Merge branch '196723-standalone-vulnerability-list' into 'master'

Creates the standalone vulnerability list page See merge request gitlab-org/gitlab!23438

Merge branch '196723-standalone-vulnerability-list' into 'master'
Creates the standalone vulnerability list page See merge request gitlab-org/gitlab!23438
c4d4ed57 · Natalia Tepluhina · 4d216218 · edb35d13 · c4d4ed57 · c4d4ed57
Commit c4d4ed57 authored Feb 07, 2020 by Natalia Tepluhina
11 changed files
--- a/ee/app/controllers/projects/security/vulnerabilities_controller.rb
+++ b/ee/app/controllers/projects/security/vulnerabilities_controller.rb
+# frozen_string_literal: true
+
+module Projects
+  module Security
+    class VulnerabilitiesController < Projects::ApplicationController
+      include SecurityDashboardsPermissions
+
+      alias_method :vulnerable, :project
+
+      def index
+        return render_404 unless Feature.enabled?(:first_class_vulnerabilities, project)
+
+        @vulnerabilities = project.vulnerabilities.page(params[:page])
+      end
+    end
+  end
+end
--- a/ee/app/helpers/ee/gitlab_routing_helper.rb
+++ b/ee/app/helpers/ee/gitlab_routing_helper.rb
@@ -39,6 +39,10 @@ module EE
      project_settings_ci_cd_path(project, anchor: 'js-license-management')
    end

+    def vulnerability_path(entity, *args)
+      project_security_dashboard_path(entity.project, entity, *args)
+    end
+
    def self.url_helper(route_name)
      define_method("#{route_name}_url") do |*args|
        path = public_send(:"#{route_name}_path", *args) # rubocop:disable GitlabSecurity/PublicSend

--- a/ee/app/helpers/ee/projects_helper.rb
+++ b/ee/app/helpers/ee/projects_helper.rb
@@ -167,9 +167,10 @@ module EE
    def sidebar_security_paths
      %w[
        projects/security/configuration#show
-        projects/security/dashboard#show
-        projects/dependencies#show
-        projects/licenses#show
+        projects/security/dashboard#index
+        projects/security/vulnerabilities#index
+        projects/dependencies#index
+        projects/licenses#index
        projects/threat_monitoring#show
      ]
    end

--- a/ee/app/views/layouts/nav/sidebar/_project_security_link.html.haml
+++ b/ee/app/views/layouts/nav/sidebar/_project_security_link.html.haml
@@ -16,19 +16,23 @@
            = _('Security & Compliance')

      %li.divider.fly-out-top-item
-
      - if project_nav_tab?(:security)
-        = nav_link(path: 'projects/security/dashboard#show') do
+        = nav_link(path: 'projects/security/dashboard#index') do
          = link_to project_security_dashboard_index_path(@project), title: _('Security Dashboard') do
            %span= _('Security Dashboard')

+      - if project_nav_tab?(:security) && Feature.enabled?(:first_class_vulnerabilities, @project)
+        = nav_link(path: 'projects/security/vulnerabilities#index') do
+          = link_to project_security_vulnerabilities_path(@project), title: _('Vulnerability List') do
+            %span= _('Vulnerability List')
+
      - if project_nav_tab?(:dependencies)
        = nav_link(path: 'projects/dependencies#index') do
          = link_to project_dependencies_path(@project), title: _('Dependency List'), data: { qa_selector: 'dependency_list_link' } do
            %span= _('Dependency List')

      - if project_nav_tab?(:licenses)
-        = nav_link(path: 'projects/licenses#show') do
+        = nav_link(path: 'projects/licenses#index') do
          = link_to project_licenses_path(@project), title: _('License Compliance'), data: { qa_selector: 'licenses_list_link' } do
            %span= _('License Compliance')


