Commit 828daf10 authored by Subashis's avatar Subashis

Expose dismissal reason and dismissal descriptions

- Make translations dynamic for dismissal descriptions
- Extend helper to return dismissal feedback
- Expose dismissal_reason and dismissal_descriptions in feedback entity
- Update spec factory to accomodate dismissal reason
- Update graphql doc
- Add newly externalized strings
- Add change log
parent c956d96f
......@@ -8093,11 +8093,11 @@ The dismissal reason of the Vulnerability.
| Value | Description |
| ----- | ----------- |
| `ACCEPTABLE_RISK` | The likelihood of the Vulnerability occurring and its impact are deemed acceptable |
| `FALSE_POSITIVE` | The Vulnerability was incorrectly identified as being present |
| `MITIGATING_CONTROL` | There is a mitigating control that eliminates the Vulnerability or makes its risk acceptable |
| `NOT_APPLICABLE` | Other reasons for dismissal |
| `USED_IN_TESTS` | The Vulnerability is used in tests and does not pose an actual risk |
| `ACCEPTABLE_RISK` | The vulnerability is known, and has not been remediated or mitigated, but is considered to be an acceptable business risk. |
| `FALSE_POSITIVE` | An error in reporting in which a test result incorrectly indicates the presence of a vulnerability in a system when the vulnerability is not present. |
| `MITIGATING_CONTROL` | A management, operational, or technical control (that is, safeguard or countermeasure) employed by an organization that provides equivalent or comparable protection for an information system. |
| `NOT_APPLICABLE` | The vulnerability is known, and has not been remediated or mitigated, but is considered to be in a part of the application that will not be updated. |
| `USED_IN_TESTS` | The finding is not a vulnerability because it is part of a test or is test data. |
### `VulnerabilityExternalIssueLinkExternalTracker`
......
......@@ -9,11 +9,11 @@ module Vulnerabilities
description 'The dismissal reason of the Vulnerability'
define do
acceptable_risk value: 0, description: 'The likelihood of the Vulnerability occurring and its impact are deemed acceptable'
false_positive value: 1, description: 'The Vulnerability was incorrectly identified as being present'
mitigating_control value: 2, description: 'There is a mitigating control that eliminates the Vulnerability or makes its risk acceptable'
used_in_tests value: 3, description: 'The Vulnerability is used in tests and does not pose an actual risk'
not_applicable value: 4, description: 'Other reasons for dismissal'
acceptable_risk value: 0, description: _('The vulnerability is known, and has not been remediated or mitigated, but is considered to be an acceptable business risk.')
false_positive value: 1, description: _('An error in reporting in which a test result incorrectly indicates the presence of a vulnerability in a system when the vulnerability is not present.')
mitigating_control value: 2, description: _('A management, operational, or technical control (that is, safeguard or countermeasure) employed by an organization that provides equivalent or comparable protection for an information system.')
used_in_tests value: 3, description: _('The finding is not a vulnerability because it is part of a test or is test data.')
not_applicable value: 4, description: _('The vulnerability is known, and has not been remediated or mitigated, but is considered to be in a part of the application that will not be updated.')
end
end
end
# frozen_string_literal: true
module VulnerabilitiesHelper
FINDING_FIELDS = %i[metadata identifiers name issue_feedback merge_request_feedback project project_fingerprint scanner uuid details].freeze
FINDING_FIELDS = %i[metadata identifiers name issue_feedback merge_request_feedback project project_fingerprint scanner uuid details dismissal_feedback].freeze
def vulnerability_details_json(vulnerability, pipeline)
vulnerability_details(vulnerability, pipeline).to_json
......
......@@ -49,6 +49,11 @@ class Vulnerabilities::FeedbackEntity < Grape::Entity
end
expose :project_fingerprint
expose :dismissal_reason
expose :dismissal_descriptions do |feedback|
Vulnerabilities::DismissalReasonEnum.definition.transform_values { |v| v[:description] }
end
alias_method :feedback, :object
private
......
---
title: Expose dismissal reason and dismissal descriptions in Vulnerability details
view
merge_request: 55525
author:
type: added
......@@ -20,6 +20,7 @@ FactoryBot.define do
trait :dismissal do
feedback_type { 'dismissal' }
dismissal_reason { 'acceptable_risk' }
end
trait :comment do
......
......@@ -37,7 +37,11 @@
"project_fingerprint": { "type": "string" },
"branch": { "type": ["string", "null"] },
"destroy_vulnerability_feedback_dismissal_path": { "type": "string" },
"finding_uuid": { "type": ["string", "null"] }
"finding_uuid": { "type": ["string", "null"] },
"dismissal_reason": { "type": ["string", "null"] },
"dismissal_descriptions": {
"type": {"string": "string"}
}
},
"additionalProperties": false
}
......@@ -4,9 +4,9 @@ require 'spec_helper'
RSpec.describe VulnerabilitiesHelper do
let_it_be(:user) { create(:user) }
let(:project) { create(:project, :repository, :public) }
let(:pipeline) { create(:ci_pipeline, :success, project: project) }
let(:finding) { create(:vulnerabilities_finding, pipelines: [pipeline], project: project, severity: :high) }
let_it_be(:project) { create(:project, :repository, :public) }
let_it_be(:pipeline) { create(:ci_pipeline, :success, project: project) }
let_it_be(:finding) { create(:vulnerabilities_finding, pipelines: [pipeline], project: project, severity: :high) }
let(:vulnerability) { create(:vulnerability, title: "My vulnerability", project: project, findings: [finding]) }
before do
......@@ -43,7 +43,7 @@ RSpec.describe VulnerabilitiesHelper do
:details)
end
let(:desired_serializer_fields) { %i[metadata identifiers name issue_feedback merge_request_feedback project project_fingerprint scanner uuid details] }
let(:desired_serializer_fields) { %i[metadata identifiers name issue_feedback merge_request_feedback project project_fingerprint scanner uuid details dismissal_feedback] }
before do
vulnerability_serializer_stub = instance_double("VulnerabilitySerializer")
......@@ -270,7 +270,8 @@ RSpec.describe VulnerabilitiesHelper do
assets: kind_of(Array),
supporting_messages: kind_of(Array),
uuid: kind_of(String),
details: kind_of(Hash)
details: kind_of(Hash),
dismissal_feedback: anything
)
expect(subject[:location]['blob_path']).to match(kind_of(String))
......@@ -286,6 +287,17 @@ RSpec.describe VulnerabilitiesHelper do
expect(subject[:location]).not_to have_key('blob_path')
end
end
context 'with existing dismissal feedback' do
let_it_be(:feedback) { create(:vulnerability_feedback, :comment, :dismissal, project: project, pipeline: pipeline, project_fingerprint: finding.project_fingerprint) }
it 'returns dismissal feedback information', :aggregate_failures do
dismissal_feedback = subject[:dismissal_feedback]
expect(dismissal_feedback[:dismissal_reason]).to eq(feedback.dismissal_reason)
expect(dismissal_feedback[:dismissal_descriptions]).to eq(Vulnerabilities::DismissalReasonEnum.definition.transform_values { |v| v[:description] })
expect(dismissal_feedback[:comment_details][:comment]).to eq(feedback.comment)
end
end
end
describe '#vulnerability_scan_data?' do
......
......@@ -178,4 +178,28 @@ RSpec.describe Vulnerabilities::FeedbackEntity do
expect(subject[:finding_uuid]).to eq(finding.uuid)
end
end
context 'when dismissal_reason is not present' do
let(:feedback) { build_stubbed(:vulnerability_feedback, :issue, project: project) }
it "returns nil" do
expect(subject[:dismissal_reason]).to be_nil
end
end
context 'when dismissal_reason is present' do
let(:feedback) { build_stubbed(:vulnerability_feedback, :dismissal, project: project) }
it 'exposes dismissal_reason' do
expect(subject[:dismissal_reason]).to eq(feedback.dismissal_reason)
end
end
context 'when dismissal descriptions are available' do
let(:feedback) { build_stubbed(:vulnerability_feedback, :dismissal, project: project) }
it 'exposes dismissal_descriptions' do
expect(subject[:dismissal_descriptions]).to eq(Vulnerabilities::DismissalReasonEnum.definition.transform_values { |v| v[:description] })
end
end
end
......@@ -1368,6 +1368,9 @@ msgstr ""
msgid "A limit of %{ci_project_subscriptions_limit} subscriptions to or from a project applies."
msgstr ""
msgid "A management, operational, or technical control (that is, safeguard or countermeasure) employed by an organization that provides equivalent or comparable protection for an information system."
msgstr ""
msgid "A member of the abuse team will review your report as soon as possible."
msgstr ""
......@@ -3262,6 +3265,9 @@ msgstr ""
msgid "An error has occurred"
msgstr ""
msgid "An error in reporting in which a test result incorrectly indicates the presence of a vulnerability in a system when the vulnerability is not present."
msgstr ""
msgid "An error occurred adding a draft to the thread."
msgstr ""
......@@ -29968,6 +29974,9 @@ msgstr ""
msgid "The file name should have a .yml extension"
msgstr ""
msgid "The finding is not a vulnerability because it is part of a test or is test data."
msgstr ""
msgid "The following %{user} can also merge into this branch: %{branch}"
msgstr ""
......@@ -30270,6 +30279,12 @@ msgstr ""
msgid "The visualization will appear in this tab when the CI/CD configuration file is populated with valid syntax."
msgstr ""
msgid "The vulnerability is known, and has not been remediated or mitigated, but is considered to be an acceptable business risk."
msgstr ""
msgid "The vulnerability is known, and has not been remediated or mitigated, but is considered to be in a part of the application that will not be updated."
msgstr ""
msgid "The vulnerability is no longer detected. Verify the vulnerability has been fixed or removed before changing its status."
msgstr ""
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment