Added a Secure E2E test for auto-remediation

Updated selectors where necessary. Updated fixture and tests that have changed results.

Added a Secure E2E test for auto-remediation
Updated selectors where necessary. Updated fixture and tests that have changed results.
bbef7363 · Aleksandr Soborov · Sanad Liaquat · 673ab5b2 · bbef7363 · bbef7363
Commit bbef7363 authored Aug 07, 2019 by Aleksandr Soborov Committed by Sanad Liaquat Aug 07, 2019
6 changed files
--- a/ee/app/assets/javascripts/vue_shared/security_reports/components/modal_footer.vue
+++ b/ee/app/assets/javascripts/vue_shared/security_reports/components/modal_footer.vue
@@ -102,6 +102,7 @@ export default {
      v-if="actionButtons.length > 1"
      :buttons="actionButtons"
      class="js-split-button"
+      data-qa-selector="resolve_split_button"
      @createMergeRequest="$emit('createMergeRequest')"
      @createNewIssue="$emit('createNewIssue')"
      @downloadPatch="$emit('downloadPatch')"

--- a/qa/qa/ee/fixtures/secure_premade_reports/gl-dependency-scanning-report.json
+++ b/qa/qa/ee/fixtures/secure_premade_reports/gl-dependency-scanning-report.json
@@ -72,9 +72,107 @@
          "url": "https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b"
        }
      ]
+    },
+    {
+      "category": "dependency_scanning",
+      "name": "Regular Expression Denial of Service",
+      "message": "Regular Expression Denial of Service in debug",
+      "description": "The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the `o` formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue.",
+      "cve": "yarn.lock:debug:gemnasium:37283ed4-0380-40d7-ada7-2d994afcc62a",
+      "severity": "Unknown",
+      "solution": "Upgrade to latest versions.",
+      "scanner": {
+        "id": "gemnasium",
+        "name": "Gemnasium"
+      },
+      "location": {
+        "file": "yarn.lock",
+        "dependency": {
+          "package": {
+            "name": "debug"
+          },
+          "version": "1.0.5"
+        }
+      },
+      "identifiers": [
+        {
+          "type": "gemnasium",
+          "name": "Gemnasium-37283ed4-0380-40d7-ada7-2d994afcc62a",
+          "value": "37283ed4-0380-40d7-ada7-2d994afcc62a",
+          "url": "https://deps.sec.gitlab.com/packages/npm/debug/versions/1.0.5/advisories"
+        }
+      ],
+      "links": [
+        {
+          "url": "https://github.com/visionmedia/debug/issues/501"
+        },
+        {
+          "url": "https://github.com/visionmedia/debug/pull/504"
+        },
+        {
+          "url": "https://nodesecurity.io/advisories/534"
+        }
+      ]
+    },
+    {
+      "category": "dependency_scanning",
+      "name": "Authentication bypass via incorrect DOM traversal and canonicalization",
+      "message": "Authentication bypass via incorrect DOM traversal and canonicalization in saml2-js",
+      "description": "Some XML DOM traversal and canonicalization APIs may be inconsistent in handling of comments within XML nodes. Incorrect use of these APIs by some SAML libraries results in incorrect parsing of the inner text of XML nodes such that any inner text after the comment is lost prior to cryptographically signing the SAML message. Text after the comment therefore has no impact on the signature on the SAML message.\r\n\r\nA remote attacker can modify SAML content for a SAML service provider without invalidating the cryptographic signature, which may allow attackers to bypass primary authentication for the affected SAML service provider.",
