end end
# frozen_string_literal: true
require 'spec_helper'
describe Projects::Security::VulnerabilitiesController do
let(:project) { create(:project) }
let(:params) { { project_id: project, namespace_id: project.creator } }
# when new Vulnerability Findings API is enabled, this controller is not
# and its actions are "moved" to Projects::Security::VulnerabilityFindingsController
it_behaves_like 'ProjectVulnerabilityFindingsActions disabled' do
let(:vulnerable) { project }
let(:vulnerable_params) { params }
end
it_behaves_like 'SecurityDashboardsPermissions disabled' do
let(:vulnerable) { project }
let(:security_dashboard_action) { get :index, params: params, format: :json }
end
context 'when new Vulnerability Findings API is disabled' do
before do
stub_feature_flags(first_class_vulnerabilities: false)
end
# when new Vulnerability Findings API is disabled, we fall back to this controller
it_behaves_like ProjectVulnerabilityFindingsActions do
let(:vulnerable) { project }
let(:vulnerable_params) { params }
end
it_behaves_like SecurityDashboardsPermissions do
let(:vulnerable) { project }
let(:security_dashboard_action) { get :index, params: params, format: :json }
end
end
end
...@@ -6,8 +6,6 @@ describe Projects::Security::VulnerabilityFindingsController do ...@@ -6,8 +6,6 @@ describe Projects::Security::VulnerabilityFindingsController do
let(:project) { create(:project) } let(:project) { create(:project) }
let(:params) { { project_id: project, namespace_id: project.creator } } let(:params) { { project_id: project, namespace_id: project.creator } }
# when new Vulnerability Findings API is enabled, this controller serves it
it_behaves_like ProjectVulnerabilityFindingsActions do it_behaves_like ProjectVulnerabilityFindingsActions do
let(:vulnerable) { project } let(:vulnerable) { project }
let(:vulnerable_params) { params } let(:vulnerable_params) { params }
...@@ -17,23 +15,4 @@ describe Projects::Security::VulnerabilityFindingsController do ...@@ -17,23 +15,4 @@ describe Projects::Security::VulnerabilityFindingsController do
let(:vulnerable) { project } let(:vulnerable) { project }
let(:security_dashboard_action) { get :index, params: params, format: :json } let(:security_dashboard_action) { get :index, params: params, format: :json }
end end
context 'when new Vulnerability Findings API is disabled' do
before do
stub_feature_flags(first_class_vulnerabilities: false)
end
# new Vulnerability Findings API is disabled and we fall back to
# Projects::Security::VulnerabilitiesController
it_behaves_like 'ProjectVulnerabilityFindingsActions disabled' do
let(:vulnerable) { project }
let(:vulnerable_params) { params }
end
it_behaves_like 'SecurityDashboardsPermissions disabled' do
let(:vulnerable) { project }
let(:security_dashboard_action) { get :index, params: params, format: :json }
end
end
end end
...@@ -50,24 +50,4 @@ describe GroupsHelper do ...@@ -50,24 +50,4 @@ describe GroupsHelper do
expect(helper.group_sidebar_links).not_to include(:contribution_analytics, :epics) expect(helper.group_sidebar_links).not_to include(:contribution_analytics, :epics)
end end
end end
context 'when new Vulnerability Findings API enabled' do
it 'returns new "vulnerability findings" endpoint paths' do
expect(helper.group_vulnerabilities_endpoint_path(group)).to eq group_security_vulnerability_findings_path(group)
expect(helper.group_vulnerabilities_summary_endpoint_path(group)).to eq summary_group_security_vulnerability_findings_path(group)
expect(helper.group_vulnerabilities_history_endpoint_path(group)).to eq history_group_security_vulnerability_findings_path(group)
end
end
context 'when new Vulnerability Findings API disabled' do
before do
stub_feature_flags(first_class_vulnerabilities: false)
end
it 'returns legacy "vulnerabilities" endpoint paths' do
expect(helper.group_vulnerabilities_endpoint_path(group)).to eq group_security_vulnerabilities_path(group)
expect(helper.group_vulnerabilities_summary_endpoint_path(group)).to eq summary_group_security_vulnerabilities_path(group)
expect(helper.group_vulnerabilities_history_endpoint_path(group)).to eq history_group_security_vulnerabilities_path(group)
end
end
end end
...@@ -133,25 +133,12 @@ describe ProjectsHelper do ...@@ -133,25 +133,12 @@ describe ProjectsHelper do
expect(subject[:has_pipeline_data]).to eq 'true' expect(subject[:has_pipeline_data]).to eq 'true'
end end
context 'when new Vulnerability Findings API enabled' do it 'returns the "vulnerability findings" endpoint paths' do
it 'returns new "vulnerability findings" endpoint paths' do expect(subject[:vulnerabilities_endpoint]).to eq project_security_vulnerability_findings_path(project)
expect(subject[:vulnerabilities_endpoint]).to eq project_security_vulnerability_findings_path(project) expect(subject[:vulnerabilities_summary_endpoint]).to(
expect(subject[:vulnerabilities_summary_endpoint]).to( eq(
eq( summary_project_security_vulnerability_findings_path(project)
summary_project_security_vulnerability_findings_path(project) ))
))
end
end
context 'when new Vulnerability Findings API disabled' do
before do
stub_feature_flags(first_class_vulnerabilities: false)
end
it 'returns legacy "vulnerabilities" endpoint paths' do
expect(subject[:vulnerabilities_endpoint]).to eq project_security_vulnerabilities_path(project)
expect(subject[:vulnerabilities_summary_endpoint]).to eq summary_project_security_vulnerabilities_path(project)
end
end end
end end
end end
......
...@@ -29,19 +29,19 @@ describe 'Group routing', "routing" do ...@@ -29,19 +29,19 @@ describe 'Group routing', "routing" do
it 'lists vulnerabilities' do it 'lists vulnerabilities' do
allow(Group).to receive(:find_by_full_path).with('gitlabhq', any_args).and_return(true) allow(Group).to receive(:find_by_full_path).with('gitlabhq', any_args).and_return(true)
expect(get('/groups/gitlabhq/-/security/vulnerabilities')).to route_to('groups/security/vulnerabilities#index', group_id: 'gitlabhq') expect(get('/groups/gitlabhq/-/security/vulnerability_findings')).to route_to('groups/security/vulnerability_findings#index', group_id: 'gitlabhq')
end end
it 'shows vulnerability summary' do it 'shows vulnerability summary' do
allow(Group).to receive(:find_by_full_path).with('gitlabhq', any_args).and_return(true) allow(Group).to receive(:find_by_full_path).with('gitlabhq', any_args).and_return(true)
expect(get('/groups/gitlabhq/-/security/vulnerabilities/summary')).to route_to('groups/security/vulnerabilities#summary', group_id: 'gitlabhq') expect(get('/groups/gitlabhq/-/security/vulnerability_findings/summary')).to route_to('groups/security/vulnerability_findings#summary', group_id: 'gitlabhq')
end end
it 'shows vulnerability history' do it 'shows vulnerability history' do
allow(Group).to receive(:find_by_full_path).with('gitlabhq', any_args).and_return(true) allow(Group).to receive(:find_by_full_path).with('gitlabhq', any_args).and_return(true)
expect(get('/groups/gitlabhq/-/security/vulnerabilities/history')).to route_to('groups/security/vulnerabilities#history', group_id: 'gitlabhq') expect(get('/groups/gitlabhq/-/security/vulnerability_findings/history')).to route_to('groups/security/vulnerability_findings#history', group_id: 'gitlabhq')
end end
end end
......