--- a/ee/app/views/projects/security/dashboard/list.html.haml
+++ b/ee/app/views/projects/security/dashboard/list.html.haml
- @content_class = "limit-container-width" unless fluid_layout
-# - add_to_breadcrumbs _("Security Dashboard"), project_security_dashboard_index_path(@project)
- breadcrumb_title "Vulnerability list"
- page_title "Vulnerability list"
-
-.issue-details.issuable-details
-  .detail-page-description.content-block
-    %h2.title= Vulnerability List
-
--- a/ee/app/views/projects/security/dashboard/show.html.haml
+++ b/ee/app/views/projects/security/dashboard/show.html.haml
@@ -14,7 +14,7 @@
        - pipeline_link = '<a href="%{url}">%{id}</a>'.html_safe % { url: pipeline_url(@pipeline), id: @pipeline.id }
        = _('Detected %{timeago} in pipeline %{pipeline_link}').html_safe % { pipeline_link: pipeline_link, timeago: timeago }
    - else
-      %spa#js-vulnerability-created
+      %span#js-vulnerability-created
        = time_ago_with_tooltip(@vulnerability.created_at)

 .issue-details.issuable-details

--- a/ee/app/views/projects/security/vulnerabilities/index.html.haml
+++ b/ee/app/views/projects/security/vulnerabilities/index.html.haml
+- add_to_breadcrumbs _("Security Dashboard"), project_security_dashboard_index_path(@project)
+- breadcrumb_title _("Vulnerabilities")
+- page_title _("Vulnerabilities")
+
+.issue-details.issuable-details
+  %h2.title= _("Vulnerabilities")
+
+  %table.table.b-table.b-table-stacked-sm.gl-table.vulnerabilities-list{ "aria-colcount" => "3", :role => "table" }
+    - if @vulnerabilities.blank?
+      %tbody{ :role => "rowgroup" }
+        %tr.b-table-empty-row{ :role => "row" }
+          %td{ :role => "cell" }
+            .empty-state
+              .svg-250.svg-content
+                = image_tag 'illustrations/security-dashboard-empty-state.svg', alt: _("No vulnerabilities found for this project")
+              .text-content
+                %h4.center= _("No vulnerabilities found for this project")
+                %p= _("While it's rare to have no vulnerabilities for your project, it can happen. In any event, we ask that you double check your settings to make sure you've set up your dashboard correctly.")
+
+    - else
+      %thead{ :role => "rowgroup" }
+        %tr{ :role => "row" }
+          %th.gl-w-64{ "aria-colindex" => "1", :role => "columnheader", :scope => "col" }= s_("Vulnerability|Status")
+          %th.gl-w-64{ "aria-colindex" => "2", :role => "columnheader", :scope => "col" }= s_("Vulnerability|Severity")
+          %th{ "aria-colindex" => "3", :role => "columnheader", :scope => "col" }= _("Description")
+      %tbody{ :role => "rowgroup" }
+        - @vulnerabilities.each do |vulnerability|
+          %tr.js-vulnerability{ :role => "row" }
+            %td{ "aria-colindex" => "1", :role => "cell", "data-label" => s_("Vulnerability|Status") }
+              .text-capitalize= vulnerability.state
+            %td{ "aria-colindex" => "2", :role => "cell", "data-label" => s_("Vulnerability|Severity") }
+              .text-nowrap
+                - if vulnerability.severity === 'critical'
+                  = sprite_icon("severity-critical", size: 12, css_class: "align-middle text-danger-800")
+                - elsif vulnerability.severity === 'high'
+                  = sprite_icon("severity-high", size: 12, css_class: "align-middle text-danger-600")
+                - elsif vulnerability.severity === 'medium'
+                  = sprite_icon("severity-medium", size: 12, css_class: "align-middle text-warning-400")
+                - elsif vulnerability.severity === 'low'
+                  = sprite_icon("severity-low", size: 12, css_class: "align-middle text-warning-300")
+                - elsif vulnerability.severity === 'info'
+                  = sprite_icon("severity-info", size: 12, css_class: "align-middle text-primary-400")
+                - else
+                  = sprite_icon("severity-unknown", size: 12, css_class: "align-middle text-secondary-400")
+                %span.align-middle.ml-1.text-capitalize= vulnerability.severity
+            %td{ "aria-colindex" => "2", :role => "cell", "data-label" => _("Description") }
+              %div
+                = link_to vulnerability.title, vulnerability_path(vulnerability), :class => "text-body"
+                - if vulnerability.finding
+                  %br
+                  %span.text-muted.small= vulnerability.finding.location["file"]
+
+  = paginate @vulnerabilities, theme: "gitlab"
--- a/ee/changelogs/unreleased/196723-standalone-vulnerability-list.yml
+++ b/ee/changelogs/unreleased/196723-standalone-vulnerability-list.yml
+---
+title: Creates the standalone vulnerability list page
+merge_request: 23438
+author:
+type: added
--- a/ee/config/routes/project.rb
+++ b/ee/config/routes/project.rb
@@ -87,6 +87,8 @@ constraints(::Constraints::ProjectUrlConstrainer.new) do
              get :summary
            end
          end
+
+          resources :vulnerabilities, only: [:index]
        end