+      "cve": "yarn.lock:saml2-js:gemnasium:9952e574-7b5b-46fa-a270-aeb694198a98",
+      "severity": "Unknown",
+      "solution": "Upgrade to fixed version.\r\n",
+      "scanner": {
+        "id": "gemnasium",
+        "name": "Gemnasium"
+      },
+      "location": {
+        "file": "yarn.lock",
+        "dependency": {
+          "package": {
+            "name": "saml2-js"
+          },
+          "version": "1.8.1"
+        }
+      },
+      "identifiers": [
+        {
+          "type": "gemnasium",
+          "name": "Gemnasium-9952e574-7b5b-46fa-a270-aeb694198a98",
+          "value": "9952e574-7b5b-46fa-a270-aeb694198a98",
+          "url": "https://deps.sec.gitlab.com/packages/npm/saml2-js/versions/1.8.1/advisories"
+        },
+        {
+          "type": "cve",
+          "name": "CVE-2017-11429",
+          "value": "CVE-2017-11429",
+          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11429"
+        }
+      ],
+      "links": [
+        {
+          "url": "https://github.com/Clever/saml2/commit/3546cb61fd541f219abda364c5b919633609ef3d#diff-af730f9f738de1c9ad87596df3f6de84R279"
+        },
+        {
+          "url": "https://github.com/Clever/saml2/issues/127"
+        },
+        {
+          "url": "https://www.kb.cert.org/vuls/id/475445"
+        }
+      ]
+    }
+  ],
+  "remediations": [
+    {
+      "fixes": [
+        {
+          "cve": "yarn.lock:saml2-js:gemnasium:9952e574-7b5b-46fa-a270-aeb694198a98"
+        }
+      ],
+      "summary": "Upgrade saml2-js",
+      "diff": "ZGlmZiAtLWdpdCBhL3lhcm4ubG9jayBiL3lhcm4ubG9jawppbmRleCA2MDYwYzJmLi4yZWI1MzhlIDEwMDY0NAotLS0gYS95YXJuLmxvY2sKKysrIGIveWFybi5sb2NrCkBAIC0xNjI0LDExICsxNjI0LDE4IEBAIGFzeW5jLWxpbWl0ZXJAfjEuMC4wOgogICByZXNvbHZlZCAiaHR0cHM6Ly9yZWdpc3RyeS55YXJucGtnLmNvbS9hc3luYy1saW1pdGVyLy0vYXN5bmMtbGltaXRlci0xLjAuMC50Z3ojNzhmYWVkOGMzZDA3NGFiODFmMjJiNGU5ODVkNzllODczOGY3MjBmOCIKICAgaW50ZWdyaXR5IHNoYTUxMi1qcC91Rm5vb09pTytMMjExZVpPb1N5enBPSVRNWHgxckJJVGF1WXlrRzNCUllQdThoMFVjeHNQTkIwNFJSNXZvNFR5ejMrYXkxN3RSNkpWZjlxellXZz09CiAKLWFzeW5jQF4xLjUuMiwgYXN5bmNAfjEuNS4yOgorYXN5bmNAXjEuNS4yOgogICB2ZXJzaW9uICIxLjUuMiIKICAgcmVzb2x2ZWQgImh0dHBzOi8vcmVnaXN0cnkueWFybnBrZy5jb20vYXN5bmMvLS9hc3luYy0xLjUuMi50Z3ojZWM2YTYxYWU1NjQ4MGMwYzNjYjI0MWM5NTYxOGUyMDg5MmY5NjcyYSIKICAgaW50ZWdyaXR5IHNoYTEtN0dwaHJsWklEQXc4c2tISlZoamlDSkw1WnlvPQogCithc3luY0BeMi4xLjUsIGFzeW5jQF4yLjUuMDoKKyAgdmVyc2lvbiAiMi42LjMiCisgIHJlc29sdmVkICJodHRwczovL3JlZ2lzdHJ5Lnlhcm5wa2cuY29tL2FzeW5jLy0vYXN5bmMtMi42LjMudGd6I2Q3MjYyNWUyMzQ0YTM2NTZlM2EzYWQ0ZmE3NDlmYTgzMjk5ZDgyZmYiCisgIGludGVncml0eSBzaGE1MTItemZsdmxzMTFEQ3krZFFXelRXMmR6dWlsdjhaNVgvcGpmbVpPV2JhNlROSVZEbSsyVURhSm1YU09YbGFzSEtmTkJzOG9vM00wYVQ1MGZERVdmS1pqWGc9PQorICBkZXBlbmRlbmNpZXM6CisgICAgbG9kYXNoICJeNC4xNy4xNCIKKwogYXN5bmNAXjIuNi4xOgogICB2ZXJzaW9uICIyLjYuMiIKICAgcmVzb2x2ZWQgImh0dHBzOi8vcmVnaXN0cnkueWFybnBrZy5jb20vYXN5bmMvLS9hc3luYy0yLjYuMi50Z3ojMTgzMzBlYTdlNmUzMTM4ODdmNWQyZjJhOTA0YmFjNmZlNGRkNTM4MSIKQEAgLTE2MzYsMTEgKzE2NDMsNiBAQCBhc3luY0BeMi42LjE6CiAgIGRlcGVuZGVuY2llczoKICAgICBsb2Rhc2ggIl40LjE3LjExIgogCi1hc3luY0B+MC4yLjc6Ci0gIHZlcnNpb24gIjAuMi4xMCIKLSAgcmVzb2x2ZWQgImh0dHBzOi8vcmVnaXN0cnkueWFybnBrZy5jb20vYXN5bmMvLS9hc3luYy0wLjIuMTAudGd6I2I2YmJlMGIwNjc0YjlkNzE5NzA4Y2EzOGRlOGMyMzdjYjUyNmMzZDEiCi0gIGludGVncml0eSBzaGExLXRydmdzR2RMblhHWENNbzQzb3dqZkxVbXc5RT0KLQogYXN5bmNraXRAXjAuNC4wOgogICB2ZXJzaW9uICIwLjQuMCIKICAgcmVzb2x2ZWQgImh0dHBzOi8vcmVnaXN0cnkueWFybnBrZy5jb20vYXN5bmNraXQvLS9hc3luY2tpdC0wLjQuMC50Z3ojYzc5ZWQ5N2Y3ZjM0Y2I4ZjJiYTFiYzk3OTBiY2MzNjY0NzRiNGI3OSIKQEAgLTI5MTAsMTMgKzI5MTIsNiBAQCBkZWJ1Z0AyLjYuOSwgZGVidWdAXjIuMi4wLCBkZWJ1Z0BeMi4zLjMsIGRlYnVnQF4yLjYuMCwgZGVidWdAXjIuNi44LCBkZWJ1Z0BeMi42LgogICBkZXBlbmRlbmNpZXM6CiAgICAgbXMgIjIuMC4wIgogCi1kZWJ1Z0BeMS4wLjQ6Ci0gIHZlcnNpb24gIjEuMC41IgotICByZXNvbHZlZCAiaHR0cHM6Ly9yZWdpc3RyeS55YXJucGtnLmNvbS9kZWJ1Zy8tL2RlYnVnLTEuMC41LnRneiNmNzI0MTIxNzQzMGY5OWRlYzRjMmI0NzNlYWI5MjIyOGU4NzRjMmFjIgotICBpbnRlZ3JpdHkgc2hhMS05eVFTRjBNUG1kN0V3clJ6NnJraUtPaDB3cXc9Ci0gIGRlcGVuZGVuY2llczoKLSAgICBtcyAiMi4wLjAiCi0KIGRlYnVnQF4zLjIuNSwgZGVidWdAXjMuMi42OgogICB2ZXJzaW9uICIzLjIuNiIKICAgcmVzb2x2ZWQgImh0dHBzOi8vcmVnaXN0cnkueWFybnBrZy5jb20vZGVidWcvLS9kZWJ1Zy0zLjIuNi50Z3ojZTgzZDE3ZGUxNmQ4YTdlZmI3NzE3ZWRiZTVmYjEwMTM1ZWVlNjI5YiIKQEAgLTMyMzQsMTAgKzMyMjksMTAgQEAgZWUtZmlyc3RAMS4xLjE6CiAgIHJlc29sdmVkICJodHRwczovL3JlZ2lzdHJ5Lnlhcm5wa2cuY29tL2VlLWZpcnN0Ly0vZWUtZmlyc3QtMS4xLjEudGd6IzU5MGM2MTE1NmIwYWUyZjRmMDI1NTczMmExNThiMjY2YmM1NmIyMWQiCiAgIGludGVncml0eSBzaGExLVdReGhGV3NLNHZUd0pWY3lvVml5WnJ4V3NoMD0KIAotZWpzQH4wLjguMzoKLSAgdmVyc2lvbiAiMC44LjgiCi0gIHJlc29sdmVkICJodHRwczovL3JlZ2lzdHJ5Lnlhcm5wa2cuY29tL2Vqcy8tL2Vqcy0wLjguOC50Z3ojZmZkYzU2ZGNjMzVkMDI5MjZkZDUwYWQxMzQzOWJiYzU0MDYxZDU5OCIKLSAgaW50ZWdyaXR5IHNoYTEtLzl4VzNNTmRBcEp0MVFyUk5EbTd4VUJoMVpnPQorZWpzQF4yLjUuNjoKKyAgdmVyc2lvbiAiMi42LjIiCisgIHJlc29sdmVkICJodHRwczovL3JlZ2lzdHJ5Lnlhcm5wa2cuY29tL2Vqcy8tL2Vqcy0yLjYuMi50Z3ojM2EzMmM2M2QxY2QxNmQxMTI2NmNkNDcwM2IxNGZlYzRlNzRhYjRmNiIKKyAgaW50ZWdyaXR5IHNoYTUxMi1QY1cyYTB0eVR1UEh6M3RXeVlxdEs2cjFmWjNncCszU29wOFBoK1pZTjgxT2I1cndtYkhFemFxczEwTjNCRXNhR1RraC9vb25pWEsrV3dzekdsYzIrUT09CiAKIGVsZWN0cm9uLXRvLWNocm9taXVtQF4xLjMuMTIyLCBlbGVjdHJvbi10by1jaHJvbWl1bUBeMS4zLjEyNDoKICAgdmVyc2lvbiAiMS4zLjEyNSIKQEAgLTU3NTMsNiArNTc0OCwxMSBAQCBsb2NhdGUtcGF0aEBeMy4wLjA6CiAgICAgcC1sb2NhdGUgIl4zLjAuMCIKICAgICBwYXRoLWV4aXN0cyAiXjMuMC4wIgogCitsb2Rhc2gtbm9kZUB+Mi40LjE6CisgIHZlcnNpb24gIjIuNC4xIgorICByZXNvbHZlZCAiaHR0cHM6Ly9yZWdpc3RyeS55YXJucGtnLmNvbS9sb2Rhc2gtbm9kZS8tL2xvZGFzaC1ub2RlLTIuNC4xLnRneiNlYTgyZjdiMTAwYzczM2QxYTQyYWY3NjgwMWU1MDYxMDVlMmE4MGVjIgorICBpbnRlZ3JpdHkgc2hhMS02b0wzc1FESE05R2tLdmRvQWVVR0VGNHFnT3c9CisKIGxvZGFzaC5fcmVpbnRlcnBvbGF0ZUB+My4wLjA6CiAgIHZlcnNpb24gIjMuMC4wIgogICByZXNvbHZlZCAiaHR0cHM6Ly9yZWdpc3RyeS55YXJucGtnLmNvbS9sb2Rhc2guX3JlaW50ZXJwb2xhdGUvLS9sb2Rhc2guX3JlaW50ZXJwb2xhdGUtMy4wLjAudGd6IzBjY2YyZDg5MTY2YWYwM2IzNjYzYzc5NjUzOGI3NWFjNmUxMTRkOWQiCkBAIC01ODAzLDYgKzU4MDMsMTEgQEAgbG9kYXNoLnVuaXFAXjQuNS4wOgogICByZXNvbHZlZCAiaHR0cHM6Ly9yZWdpc3RyeS55YXJucGtnLmNvbS9sb2Rhc2gvLS9sb2Rhc2gtNC4xNy4xMS50Z3ojYjM5ZWE2MjI5ZWY2MDdlY2Q4OWUyYzhkZjEyNTM2ODkxY2FjOWI4ZCIKICAgaW50ZWdyaXR5IHNoYTUxMi1jUUtoOGlnbzVRVWhaN2xnMzhEWVdBeE12alNBS0cwQTh3R1NWaW1QMDdTSVVFSzJVTythclNSS2JSWld0ZWxNdE41VjBIa3doNXJ5T3RvL1NzaFlJZz09CiAKK2xvZGFzaEBeNC4xNy4xNDoKKyAgdmVyc2lvbiAiNC4xNy4xNSIKKyAgcmVzb2x2ZWQgImh0dHBzOi8vcmVnaXN0cnkueWFybnBrZy5jb20vbG9kYXNoLy0vbG9kYXNoLTQuMTcuMTUudGd6I2I0NDdmNjY3MGEwNDU1YmJmZWVkZDExMzkyZWZmMzMwZWEwOTc1NDgiCisgIGludGVncml0eSBzaGE1MTItOHhPY1JIdkNqbm9jZFM1Y3B3WFFYVnptbWg1ZTUrc2FFMlFHb2VRbWJLbVJTNkozVlFwcFBPSXQwTW5tRSs0eGxab3VteTBHUEcwRDBNVklRYk5BMUE9PQorCiBsb2dsZXZlbEBeMS40LjE6CiAgIHZlcnNpb24gIjEuNi4xIgogICByZXNvbHZlZCAiaHR0cHM6Ly9yZWdpc3RyeS55YXJucGtnLmNvbS9sb2dsZXZlbC8tL2xvZ2xldmVsLTEuNi4xLnRneiNlMGZjOTUxMzNiNmVmMjc2Y2RjODg4N2NkYWYyNGFhNmYxNTZmOGZhIgpAQCAtNjE4NSwxNiArNjE5MCwxNiBAQCBuby1jYXNlQF4yLjIuMDoKICAgZGVwZW5kZW5jaWVzOgogICAgIGxvd2VyLWNhc2UgIl4xLjEuMSIKIAotbm9kZS1mb3JnZUAwLjIuMjQ6Ci0gIHZlcnNpb24gIjAuMi4yNCIKLSAgcmVzb2x2ZWQgImh0dHBzOi8vcmVnaXN0cnkueWFybnBrZy5jb20vbm9kZS1mb3JnZS8tL25vZGUtZm9yZ2UtMC4yLjI0LnRneiNmYTZmODQ2ZjQyZmE5M2Y2M2EwYTMwYzlmYmZmN2I0ZTEzMGUwODU4IgotICBpbnRlZ3JpdHkgc2hhMS0rbStFYjBMNmsvWTZDakRKKy85N1RoTU9DRmc9Ci0KIG5vZGUtZm9yZ2VAMC43LjU6CiAgIHZlcnNpb24gIjAuNy41IgogICByZXNvbHZlZCAiaHR0cHM6Ly9yZWdpc3RyeS55YXJucGtnLmNvbS9ub2RlLWZvcmdlLy0vbm9kZS1mb3JnZS0wLjcuNS50Z3ojNmMxNTJjMzQ1Y2UxMWM1MmY0NjVjMmFiZDk1N2U4NjM5Y2Q2NzRkZiIKICAgaW50ZWdyaXR5IHNoYTUxMi1NbWJRSjJNVEVTVGp0M0dpLzN5RzF3R3BJTWhVZmNJeXBVQ0d0VGl6RlI5SWljY0Z3eFNwZnAwdnRJWmxrRmNsRXFFUmVteGZuU2RaRU1SOVZxcUVGUT09CiAKK25vZGUtZm9yZ2VAXjAuNy4wOgorICB2ZXJzaW9uICIwLjcuNiIKKyAgcmVzb2x2ZWQgImh0dHBzOi8vcmVnaXN0cnkueWFybnBrZy5jb20vbm9kZS1mb3JnZS8tL25vZGUtZm9yZ2UtMC43LjYudGd6I2ZkZjNiNDE4YWVlMWY5NGYwZWY2NDJjZDYzNDg2Yzc3Y2E5NzI0YWMiCisgIGludGVncml0eSBzaGE1MTItc29sMzBMVXB6MWpRRkJqT0t3Ymp4aWppRTNiNnBqZDc0WXdmRDBmSk9LUGpGK2ZPTktiMllnOHJZZ1M2K2JLNlZEbCsvd2ZyNElZcEM3akR6TFVJZnc9PQorCiBub2RlLWludDY0QF4wLjQuMDoKICAgdmVyc2lvbiAiMC40LjAiCiAgIHJlc29sdmVkICJodHRwczovL3JlZ2lzdHJ5Lnlhcm5wa2cuY29tL25vZGUtaW50NjQvLS9ub2RlLWludDY0LTAuNC4wLnRneiM4N2E5MDY1Y2RiMzU1ZDMxODJkOGY5NGNlMTExODhiODI1YzY4YTNiIgpAQCAtODI1NiwxOCArODI2MSwxOCBAQCBzYWZlLXJlZ2V4QF4xLjEuMDoKICAgaW50ZWdyaXR5IHNoYTUxMi1ZWm8zSzgyU0Q3Uml5aTBFMUVRUG9qTHo3a3BlcG5TUUk5SXlQYkhIZzFYWFhldmI1ZEpJN3RweU4yQUR4R2NRYkhHN3ZjeVJIazBjYndxY1FyaVV0Zz09CiAKIHNhbWwyLWpzQF4xLjguMToKLSAgdmVyc2lvbiAiMS44LjEiCi0gIHJlc29sdmVkICJodHRwczovL3JlZ2lzdHJ5Lnlhcm5wa2cuY29tL3NhbWwyLWpzLy0vc2FtbDItanMtMS44LjEudGd6IzIwNGM4NjA2ZDAyZmUwMDcwNmM5NjhhNzAxNTk5ZGM4MWFiNTY4NDMiCi0gIGludGVncml0eSBzaGExLUlFeUdCdEF2NEFjR3lXaW5BVm1keUJxMWFFTT0KLSAgZGVwZW5kZW5jaWVzOgotICAgIGFzeW5jICJ+MS41LjIiCi0gICAgZGVidWcgIl4xLjAuNCIKLSAgICB1bmRlcnNjb3JlICJ+MS42LjAiCi0gICAgeG1sLWNyeXB0byAiXjAuOC4xIgotICAgIHhtbC1lbmNyeXB0aW9uICJ+MC43LjQiCi0gICAgeG1sMmpzICJ+MC40LjEiCi0gICAgeG1sYnVpbGRlciAifjIuMS4wIgotICAgIHhtbGRvbSAifjAuMS4xOSIKKyAgdmVyc2lvbiAiMS4xMi40IgorICByZXNvbHZlZCAiaHR0cHM6Ly9yZWdpc3RyeS55YXJucGtnLmNvbS9zYW1sMi1qcy8tL3NhbWwyLWpzLTEuMTIuNC50Z3ojYzI4OGYyMGJkYTZkMmI5MTA3M2IxNmM5NGVhNzJmMjIzNDlhYzNiMyIKKyAgaW50ZWdyaXR5IHNoYTEtd29qeUM5cHRLNUVIT3hiSlRxY3ZJalNhdzdNPQorICBkZXBlbmRlbmNpZXM6CisgICAgYXN5bmMgIl4yLjUuMCIKKyAgICBkZWJ1ZyAiXjIuNi4wIgorICAgIHVuZGVyc2NvcmUgIl4xLjguMCIKKyAgICB4bWwtY3J5cHRvICJeMC4xMC4wIgorICAgIHhtbC1lbmNyeXB0aW9uICJeMC4xMS4wIgorICAgIHhtbDJqcyAiXjAuNC4wIgorICAgIHhtbGJ1aWxkZXIgIn4yLjIuMCIKKyAgICB4bWxkb20gIl4wLjEuMCIKIAogc2FuZUBeNC4wLjM6CiAgIHZlcnNpb24gIjQuMS4wIgpAQCAtOTE4NiwxNiArOTE5MSwxMSBAQCB1Z2xpZnktanNAXjMuMS40OgogICAgIGNvbW1hbmRlciAifjIuMjAuMCIKICAgICBzb3VyY2UtbWFwICJ+MC42LjEiCiAKLXVuZGVyc2NvcmVAPj0xLjUueDoKK3VuZGVyc2NvcmVAXjEuOC4wOgogICB2ZXJzaW9uICIxLjkuMSIKICAgcmVzb2x2ZWQgImh0dHBzOi8vcmVnaXN0cnkueWFybnBrZy5jb20vdW5kZXJzY29yZS8tL3VuZGVyc2NvcmUtMS45LjEudGd6IzA2ZGNlMzRhMGU2OGE3YmFiYzI5YjM2NWI4ZTc0Yjg5MjUyMDM5NjEiCiAgIGludGVncml0eSBzaGE1MTItNS80ZXRuQ2tkOWM4Z3dnb3dpNS9vbS9tWU81YWpDYU9nZHpqL29XKzBlUVY5V3hLQkRadzUreWNtS21lYVRYakluUy9XMEJ6cEdMbzJ4UjJhQndaZGc9PQogCi11bmRlcnNjb3JlQH4xLjYuMDoKLSAgdmVyc2lvbiAiMS42LjAiCi0gIHJlc29sdmVkICJodHRwczovL3JlZ2lzdHJ5Lnlhcm5wa2cuY29tL3VuZGVyc2NvcmUvLS91bmRlcnNjb3JlLTEuNi4wLnRneiM4YjM4YjEwY2FjZGVmNjMzMzdiOGIyNGU0ZmY4NmQ0NWFlYTUyOWE4IgotICBpbnRlZ3JpdHkgc2hhMS1peml4REt6ZTlqTTN1TEpPVC9odFJhNmxLYWc9Ci0KIHVuaWNvZGUtY2Fub25pY2FsLXByb3BlcnR5LW5hbWVzLWVjbWFzY3JpcHRAXjEuMC40OgogICB2ZXJzaW9uICIxLjAuNCIKICAgcmVzb2x2ZWQgImh0dHBzOi8vcmVnaXN0cnkueWFybnBrZy5jb20vdW5pY29kZS1jYW5vbmljYWwtcHJvcGVydHktbmFtZXMtZWNtYXNjcmlwdC8tL3VuaWNvZGUtY2Fub25pY2FsLXByb3BlcnR5LW5hbWVzLWVjbWFzY3JpcHQtMS4wLjQudGd6IzI2MTk4MDBjNGM4MjU4MDBlZmRkODM0M2FmN2RkOTkzM2NiZTI4MTgiCkBAIC05ODgzLDMxICs5ODgzLDMxIEBAIHgtaXMtc3RyaW5nQF4wLjEuMDoKICAgcmVzb2x2ZWQgImh0dHBzOi8vcmVnaXN0cnkueWFybnBrZy5jb20veC1pcy1zdHJpbmcvLS94LWlzLXN0cmluZy0wLjEuMC50Z3ojNDc0YjUwODY1YWYzYTQ5YTljNDY1N2YwNWFjZDE0NTQ1OGY3N2Q4MiIKICAgaW50ZWdyaXR5IHNoYTEtUjB0UWhscnpwSnFjUmxmd1dzMFVWRmozZllJPQogCi14bWwtY3J5cHRvQF4wLjguMToKLSAgdmVyc2lvbiAiMC44LjUiCi0gIHJlc29sdmVkICJodHRwczovL3JlZ2lzdHJ5Lnlhcm5wa2cuY29tL3htbC1jcnlwdG8vLS94bWwtY3J5cHRvLTAuOC41LnRneiMyYmJjZmIzZWIzM2YzYTgyYTIxOGI4MjJiZjY3MmI2YjFjMjBlNTM4IgotICBpbnRlZ3JpdHkgc2hhMS1LN3o3UHJNL09vS2lHTGdpdjJjcmF4d2c1VGc9Cit4bWwtY3J5cHRvQF4wLjEwLjA6CisgIHZlcnNpb24gIjAuMTAuMSIKKyAgcmVzb2x2ZWQgImh0dHBzOi8vcmVnaXN0cnkueWFybnBrZy5jb20veG1sLWNyeXB0by8tL3htbC1jcnlwdG8tMC4xMC4xLnRneiNmODMyZjc0Y2NmNTZmMjRhZmNhZTExNjNhMWZjYWI0NGQ5Njc3NGE4IgorICBpbnRlZ3JpdHkgc2hhMS0rREwzVE05VzhrcjhyaEZqb2Z5clJObG5kS2c9CiAgIGRlcGVuZGVuY2llczoKICAgICB4bWxkb20gIj0wLjEuMTkiCiAgICAgeHBhdGguanMgIj49MC4wLjMiCiAKLXhtbC1lbmNyeXB0aW9uQH4wLjcuNDoKLSAgdmVyc2lvbiAiMC43LjQiCi0gIHJlc29sdmVkICJodHRwczovL3JlZ2lzdHJ5Lnlhcm5wa2cuY29tL3htbC1lbmNyeXB0aW9uLy0veG1sLWVuY3J5cHRpb24tMC43LjQudGd6IzQyNzkxZWM2NGQ1NTZkMjQ1NWRjYjlkYTBhNTQxMjM2NjVhYzY1YzciCi0gIGludGVncml0eSBzaGExLVFua2V4azFWYlNSVjNMbmFDbFFTTm1Xc1pjYz0KK3htbC1lbmNyeXB0aW9uQF4wLjExLjA6CisgIHZlcnNpb24gIjAuMTEuMiIKKyAgcmVzb2x2ZWQgImh0dHBzOi8vcmVnaXN0cnkueWFybnBrZy5jb20veG1sLWVuY3J5cHRpb24vLS94bWwtZW5jcnlwdGlvbi0wLjExLjIudGd6I2MyMTdmNTUwOTU0N2UzNGI1MDBiODI5ZjJjMGJjYTg1Y2NhNzNhMjEiCisgIGludGVncml0eSBzaGE1MTItalZ2RVM3aTVvdmRPN04rTmpnbmNBMzI2eFlLamhxZUFubnZJZ1JuWTdST0xDZkZxRURMd1AwU3hwLzMwU0hHMEFYUVYxMDQ4VDV5aW5PRnl2d0dGemc9PQogICBkZXBlbmRlbmNpZXM6Ci0gICAgYXN5bmMgIn4wLjIuNyIKLSAgICBlanMgIn4wLjguMyIKLSAgICBub2RlLWZvcmdlICIwLjIuMjQiCisgICAgYXN5bmMgIl4yLjEuNSIKKyAgICBlanMgIl4yLjUuNiIKKyAgICBub2RlLWZvcmdlICJeMC43LjAiCiAgICAgeG1sZG9tICJ+MC4xLjE1IgotICAgIHhwYXRoICIwLjAuNSIKKyAgICB4cGF0aCAiMC4wLjI3IgogCiB4bWwtbmFtZS12YWxpZGF0b3JAXjMuMC4wOgogICB2ZXJzaW9uICIzLjAuMCIKICAgcmVzb2x2ZWQgImh0dHBzOi8vcmVnaXN0cnkueWFybnBrZy5jb20veG1sLW5hbWUtdmFsaWRhdG9yLy0veG1sLW5hbWUtdmFsaWRhdG9yLTMuMC4wLnRneiM2YWU3M2UwNmRlNGQ4YzZlNDdmOWZiMTgxZjc4ZDY0OGFkNDU3YzZhIgogICBpbnRlZ3JpdHkgc2hhNTEyLUE1Q1VwdHhEc3Z4S0pFVTN5TzZEdVdCU0p6L3FpenF6SktPTUlmVUpIRVRiQncvc0ZhRHhnZDZmeG0xZXdVYU0walo0NDRGYzV2QzVST1l1cmcvNFB3PT0KIAoteG1sMmpzQH4wLjQuMToKK3htbDJqc0BeMC40LjA6CiAgIHZlcnNpb24gIjAuNC4xOSIKICAgcmVzb2x2ZWQgImh0dHBzOi8vcmVnaXN0cnkueWFybnBrZy5jb20veG1sMmpzLy0veG1sMmpzLTAuNC4xOS50Z3ojNjg2YzIwZjIxMzIwOWU5NGFiZjBkMWJjZjFlZmFhMjkxYzc4MjdhNyIKICAgaW50ZWdyaXR5IHNoYTUxMi1lc1puSlpKT2lKUjl3V0tNeXV2U0UxeTZEcTVMQ3VKYW5xaHhzbEgyYnhNNmR1YWhOWitITXBDTGhCUUdaa2JYNnhSZjh4MVkyZUpsZ3QycTNxbzQ5UT09CkBAIC05OTE1LDEyICs5OTE1LDEyIEBAIHhtbDJqc0B+MC40LjE6CiAgICAgc2F4ICI+PTAuNi4wIgogICAgIHhtbGJ1aWxkZXIgIn45LjAuMSIKIAoteG1sYnVpbGRlckB+Mi4xLjA6Ci0gIHZlcnNpb24gIjIuMS4wIgotICByZXNvbHZlZCAiaHR0cHM6Ly9yZWdpc3RyeS55YXJucGtnLmNvbS94bWxidWlsZGVyLy0veG1sYnVpbGRlci0yLjEuMC50Z3ojNmRkYWUzMTY4M2I2ZGYxMjEwMGIyOWZjOGEwZDRmNDYzNDlhYmJlZCIKLSAgaW50ZWdyaXR5IHNoYTEtYmRyakZvTzIzeElRQ3luOGlnMVBSalNhdSswPQoreG1sYnVpbGRlckB+Mi4yLjA6CisgIHZlcnNpb24gIjIuMi4xIgorICByZXNvbHZlZCAiaHR0cHM6Ly9yZWdpc3RyeS55YXJucGtnLmNvbS94bWxidWlsZGVyLy0veG1sYnVpbGRlci0yLjIuMS50Z3ojOTMyNjQzMGYxMzBkODc0MzVkNGM0MDg2NjQzYWEyOTI2ZTEwNWEzMiIKKyAgaW50ZWdyaXR5IHNoYTEta3laRER4TU5oME5kVEVDR1pEcWlrbTRRV2pJPQogICBkZXBlbmRlbmNpZXM6Ci0gICAgdW5kZXJzY29yZSAiPj0xLjUueCIKKyAgICBsb2Rhc2gtbm9kZSAifjIuNC4xIgogCiB4bWxidWlsZGVyQH45LjAuMToKICAgdmVyc2lvbiAiOS4wLjciCkBAIC05OTM3LDcgKzk5MzcsNyBAQCB4bWxkb21APTAuMS4xOToKICAgcmVzb2x2ZWQgImh0dHBzOi8vcmVnaXN0cnkueWFybnBrZy5jb20veG1sZG9tLy0veG1sZG9tLTAuMS4xOS50Z3ojNjMxZmMwNzc3NmVmZDg0MTE4YmYyNTE3MWIzN2VkNGQwNzVhMGFiYyIKICAgaW50ZWdyaXR5IHNoYTEtWXgvQWQzYnYyRUVZdnlVWEd6ZnRUUWRhQ3J3PQogCi14bWxkb21AfjAuMS4xNSwgeG1sZG9tQH4wLjEuMTk6Cit4bWxkb21AXjAuMS4wLCB4bWxkb21AfjAuMS4xNToKICAgdmVyc2lvbiAiMC4xLjI3IgogICByZXNvbHZlZCAiaHR0cHM6Ly9yZWdpc3RyeS55YXJucGtnLmNvbS94bWxkb20vLS94bWxkb20tMC4xLjI3LnRneiNkNTAxZjk3YjNiZGI0MDNhZjhlZjllY2MyMDU3MzE4N2FhZGFjMGU5IgogICBpbnRlZ3JpdHkgc2hhMS0xUUg1ZXp2YlFEcjQ3NTdNSUZjeGg2cmF3T2s9CkBAIC05OTQ3LDEwICs5OTQ3LDEwIEBAIHhwYXRoLmpzQD49MC4wLjM6CiAgIHJlc29sdmVkICJodHRwczovL3JlZ2lzdHJ5Lnlhcm5wa2cuY29tL3hwYXRoLmpzLy0veHBhdGguanMtMS4xLjAudGd6IzM4MTZhNDRlZDRiYjM1MjA5MTA4M2QwMDJhMzgzZGQ1MTA0YTVmZjEiCiAgIGludGVncml0eSBzaGE1MTItamcrcWtmUzRLOEU3OTY1c3FhVWw4bVJuZ1hpS2IzV1pHZk9OZ0UxOHByMDNGVVFpdVNWNkcrRWo0dFM1NUIrcklRU0ZFSXczcGhkVkFRNHBQcU5XZlE9PQogCi14cGF0aEAwLjAuNToKLSAgdmVyc2lvbiAiMC4wLjUiCi0gIHJlc29sdmVkICJodHRwczovL3JlZ2lzdHJ5Lnlhcm5wa2cuY29tL3hwYXRoLy0veHBhdGgtMC4wLjUudGd6IzQ1NDAzNmY2ZWYwZjNkZjVhZjVkNGJhNGExMTlmYjc1Njc0YjNlNmMiCi0gIGludGVncml0eSBzaGExLVJVQTI5dThQUGZXdlhVdWtvUm43ZFdkTFBtdz0KK3hwYXRoQDAuMC4yNzoKKyAgdmVyc2lvbiAiMC4wLjI3IgorICByZXNvbHZlZCAiaHR0cHM6Ly9yZWdpc3RyeS55YXJucGtnLmNvbS94cGF0aC8tL3hwYXRoLTAuMC4yNy50Z3ojZGQzNDIxZmJkY2M1NjQ2YWMzMmM0ODUzMWI0ZDdlOWQwYzJjZmE5MiIKKyAgaW50ZWdyaXR5IHNoYTUxMi1mZzAzV1J4dGtDVjZvaENsZVBOQUVDWXNtcEtLVHY1TDh5L1gzRG4xaFFyZWMzUE94MmpIWi8wUDJxUTZIdnNyVTFCbWVxWGNvZjNOR0d1ZUc2THh3UT09CiAKIHhyZWdleHBANC4wLjA6CiAgIHZlcnNpb24gIjQuMC4wIgo="
    }
  ],
-  "remediations": [],
  "dependency_files": [
    {
      "path": "yarn.lock",
@@ -1298,6 +1396,12 @@
          },
          "version": "1.0.0"
        },
+        {
+          "package": {
+            "name": "async"
+          },
+          "version": "0.2.10"
+        },
        {
          "package": {
            "name": "async"
@@ -2318,6 +2422,12 @@
          },
          "version": "0.1.4"
        },
+        {
+          "package": {
+            "name": "debug"
+          },
+          "version": "1.0.5"
+        },
        {
          "package": {
            "name": "debug"
@@ -2612,6 +2722,12 @@
          },
          "version": "1.1.1"
        },
+        {
+          "package": {
+            "name": "ejs"
+          },
+          "version": "0.8.8"
+        },
        {
          "package": {
            "name": "electron-to-chromium"
@@ -4898,6 +5014,12 @@
          },
          "version": "2.3.2"
        },
+        {
+          "package": {
+            "name": "node-forge"
+          },
+          "version": "0.2.24"
+        },
        {
          "package": {
            "name": "node-forge"
@@ -6506,6 +6628,12 @@
          },
          "version": "2.1.2"
        },
+        {
+          "package": {
+            "name": "saml2-js"
+          },
+          "version": "1.8.1"
+        },
        {
          "package": {
            "name": "sane"
@@ -7244,6 +7372,18 @@
          },
          "version": "3.5.6"
        },
+        {
+          "package": {
+            "name": "underscore"
+          },
+          "version": "1.6.0"
+        },
+        {
+          "package": {
+            "name": "underscore"
+          },
+          "version": "1.9.1"
+        },
        {
          "package": {
            "name": "unicode-canonical-property-names-ecmascript"
@@ -7778,18 +7918,72 @@
          },
          "version": "0.1.0"
        },
+        {
+          "package": {
+            "name": "xml-crypto"
+          },
+          "version": "0.8.5"
+        },
+        {
+          "package": {
+            "name": "xml-encryption"
+          },
+          "version": "0.7.4"
+        },
        {
          "package": {
            "name": "xml-name-validator"
          },
          "version": "3.0.0"
        },
+        {
+          "package": {
+            "name": "xml2js"
+          },
+          "version": "0.4.19"
+        },
+        {
+          "package": {
+            "name": "xmlbuilder"
+          },
+          "version": "2.1.0"
+        },
+        {
+          "package": {
+            "name": "xmlbuilder"
+          },
+          "version": "9.0.7"
+        },
        {
          "package": {
            "name": "xmlchars"
          },
          "version": "1.3.1"
        },
+        {
+          "package": {
+            "name": "xmldom"
+          },
+          "version": "0.1.19"
+        },
+        {
+          "package": {
+            "name": "xmldom"
+          },
+          "version": "0.1.27"
+        },
+        {
+          "package": {
+            "name": "xpath"
+          },
+          "version": "0.0.5"
+        },
+        {
+          "package": {
+            "name": "xpath.js"
+          },
+          "version": "1.1.0"
+        },
        {
          "package": {
            "name": "xregexp"

--- a/qa/qa/ee/fixtures/secure_premade_reports/yarn.lock
+++ b/qa/qa/ee/fixtures/secure_premade_reports/yarn.lock
--- a/qa/qa/ee/page/merge_request/show.rb
+++ b/qa/qa/ee/page/merge_request/show.rb
@@ -41,6 +41,14 @@ module QA
                element :vulnerability_report_grouped
              end