# frozen_string_literal: true
require 'spec_helper'
shared_examples 'ProjectVulnerabilityFindingsActions disabled' do
include ApiHelpers
include VulnerableHelpers
let(:action_params) { vulnerable_params }
let(:user) { create(:user) }
before do
vulnerable.add_developer(user)
sign_in(user)
stub_licensed_features(security_dashboard: true)
end
describe 'GET index.json' do
subject { get :index, params: action_params, format: :json }
it 'is disabled and returns "not found"' do
subject
expect(response).to have_gitlab_http_status(404)
end
end
describe 'GET summary.json' do
subject { get :summary, params: action_params, format: :json }
before do
subject
end
it 'is disabled and returns "not found"' do
expect(response).to have_gitlab_http_status(404)
end
end
end
# frozen_string_literal: true
require 'spec_helper'
shared_examples 'SecurityDashboardsPermissions disabled' do
include ApiHelpers
let(:security_dashboard_user) { create(:user) }
before do
sign_in(security_dashboard_user)
end
describe 'access for all actions' do
context 'when security dashboard feature is enabled' do
it 'returns 404' do
stub_licensed_features(security_dashboard: true)
security_dashboard_action
expect(response).to have_gitlab_http_status(404)
end
end
end
end
# frozen_string_literal: true
shared_examples 'disabled group vulnerability findings controller' do
describe 'GET index.json' do
it 'is disabled and returns "not found" response' do
get :index, params: { group_id: group }, format: :json
expect(response).to have_gitlab_http_status(404)
end
end
describe 'GET history.json' do
it 'is disabled and returns "not found" response' do
get :history, params: { group_id: group }, format: :json
expect(response).to have_gitlab_http_status(404)
end
end
end
# frozen_string_literal: true
shared_examples 'group vulnerability findings controller' do
before do
sign_in(user)
stub_licensed_features(security_dashboard: true)
group.add_developer(user)
end
describe 'GET index.json' do
it 'returns vulnerabilities for all projects in the group' do
# create projects for the group
2.times do
project = create(:project, namespace: group)
pipeline = create(:ci_pipeline, :success, project: project)
create(:vulnerabilities_occurrence, pipelines: [pipeline], project: project, severity: :high)
end
# create an ungrouped project to ensure we don't include it
project = create(:project)
pipeline = create(:ci_pipeline, :success, project: project)
create(:vulnerabilities_occurrence, pipelines: [pipeline], project: project, severity: :high)
get :index, params: { group_id: group }, format: :json
expect(json_response.count).to be(2)
end
end
describe 'GET history.json' do
let(:params) { { group_id: group } }
let(:project) { create(:project, namespace: group) }
let(:pipeline) { create(:ci_pipeline, :success, project: project) }
subject { get :history, params: params, format: :json }
before do
travel_to(Time.zone.parse('2018-11-10')) do
create(:vulnerabilities_occurrence,
pipelines: [pipeline],
project: project,
report_type: :sast,
severity: :critical)
create(:vulnerabilities_occurrence,
pipelines: [pipeline],
project: project,
report_type: :dependency_scanning,
severity: :low)
end
travel_to(Time.zone.parse('2018-11-12')) do
create(:vulnerabilities_occurrence,
pipelines: [pipeline],
project: project,
report_type: :sast,
severity: :critical)
create(:vulnerabilities_occurrence,
pipelines: [pipeline],
project: project,
report_type: :dependency_scanning,
severity: :low)
end
end
it 'returns vulnerability history within last 90 days' do
travel_to(Time.zone.parse('2019-02-11')) do
subject
end
expect(response).to have_gitlab_http_status(200)
expect(json_response['total']).to eq({ '2018-11-12' => 2 })
expect(json_response['critical']).to eq({ '2018-11-12' => 1 })
expect(json_response['low']).to eq({ '2018-11-12' => 1 })
expect(response).to match_response_schema('vulnerabilities/history', dir: 'ee')
end
it 'returns empty history if there are no vulnerabilities within last 90 days' do
travel_to(Time.zone.parse('2019-02-13')) do
subject
end
expect(json_response).to eq({
"undefined" => {},
"info" => {},
"unknown" => {},
"low" => {},
"medium" => {},
"high" => {},
"critical" => {},
"total" => {}
})
end
context 'with a report type filter' do
let(:params) { { group_id: group, report_type: %w[sast] } }
before do
travel_to(Time.zone.parse('2019-02-11')) do
subject
end
end
it 'returns filtered history if filters are enabled' do
expect(json_response['total']).to eq({ '2018-11-12' => 1 })
expect(json_response['critical']).to eq({ '2018-11-12' => 1 })
expect(json_response['low']).to eq({})
end
end
end
end
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment