Merge branch 'dast-in-group-dashboard-be' into 'master'

Show DAST in Group Security Dashboard Back-End See merge request gitlab-org/gitlab-ee!10277

Merge branch 'dast-in-group-dashboard-be' into 'master'
Show DAST in Group Security Dashboard Back-End See merge request gitlab-org/gitlab-ee!10277
a8a42ab0 · Kamil Trzciński · edaa8a5f · da111e74 · a8a42ab0 · a8a42ab0
Commit a8a42ab0 authored Mar 27, 2019 by Kamil Trzciński
5 changed files
--- a/doc/user/group/security_dashboard/index.md
+++ b/doc/user/group/security_dashboard/index.md
@@ -34,14 +34,16 @@ each one separately.

 The group security dashboard supports [SAST](../../project/merge_requests/sast.md),
 [Dependency Scanning](../../project/merge_requests/dependency_scanning.md),
-and [Container Scanning](../../project/merge_requests/container_scanning.md).
+[Container Scanning](../../project/merge_requests/container_scanning.md), 
+and [DAST](../../project/merge_requests/dast.md).

 ## Requirements

 To use the group security dashboard:

 1. At least one project inside a group must be configured with
-   [Static Application Security Testing](../../project/merge_requests/sast.md), or [Dependency Scanning](../../project/merge_requests/dependency_scanning.md).
+   [Static Application Security Testing](../../project/merge_requests/sast.md), or [Dependency Scanning](../../project/merge_requests/dependency_scanning.md), 
+   or [Container Scanning](../../project/merge_requests/container_scanning.md), or [Dynamic Application Security Testing](../../project/merge_requests/dast.md).
 2. The configured jobs must use the [new `reports` syntax](../../../ci/yaml/README.md#artifactsreports) (see an [example job](../../../ci/examples/sast.md)).
 3. [GitLab Runner](https://docs.gitlab.com/runner/) 11.5 or above must be used to execute the jobs.


--- a/ee/app/controllers/groups/security/vulnerabilities_controller.rb
+++ b/ee/app/controllers/groups/security/vulnerabilities_controller.rb
@@ -3,11 +3,6 @@
 class Groups::Security::VulnerabilitiesController < Groups::Security::ApplicationController
  HISTORY_RANGE = 3.months

-  # NOTE: we need this scope because DAST vulnerabilities
-  # shouldn't appear in the Group Dashboard in the same as we're starting
-  # to save them in the database
-  DEFAULT_REPORT_SCOPE = [:sast, :dependency_scanning, :container_scanning].freeze
-
  def index
    vulnerabilities = found_vulnerabilities.ordered.page(params[:page])

@@ -44,10 +39,8 @@ class Groups::Security::VulnerabilitiesController < Groups::Security::Applicatio
  private

  def filter_params
-    filter_params = params.permit(report_type: [], project_id: [], severity: [])
-                          .merge(hide_dismissed: Gitlab::Utils.to_boolean(params[:hide_dismissed]))
-    filter_params[:report_type] ||= DEFAULT_REPORT_SCOPE
-    filter_params
+    params.permit(report_type: [], project_id: [], severity: [])
+      .merge(hide_dismissed: Gitlab::Utils.to_boolean(params[:hide_dismissed]))
  end

  def found_vulnerabilities(collection = :latest)

--- a/ee/app/models/ee/ci/build.rb
+++ b/ee/app/models/ee/ci/build.rb
@@ -65,7 +65,7 @@ module EE
              ::Feature.disabled?(:parse_container_scanning_reports, default_enabled: true)

          next if file_type == "dast" &&
-              ::Feature.disabled?(:parse_dast_reports, default_enabled: false)
+              ::Feature.disabled?(:parse_dast_reports, default_enabled: true)

          security_reports.get_report(file_type).tap do |security_report|
            next unless project.feature_available?(LICENSED_PARSER_FEATURES.fetch(file_type))

--- a/ee/changelogs/unreleased/dast-in-group-dashboard-be.yml
+++ b/ee/changelogs/unreleased/dast-in-group-dashboard-be.yml
+---
+title: Show DAST in Group Security Dashboard Back-End
+merge_request: 10277
+author:
+type: added
--- a/ee/spec/controllers/groups/security/vulnerabilities_controller_spec.rb
+++ b/ee/spec/controllers/groups/security/vulnerabilities_controller_spec.rb
@@ -108,7 +108,6 @@ describe Groups::Security::VulnerabilitiesController do
        context 'with multiple report types' do
          before do
            projects.each do |project|
-              create_vulnerabilities(1, project_guest, { report_type: :dast })
              create_vulnerabilities(2, project_guest, { report_type: :sast })
              create_vulnerabilities(1, project_dev, { report_type: :dependency_scanning })
            end
@@ -219,14 +218,14 @@ describe Groups::Security::VulnerabilitiesController do
          group.add_developer(user)
        end

-        it 'returns vulnerabilities counts for :sast and :dependency_scanning' do
+        it 'returns vulnerabilities counts for all report types' do
          subject

          expect(response).to have_gitlab_http_status(200)
          expect(json_response).to be_an(Hash)
          expect(json_response['high']).to eq(3)
-          expect(json_response['low']).to eq(3)
-          expect(json_response['medium']).to eq(0)
+          expect(json_response['low']).to eq(4)
+          expect(json_response['medium']).to eq(1)
          expect(response).to match_response_schema('vulnerabilities/summary', dir: 'ee')
        end

@@ -323,11 +322,11 @@ describe Groups::Security::VulnerabilitiesController do

          expect(response).to have_gitlab_http_status(200)
          expect(json_response).to be_an(Hash)
-          expect(json_response['total']).to eq({ '2018-11-10' => 5, '2018-11-12' => 3 })
+          expect(json_response['total']).to eq({ '2018-11-10' => 5, '2018-11-12' => 5 })
          expect(json_response['critical']).to eq({ '2018-11-10' => 1 })
          expect(json_response['high']).to eq({ '2018-11-10' => 2, '2018-11-12' => 1 })
-          expect(json_response['medium']).to eq({})
-          expect(json_response['low']).to eq({ '2018-11-10' => 2, '2018-11-12' => 2 })
+          expect(json_response['medium']).to eq({ '2018-11-12' => 1 })
+          expect(json_response['low']).to eq({ '2018-11-10' => 2, '2018-11-12' => 3 })
          expect(response).to match_response_schema('vulnerabilities/history', dir: 'ee')
        end