Commit 12809ca5 authored by Jan Provaznik's avatar Jan Provaznik

Merge branch '280593-corpus-management-configuration' into 'master'

Add Corpus management to security configuration page

See merge request gitlab-org/gitlab!69302
parents e4b30512 bf7b8903
...@@ -10,6 +10,7 @@ import { ...@@ -10,6 +10,7 @@ import {
REPORT_TYPE_CONTAINER_SCANNING, REPORT_TYPE_CONTAINER_SCANNING,
REPORT_TYPE_CLUSTER_IMAGE_SCANNING, REPORT_TYPE_CLUSTER_IMAGE_SCANNING,
REPORT_TYPE_COVERAGE_FUZZING, REPORT_TYPE_COVERAGE_FUZZING,
REPORT_TYPE_CORPUS_MANAGEMENT,
REPORT_TYPE_API_FUZZING, REPORT_TYPE_API_FUZZING,
REPORT_TYPE_LICENSE_COMPLIANCE, REPORT_TYPE_LICENSE_COMPLIANCE,
} from '~/vue_shared/security_reports/constants'; } from '~/vue_shared/security_reports/constants';
...@@ -104,6 +105,12 @@ export const COVERAGE_FUZZING_CONFIG_HELP_PATH = helpPagePath( ...@@ -104,6 +105,12 @@ export const COVERAGE_FUZZING_CONFIG_HELP_PATH = helpPagePath(
{ anchor: 'configuration' }, { anchor: 'configuration' },
); );
export const CORPUS_MANAGEMENT_NAME = __('Corpus Management');
export const CORPUS_MANAGEMENT_DESCRIPTION = s__(
'SecurityConfiguration|Manage corpus files used as mutation sources in coverage fuzzing.',
);
export const CORPUS_MANAGEMENT_CONFIG_TEXT = s__('SecurityConfiguration|Manage corpus');
export const API_FUZZING_NAME = __('API Fuzzing'); export const API_FUZZING_NAME = __('API Fuzzing');
export const API_FUZZING_DESCRIPTION = __('Find bugs in your code with API fuzzing.'); export const API_FUZZING_DESCRIPTION = __('Find bugs in your code with API fuzzing.');
export const API_FUZZING_HELP_PATH = helpPagePath('user/application_security/api_fuzzing/index'); export const API_FUZZING_HELP_PATH = helpPagePath('user/application_security/api_fuzzing/index');
...@@ -202,6 +209,14 @@ export const securityFeatures = [ ...@@ -202,6 +209,14 @@ export const securityFeatures = [
helpPath: COVERAGE_FUZZING_HELP_PATH, helpPath: COVERAGE_FUZZING_HELP_PATH,
configurationHelpPath: COVERAGE_FUZZING_CONFIG_HELP_PATH, configurationHelpPath: COVERAGE_FUZZING_CONFIG_HELP_PATH,
type: REPORT_TYPE_COVERAGE_FUZZING, type: REPORT_TYPE_COVERAGE_FUZZING,
secondary: gon?.features?.corpusManagement
? {
type: REPORT_TYPE_CORPUS_MANAGEMENT,
name: CORPUS_MANAGEMENT_NAME,
description: CORPUS_MANAGEMENT_DESCRIPTION,
configurationText: CORPUS_MANAGEMENT_CONFIG_TEXT,
}
: {},
}, },
]; ];
......
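Review bot: The `secondary` value on the coverage-fuzzing entry is computed once when the constants module is evaluated, so it captures `gon.features.corpusManagement` at import time rather than when the feature list is rendered, and the flag-off fallback is an empty object, which is truthy — a consumer that tests `if (feature.secondary)` (if any does; not visible here) could not tell the two cases apart. Using `: undefined` instead of `: {}` for the fallback, or omitting the key, makes the absence explicit. A short comment above the ternary, `// Client-side gate; the presenter also returns a nil configuration_path for corpus_management when the flag is off`, would record that the same flag is checked server-side so the two gates do not drift. The `securityFeatures` array starts outside the hunk.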
...@@ -24,6 +24,7 @@ export const REPORT_TYPE_DEPENDENCY_SCANNING = 'dependency_scanning'; ...@@ -24,6 +24,7 @@ export const REPORT_TYPE_DEPENDENCY_SCANNING = 'dependency_scanning';
export const REPORT_TYPE_CONTAINER_SCANNING = 'container_scanning'; export const REPORT_TYPE_CONTAINER_SCANNING = 'container_scanning';
export const REPORT_TYPE_CLUSTER_IMAGE_SCANNING = 'cluster_image_scanning'; export const REPORT_TYPE_CLUSTER_IMAGE_SCANNING = 'cluster_image_scanning';
export const REPORT_TYPE_COVERAGE_FUZZING = 'coverage_fuzzing'; export const REPORT_TYPE_COVERAGE_FUZZING = 'coverage_fuzzing';
export const REPORT_TYPE_CORPUS_MANAGEMENT = 'corpus_management';
export const REPORT_TYPE_LICENSE_COMPLIANCE = 'license_scanning'; export const REPORT_TYPE_LICENSE_COMPLIANCE = 'license_scanning';
export const REPORT_TYPE_API_FUZZING = 'api_fuzzing'; export const REPORT_TYPE_API_FUZZING = 'api_fuzzing';
......
...@@ -14,6 +14,7 @@ module EE ...@@ -14,6 +14,7 @@ module EE
before_action only: [:show] do before_action only: [:show] do
push_frontend_feature_flag(:security_auto_fix, project, default_enabled: false) push_frontend_feature_flag(:security_auto_fix, project, default_enabled: false)
push_frontend_feature_flag(:corpus_management, project, default_enabled: :yaml)
end end
before_action only: [:auto_fix] do before_action only: [:auto_fix] do
......
...@@ -61,7 +61,8 @@ module Projects ...@@ -61,7 +61,8 @@ module Projects
scan(scan_type, configured: scanner_enabled?(scan_type)) scan(scan_type, configured: scanner_enabled?(scan_type))
end end
# DAST On-demand scans is a static (non job) entry. Add it manually. # These scans are "fake" (non job) entries. Add them manually.
scans << scan(:corpus_management, configured: true)
scans << scan(:dast_profiles, configured: true) scans << scan(:dast_profiles, configured: true)
end end
...@@ -93,7 +94,8 @@ module Projects ...@@ -93,7 +94,8 @@ module Projects
sast: project_security_configuration_sast_path(project), sast: project_security_configuration_sast_path(project),
dast: project_security_configuration_dast_path(project), dast: project_security_configuration_dast_path(project),
dast_profiles: project_security_configuration_dast_scans_path(project), dast_profiles: project_security_configuration_dast_scans_path(project),
api_fuzzing: project_security_configuration_api_fuzzing_path(project) api_fuzzing: project_security_configuration_api_fuzzing_path(project),
corpus_management: (project_security_configuration_corpus_management_path(project) if ::Feature.enabled?(:corpus_management, project, default_enabled: :yaml) && scanner_enabled?(:coverage_fuzzing))
}[type] }[type]
end end
......
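Review bot: The path hash in the method ending at `}[type]` is built eagerly on every call, so the new `corpus_management:` entry at its bottom evaluates `::Feature.enabled?(:corpus_management, ...)` and `scanner_enabled?(:coverage_fuzzing)` for every type looked up, not only for `:corpus_management`; the other entries only build route strings, so this adds a flag read and, presumably, a pipeline/build lookup to each call. Moving the gated value into a small named helper and short-circuiting on the type keeps the cost on the one branch that needs it and gives the long condition a name. Relatedly, the first hunk registers `scan(:corpus_management, configured: true)` unconditionally, so the entry reports `configured: true` while the flag is off and the only signal of unavailability is a nil `configuration_path`; a comment such as `# Always "configured"; availability is conveyed through configuration_path (nil when the flag is off or coverage fuzzing has not run)` would make that contract explicit. The method's `def` line is outside the hunk.
```ruby
  # Only corpus management needs the flag and pipeline checks; skip the eager hash for it.
  return corpus_management_configuration_path if type == :corpus_management

  {
    # … unchanged: sast, dast, dast_profiles, api_fuzzing route entries …
  }[type]
end

# Route to the corpus management page, or nil when the feature flag is off
# or coverage fuzzing has not run in a pipeline for this project.
def corpus_management_configuration_path
  return unless ::Feature.enabled?(:corpus_management, project, default_enabled: :yaml)
  return unless scanner_enabled?(:coverage_fuzzing)

  project_security_configuration_corpus_management_path(project)
end
```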
...@@ -62,7 +62,7 @@ RSpec.describe Projects::Security::ConfigurationController do ...@@ -62,7 +62,7 @@ RSpec.describe Projects::Security::ConfigurationController do
it 'responds in json format when requested' do it 'responds in json format when requested' do
get :show, params: { namespace_id: project.namespace, project_id: project, format: :json } get :show, params: { namespace_id: project.namespace, project_id: project, format: :json }
types = %w(sast dast dast_profiles dependency_scanning container_scanning cluster_image_scanning secret_detection coverage_fuzzing license_scanning api_fuzzing) types = %w(sast dast dast_profiles dependency_scanning container_scanning cluster_image_scanning secret_detection coverage_fuzzing license_scanning api_fuzzing corpus_management)
expect(response).to have_gitlab_http_status(:ok) expect(response).to have_gitlab_http_status(:ok)
expect(json_response['features'].map { |f| f['type'] }).to match_array(types) expect(json_response['features'].map { |f| f['type'] }).to match_array(types)
...@@ -188,6 +188,7 @@ RSpec.describe Projects::Security::ConfigurationController do ...@@ -188,6 +188,7 @@ RSpec.describe Projects::Security::ConfigurationController do
before do before do
stub_feature_flags(security_auto_fix: false) stub_feature_flags(security_auto_fix: false)
stub_feature_flags(corpus_management: false)
request request
end end
......
...@@ -90,7 +90,68 @@ RSpec.describe Projects::Security::ConfigurationPresenter do ...@@ -90,7 +90,68 @@ RSpec.describe Projects::Security::ConfigurationPresenter do
security_scan(:secret_detection, configured: true), security_scan(:secret_detection, configured: true),
security_scan(:coverage_fuzzing, configured: false), security_scan(:coverage_fuzzing, configured: false),
security_scan(:api_fuzzing, configured: false), security_scan(:api_fuzzing, configured: false),
security_scan(:dast_profiles, configured: true) security_scan(:dast_profiles, configured: true),
security_scan(:corpus_management, configured: true)
)
end
end
context "when coverage fuzzing has run in a pipeline with feature flag off" do
before do
stub_feature_flags(corpus_management: false)
pipeline = create(
:ci_pipeline,
:auto_devops_source,
project: project,
ref: project.default_branch,
sha: project.commit.sha
)
create(:ci_build, :coverage_fuzzing, pipeline: pipeline, status: 'success')
end
it 'reports that coverage fuzzing, corpus management, and DAST are configured' do
expect(Gitlab::Json.parse(subject[:features])).to contain_exactly(
security_scan(:dast, configured: false),
security_scan(:sast, configured: false),
security_scan(:container_scanning, configured: false),
security_scan(:cluster_image_scanning, configured: false),
security_scan(:dependency_scanning, configured: false),
security_scan(:license_scanning, configured: false),
security_scan(:secret_detection, configured: false),
security_scan(:coverage_fuzzing, configured: true),
security_scan(:api_fuzzing, configured: false),
security_scan(:dast_profiles, configured: true),
security_scan(:corpus_management, configured: true)
)
end
end
context "when coverage fuzzing has run in a pipeline with feature flag on" do
before do
stub_feature_flags(corpus_management: true)
pipeline = create(
:ci_pipeline,
:auto_devops_source,
project: project,
ref: project.default_branch,
sha: project.commit.sha
)
create(:ci_build, :coverage_fuzzing, pipeline: pipeline, status: 'success')
end
it 'reports that coverage fuzzing, corpus management, and DAST are configured' do
expect(Gitlab::Json.parse(subject[:features])).to contain_exactly(
security_scan(:dast, configured: false),
security_scan(:sast, configured: false),
security_scan(:container_scanning, configured: false),
security_scan(:cluster_image_scanning, configured: false),
security_scan(:dependency_scanning, configured: false),
security_scan(:license_scanning, configured: false),
security_scan(:secret_detection, configured: false),
security_scan(:coverage_fuzzing, configured: true),
security_scan(:api_fuzzing, configured: false),
security_scan(:dast_profiles, configured: true),
security_scan(:corpus_management, configured: true, configuration_path: project_security_configuration_corpus_management_path(project))
) )
end end
end end
...@@ -115,7 +176,8 @@ RSpec.describe Projects::Security::ConfigurationPresenter do ...@@ -115,7 +176,8 @@ RSpec.describe Projects::Security::ConfigurationPresenter do
security_scan(:secret_detection, configured: false), security_scan(:secret_detection, configured: false),
security_scan(:coverage_fuzzing, configured: false), security_scan(:coverage_fuzzing, configured: false),
security_scan(:api_fuzzing, configured: false), security_scan(:api_fuzzing, configured: false),
security_scan(:dast_profiles, configured: true) security_scan(:dast_profiles, configured: true),
security_scan(:corpus_management, configured: true)
) )
end end
end end
...@@ -147,7 +209,8 @@ RSpec.describe Projects::Security::ConfigurationPresenter do ...@@ -147,7 +209,8 @@ RSpec.describe Projects::Security::ConfigurationPresenter do
security_scan(:license_scanning, configured: false), security_scan(:license_scanning, configured: false),
security_scan(:secret_detection, configured: true), security_scan(:secret_detection, configured: true),
security_scan(:coverage_fuzzing, configured: false), security_scan(:coverage_fuzzing, configured: false),
security_scan(:api_fuzzing, configured: false) security_scan(:api_fuzzing, configured: false),
security_scan(:corpus_management, configured: true)
) )
end end
...@@ -171,7 +234,8 @@ RSpec.describe Projects::Security::ConfigurationPresenter do ...@@ -171,7 +234,8 @@ RSpec.describe Projects::Security::ConfigurationPresenter do
security_scan(:license_scanning, configured: false), security_scan(:license_scanning, configured: false),
security_scan(:secret_detection, configured: false), security_scan(:secret_detection, configured: false),
security_scan(:coverage_fuzzing, configured: false), security_scan(:coverage_fuzzing, configured: false),
security_scan(:api_fuzzing, configured: false) security_scan(:api_fuzzing, configured: false),
security_scan(:corpus_management, configured: true)
) )
end end
...@@ -188,7 +252,8 @@ RSpec.describe Projects::Security::ConfigurationPresenter do ...@@ -188,7 +252,8 @@ RSpec.describe Projects::Security::ConfigurationPresenter do
security_scan(:license_scanning, configured: true), security_scan(:license_scanning, configured: true),
security_scan(:secret_detection, configured: true), security_scan(:secret_detection, configured: true),
security_scan(:coverage_fuzzing, configured: false), security_scan(:coverage_fuzzing, configured: false),
security_scan(:api_fuzzing, configured: false) security_scan(:api_fuzzing, configured: false),
security_scan(:corpus_management, configured: true)
) )
end end
...@@ -241,13 +306,13 @@ RSpec.describe Projects::Security::ConfigurationPresenter do ...@@ -241,13 +306,13 @@ RSpec.describe Projects::Security::ConfigurationPresenter do
end end
end end
def security_scan(type, configured:) def security_scan(type, configured:, configuration_path: nil)
configuration_path = configuration_path(type) path = configuration_path || configuration_path(type)
{ {
"type" => type.to_s, "type" => type.to_s,
"configured" => configured, "configured" => configured,
"configuration_path" => configuration_path, "configuration_path" => path,
"available" => licensed_scan_types.include?(type) "available" => licensed_scan_types.include?(type)
} }
end end
...@@ -257,7 +322,8 @@ RSpec.describe Projects::Security::ConfigurationPresenter do ...@@ -257,7 +322,8 @@ RSpec.describe Projects::Security::ConfigurationPresenter do
dast: project_security_configuration_dast_path(project), dast: project_security_configuration_dast_path(project),
dast_profiles: project_security_configuration_dast_scans_path(project), dast_profiles: project_security_configuration_dast_scans_path(project),
sast: project_security_configuration_sast_path(project), sast: project_security_configuration_sast_path(project),
api_fuzzing: project_security_configuration_api_fuzzing_path(project) api_fuzzing: project_security_configuration_api_fuzzing_path(project),
corpus_management: nil
}[type] }[type]
end end
......
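Review bot: The two new contexts, "feature flag off" and "feature flag on", share the same example description, `'reports that coverage fuzzing, corpus management, and DAST are configured'`, although the first asserts a nil `configuration_path` for corpus management and the second asserts the real route; a failure in either would read identically in the output. Something like `it 'reports corpus management as configured but without a configuration path when the flag is off'` for the first keeps them distinguishable. In the `security_scan` helper the new keyword `configuration_path:` shadows the `configuration_path(type)` method called on the next line — the explicit parentheses keep it working, but renaming the keyword to `path:` (and the call site in the flag-on example) removes the ambiguity. The pipeline and build setup duplicated in both `before` blocks could be a shared `let!` or a small helper. The describe block begins and ends outside the hunks.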
...@@ -9240,6 +9240,9 @@ msgstr "" ...@@ -9240,6 +9240,9 @@ msgstr ""
msgid "Copy value" msgid "Copy value"
msgstr "" msgstr ""
msgid "Corpus Management"
msgstr ""
msgid "Corpus Management|Are you sure you want to delete the corpus?" msgid "Corpus Management|Are you sure you want to delete the corpus?"
msgstr "" msgstr ""
...@@ -29782,6 +29785,12 @@ msgstr "" ...@@ -29782,6 +29785,12 @@ msgstr ""
msgid "SecurityConfiguration|Immediately begin risk analysis and remediation with application security features. Start with SAST and Secret Detection, available to all plans. Upgrade to Ultimate to get all features, including:" msgid "SecurityConfiguration|Immediately begin risk analysis and remediation with application security features. Start with SAST and Secret Detection, available to all plans. Upgrade to Ultimate to get all features, including:"
msgstr "" msgstr ""
msgid "SecurityConfiguration|Manage corpus"
msgstr ""
msgid "SecurityConfiguration|Manage corpus files used as mutation sources in coverage fuzzing."
msgstr ""
msgid "SecurityConfiguration|Manage profiles for use by DAST scans." msgid "SecurityConfiguration|Manage profiles for use by DAST scans."
msgstr "" msgstr ""
......
...@@ -534,6 +534,14 @@ FactoryBot.define do ...@@ -534,6 +534,14 @@ FactoryBot.define do
end end
end end
trait :coverage_fuzzing do
options do
{
artifacts: { reports: { coverage_fuzzing: 'gl-coverage-fuzzing-report.json' } }
}
end
end
trait :license_scanning do trait :license_scanning do
options do options do
{ {
......