        namespace :analytics do

--- a/ee/spec/controllers/projects/security/vulnerabilities_controller_spec.rb
+++ b/ee/spec/controllers/projects/security/vulnerabilities_controller_spec.rb
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe Projects::Security::VulnerabilitiesController do
+  let_it_be(:group)   { create(:group) }
+  let_it_be(:project) { create(:project, :repository, :public, namespace: group) }
+  let_it_be(:user)    { create(:user) }
+
+  it_behaves_like SecurityDashboardsPermissions do
+    let(:vulnerable) { project }
+
+    let(:security_dashboard_action) do
+      get :index, params: { namespace_id: project.namespace, project_id: project }
+    end
+  end
+
+  before do
+    group.add_developer(user)
+    stub_licensed_features(security_dashboard: true)
+    allow(Kaminari.config).to receive(:default_per_page).and_return(1)
+  end
+
+  describe 'GET #index' do
+    render_views
+
+    def show_vulnerability_list(current_user = user)
+      sign_in(current_user)
+      get :index, params: { namespace_id: project.namespace, project_id: project }
+    end
+
+    context "when we have vulnerabilities" do
+      2.times do
+        let_it_be(:vulnerability) { create(:vulnerability, project: project) }
+        let_it_be(:finding) { create(:vulnerabilities_occurrence, vulnerability: vulnerability) }
+      end
+
+      it 'renders the vulnerability list' do
+        show_vulnerability_list
+
+        expect(response).to have_gitlab_http_status(:ok)
+        expect(response).to render_template(:index)
+        expect(response.body).to have_css(".vulnerabilities-list")
+      end
+
+      it 'renders the first vulnerability' do
+        show_vulnerability_list
+
+        expect(response.body).to have_css(".js-vulnerability", count: 1)
+      end
+
+      it 'renders the pagination' do
+        show_vulnerability_list
+
+        expect(response.body).to have_css(".gl-pagination")
+      end
+    end
+
+    context "when we have no vulnerabilities" do
+      it 'renders the empty state' do
+        show_vulnerability_list
+
+        expect(response).to have_gitlab_http_status(:ok)
+        expect(response.body).to have_css('.empty-state')
+      end
+    end
+
+    context 'when the feature flag is disabled' do
+      before do
+        stub_feature_flags(first_class_vulnerabilities: false)
+      end
+
+      it 'renders the 404 page' do
+        show_vulnerability_list
+
+        expect(response).to have_gitlab_http_status(:not_found)
+      end
+    end
+  end
+end
--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -21291,6 +21291,9 @@ msgstr ""
 msgid "Vulnerabilities over time"
 msgstr ""

+msgid "Vulnerability List"
+msgstr ""
+
 msgid "Vulnerability-Check"
 msgstr ""

@@ -21336,6 +21339,9 @@ msgstr ""
 msgid "Vulnerability|Severity"
 msgstr ""

+msgid "Vulnerability|Status"
+msgstr ""
+
 msgid "WIP"
 msgstr ""