Add issue build from vulnerability service

adaa4351 · Jonathan Schafer · 3f739faf · adaa4351 · adaa4351 · adaa4351
Commit adaa4351 authored Nov 12, 2020 by Jonathan Schafer
3 changed files
--- a/ee/app/services/issues/build_from_vulnerability_service.rb
+++ b/ee/app/services/issues/build_from_vulnerability_service.rb
+# frozen_string_literal: true
+
+module Issues
+  class BuildFromVulnerabilityService < Issues::BuildService
+    def execute
+      vulnerability = params[:vulnerability]
+
+      params.merge!({
+        title: "Investigate vulnerability: #{vulnerability.title}",
+        description: render_description(vulnerability),
+        confidential: true
+      })
+
+      super
+    end
+
+    private
+
+    def render_description(vulnerability)
+      ApplicationController.render(
+        template: 'vulnerabilities/issue_description.md.erb',
+        locals: { vulnerability: vulnerability.present }
+      )
+    end
+  end
+end
+
+Issues::BuildService.prepend_if_ee('EE::Issues::BuildService')
--- a/ee/changelogs/unreleased/250353-convert-issues-createfromvulnerabilityservice-to-work-similar-t.yml
+++ b/ee/changelogs/unreleased/250353-convert-issues-createfromvulnerabilityservice-to-work-similar-t.yml
+---
+title: Create a new service to build an issue from a vulnerability
+merge_request: 47510
+author:
+type: added
--- a/ee/spec/services/ee/issues/build_from_vulnerability_service_spec.rb
+++ b/ee/spec/services/ee/issues/build_from_vulnerability_service_spec.rb
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Issues::BuildFromVulnerabilityService, '#execute' do
+  let_it_be(:group)   { create(:group) }
+  let_it_be(:project) { create(:project, :public, :repository, namespace: group) }
+  let_it_be(:user)    { create(:user) }
+  let(:vulnerability) { create(:vulnerability, :with_finding, project: project) }
+  let(:params) { { vulnerability: vulnerability } }
+  let(:result) { described_class.new(project, user, params).execute }
+
+  before do
+    stub_licensed_features(security_dashboard: true)
+    group.add_developer(user)
+  end
+
+  context 'is a vulnerability with remediations' do
+    let(:vulnerability) { create(:vulnerability, :with_remediation, project: project) }
+
+    context 'when raw_metadata has no remediations' do
+      let(:vulnerability) { create(:vulnerability, :with_finding, project: project) }
+
+      it 'does not display Remediations section' do
+        expect(vulnerability.remediations).to eq(nil)
+        expect(result.description).not_to match(/Remediations/)
+      end
+    end
+
+    context 'when raw_metadata has empty remediations key' do
+      before do
+        finding = vulnerability.finding
+        metadata = Gitlab::Json.parse(finding.raw_metadata)
+        metadata["remediations"] = [nil]
+        finding.raw_metadata = metadata.to_json
+        finding.save!
+      end
+
+      it 'does not display Remediations section' do
+        expect(vulnerability.remediations).to eq([nil])
+        expect(result.description).not_to match(/Remediations/)
+      end
+    end
+
+    context 'when raw_metadata has a remediation' do
+      it 'displays Remediations section' do
+        expect(vulnerability.remediations.length).to eq(1)
+        expect(result.description).to match(/Remediations/)
+      end
+
+      it 'attaches the diff' do
+        expect(result.description).to match(/This is a diff/)
+      end
+    end
+  end
+
+  context 'when an issue is built' do
+    let(:expected_title) { "Investigate vulnerability: #{vulnerability.title}" }
+    let(:expected_description) do
+      <<~DESC.chomp
+        Issue created from vulnerability <a href="http://localhost/#{group.name}/#{project.name}/-/security/vulnerabilities/#{vulnerability.id}">#{vulnerability.id}</a>
+
+        ### Description:
+
+        Description of #{vulnerability.title}
+
+        * Severity: #{vulnerability.severity}
+        * Confidence: #{vulnerability.confidence}
+        * Location: [maven/src/main/java/com/gitlab/security_products/tests/App.java:29](http://localhost/#{project.full_path}/-/blob/master/maven/src/main/java/com/gitlab/security_products/tests/App.java#L29)
+
+        ### Solution:
+
+        #{vulnerability.solution}
+
+        ### Identifiers:
+
+        * [CVE-2018-1234](http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-1234)
+
+        ### Links:
+
+        * [Cipher does not check for integrity first?](https://crypto.stackexchange.com/questions/31428/pbewithmd5anddes-cipher-does-not-check-for-integrity-first)
+      DESC
+    end
+
+    it 'builds the issue with the given params' do
+      issue = result
+      expect(issue).not_to be_persisted
+      expect(issue.project).to eq(project)
+      expect(issue.author).to eq(user)
+      expect(issue.title).to eq(expected_title)
+      expect(issue.description.strip).to eq(expected_description)
+      expect(issue).to be_confidential
+    end
+  end
+end