+              view 'app/assets/javascripts/reports/components/report_section.vue' do
+                element :expand_report_button
+              end
+
+              view 'ee/app/assets/javascripts/vue_shared/security_reports/components/modal_footer.vue' do
+                element :resolve_split_button
+              end
+
              def start_review
                click_element :start_review
              end
@@ -78,6 +86,22 @@ module QA
                end
              end

+              def expand_vulnerability_report
+                click_element :expand_report_button
+              end
+
+              def click_vulnerability(name)
+                within_element :vulnerability_report_grouped do
+                  click_on name
+                end
+              end
+
+              def resolve_vulnerability_with_mr(name)
+                expand_vulnerability_report
+                click_vulnerability(name)
+                click_element :resolve_split_button
+              end
+
              def has_vulnerability_report?(timeout: 60)
                wait(reload: true, max: timeout, interval: 1) do
                  finished_loading?

--- a/qa/qa/specs/features/ee/browser_ui/secure/create_merge_request_with_secure_spec.rb
+++ b/qa/qa/specs/features/ee/browser_ui/secure/create_merge_request_with_secure_spec.rb
@@ -51,7 +51,17 @@ module QA
      it 'displays the Security report in the merge request' do
        Page::MergeRequest::Show.perform do |mergerequest|
          expect(mergerequest).to have_vulnerability_report(timeout: 60)
-          expect(mergerequest).to have_detected_vulnerability_count_of "2"
+          expect(mergerequest).to have_detected_vulnerability_count_of "4"
+        end
+      end
+
+      it 'can create an auto-remediation MR' do
+        Page::MergeRequest::Show.perform do |mergerequest|
+          vuln_name = "Authentication bypass via incorrect DOM traversal and canonicalization in saml2-js"
+
+          expect(mergerequest).to have_vulnerability_report(timeout: 60)
+          mergerequest.resolve_vulnerability_with_mr vuln_name
+          expect(mergerequest).to have_title vuln_name
        end
      end
    end

--- a/qa/qa/specs/features/ee/browser_ui/secure/security_reports_spec.rb
+++ b/qa/qa/specs/features/ee/browser_ui/secure/security_reports_spec.rb
 # frozen_string_literal: true

 require 'pathname'
+NUMBER_OF_DEPENDENCIES_IN_FIXTURE = 1309

 module QA
  context 'Secure', :docker do
@@ -57,7 +58,7 @@ module QA
        Page::Project::Pipeline::Show.perform do |pipeline|
          pipeline.click_on_security
          expect(pipeline).to have_dependency_report
-          expect(pipeline).to have_content("Dependency scanning detected 2")
+          expect(pipeline).to have_content("Dependency scanning detected 4")
          pipeline.expand_dependency_report
          expect(pipeline).to have_content("jQuery before 3.4.0")
        end
@@ -87,7 +88,7 @@ module QA
        Page::Project::Menu.perform(&:click_on_dependency_list)

        EE::Page::Project::Secure::DependencyList.perform do |page|
-          expect(page).to have_dependency_count_of "1293"
+          expect(page).to have_dependency_count_of NUMBER_OF_DEPENDENCIES_IN_FIXTURE
        end
      end
    end