Commit da111e74 authored by Tetiana Chupryna's avatar Tetiana Chupryna Committed by Kamil Trzciński

Show DAST in Group Security Dashboard Back-End

parent edaa8a5f
...@@ -34,14 +34,16 @@ each one separately. ...@@ -34,14 +34,16 @@ each one separately.
The group security dashboard supports [SAST](../../project/merge_requests/sast.md), The group security dashboard supports [SAST](../../project/merge_requests/sast.md),
[Dependency Scanning](../../project/merge_requests/dependency_scanning.md), [Dependency Scanning](../../project/merge_requests/dependency_scanning.md),
and [Container Scanning](../../project/merge_requests/container_scanning.md). [Container Scanning](../../project/merge_requests/container_scanning.md),
and [DAST](../../project/merge_requests/dast.md).
## Requirements ## Requirements
To use the group security dashboard: To use the group security dashboard:
1. At least one project inside a group must be configured with 1. At least one project inside a group must be configured with
[Static Application Security Testing](../../project/merge_requests/sast.md), or [Dependency Scanning](../../project/merge_requests/dependency_scanning.md). [Static Application Security Testing](../../project/merge_requests/sast.md), or [Dependency Scanning](../../project/merge_requests/dependency_scanning.md),
or [Container Scanning](../../project/merge_requests/container_scanning.md), or [Dynamic Application Security Testing](../../project/merge_requests/dast.md).
2. The configured jobs must use the [new `reports` syntax](../../../ci/yaml/README.md#artifactsreports) (see an [example job](../../../ci/examples/sast.md)). 2. The configured jobs must use the [new `reports` syntax](../../../ci/yaml/README.md#artifactsreports) (see an [example job](../../../ci/examples/sast.md)).
3. [GitLab Runner](https://docs.gitlab.com/runner/) 11.5 or above must be used to execute the jobs. 3. [GitLab Runner](https://docs.gitlab.com/runner/) 11.5 or above must be used to execute the jobs.
......
...@@ -3,11 +3,6 @@ ...@@ -3,11 +3,6 @@
class Groups::Security::VulnerabilitiesController < Groups::Security::ApplicationController class Groups::Security::VulnerabilitiesController < Groups::Security::ApplicationController
HISTORY_RANGE = 3.months HISTORY_RANGE = 3.months
# NOTE: we need this scope because DAST vulnerabilities
# shouldn't appear in the Group Dashboard in the same as we're starting
# to save them in the database
DEFAULT_REPORT_SCOPE = [:sast, :dependency_scanning, :container_scanning].freeze
def index def index
vulnerabilities = found_vulnerabilities.ordered.page(params[:page]) vulnerabilities = found_vulnerabilities.ordered.page(params[:page])
...@@ -44,10 +39,8 @@ class Groups::Security::VulnerabilitiesController < Groups::Security::Applicatio ...@@ -44,10 +39,8 @@ class Groups::Security::VulnerabilitiesController < Groups::Security::Applicatio
private private
def filter_params def filter_params
filter_params = params.permit(report_type: [], project_id: [], severity: []) params.permit(report_type: [], project_id: [], severity: [])
.merge(hide_dismissed: Gitlab::Utils.to_boolean(params[:hide_dismissed])) .merge(hide_dismissed: Gitlab::Utils.to_boolean(params[:hide_dismissed]))
filter_params[:report_type] ||= DEFAULT_REPORT_SCOPE
filter_params
end end
def found_vulnerabilities(collection = :latest) def found_vulnerabilities(collection = :latest)
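Review bot: With `filter_params[:report_type] ||= DEFAULT_REPORT_SCOPE` dropped, an absent `report_type` now means no report-type restriction at all, and nothing in the controller says so any more — the removed NOTE above the constant was the only place that explained why DAST was excluded. A one-line comment above `def filter_params` would preserve that intent for the next reader: `# An absent report_type applies no type filter, so DAST is included by default.` That wording assumes whatever consumes filter_params treats a missing key as "all types", which is not visible in this hunk; confirm it against the finder. The `found_vulnerabilities` definition at the end of the hunk continues outside it.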
......
...@@ -65,7 +65,7 @@ module EE ...@@ -65,7 +65,7 @@ module EE
::Feature.disabled?(:parse_container_scanning_reports, default_enabled: true) ::Feature.disabled?(:parse_container_scanning_reports, default_enabled: true)
next if file_type == "dast" && next if file_type == "dast" &&
::Feature.disabled?(:parse_dast_reports, default_enabled: false) ::Feature.disabled?(:parse_dast_reports, default_enabled: true)
security_reports.get_report(file_type).tap do |security_report| security_reports.get_report(file_type).tap do |security_report|
next unless project.feature_available?(LICENSED_PARSER_FEATURES.fetch(file_type)) next unless project.feature_available?(LICENSED_PARSER_FEATURES.fetch(file_type))
......
---
title: Show DAST in Group Security Dashboard Back-End
merge_request: 10277
author:
type: added
...@@ -108,7 +108,6 @@ describe Groups::Security::VulnerabilitiesController do ...@@ -108,7 +108,6 @@ describe Groups::Security::VulnerabilitiesController do
context 'with multiple report types' do context 'with multiple report types' do
before do before do
projects.each do |project| projects.each do |project|
create_vulnerabilities(1, project_guest, { report_type: :dast })
create_vulnerabilities(2, project_guest, { report_type: :sast }) create_vulnerabilities(2, project_guest, { report_type: :sast })
create_vulnerabilities(1, project_dev, { report_type: :dependency_scanning }) create_vulnerabilities(1, project_dev, { report_type: :dependency_scanning })
end end
...@@ -219,14 +218,14 @@ describe Groups::Security::VulnerabilitiesController do ...@@ -219,14 +218,14 @@ describe Groups::Security::VulnerabilitiesController do
group.add_developer(user) group.add_developer(user)
end end
it 'returns vulnerabilities counts for :sast and :dependency_scanning' do it 'returns vulnerabilities counts for all report types' do
subject subject
expect(response).to have_gitlab_http_status(200) expect(response).to have_gitlab_http_status(200)
expect(json_response).to be_an(Hash) expect(json_response).to be_an(Hash)
expect(json_response['high']).to eq(3) expect(json_response['high']).to eq(3)
expect(json_response['low']).to eq(3) expect(json_response['low']).to eq(4)
expect(json_response['medium']).to eq(0) expect(json_response['medium']).to eq(1)
expect(response).to match_response_schema('vulnerabilities/summary', dir: 'ee') expect(response).to match_response_schema('vulnerabilities/summary', dir: 'ee')
end end
...@@ -323,11 +322,11 @@ describe Groups::Security::VulnerabilitiesController do ...@@ -323,11 +322,11 @@ describe Groups::Security::VulnerabilitiesController do
expect(response).to have_gitlab_http_status(200) expect(response).to have_gitlab_http_status(200)
expect(json_response).to be_an(Hash) expect(json_response).to be_an(Hash)
expect(json_response['total']).to eq({ '2018-11-10' => 5, '2018-11-12' => 3 }) expect(json_response['total']).to eq({ '2018-11-10' => 5, '2018-11-12' => 5 })
expect(json_response['critical']).to eq({ '2018-11-10' => 1 }) expect(json_response['critical']).to eq({ '2018-11-10' => 1 })
expect(json_response['high']).to eq({ '2018-11-10' => 2, '2018-11-12' => 1 }) expect(json_response['high']).to eq({ '2018-11-10' => 2, '2018-11-12' => 1 })
expect(json_response['medium']).to eq({}) expect(json_response['medium']).to eq({ '2018-11-12' => 1 })
expect(json_response['low']).to eq({ '2018-11-10' => 2, '2018-11-12' => 2 }) expect(json_response['low']).to eq({ '2018-11-10' => 2, '2018-11-12' => 3 })
expect(response).to match_response_schema('vulnerabilities/history', dir: 'ee') expect(response).to match_response_schema('vulnerabilities/history', dir: 'ee')
end end
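Review bot: The renamed example `it 'returns vulnerabilities counts for all report types'` promises more than the visible fixture covers: the `before` loop in the first hunk creates only `:dast`, `:sast` and `:dependency_scanning` vulnerabilities, with no `:container_scanning`. Either narrow the description, e.g. `it 'returns vulnerabilities counts for sast, dependency_scanning and dast' do`, or add a container-scanning fixture and adjust the summary and history expectations to match. The hunks are far apart, so confirm that the `before` shown here is the setup the summary context actually uses before changing either.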
......