Commit 12f11c83 authored by Aleksandr Soborov's avatar Aleksandr Soborov Committed by Walmyr Lima e Silva Filho

Added E2E tests for DAST reports

Additionally added a DAST report to the fixture

and revamped merge request test flow to wait for DAST.
parent d2750875
include:
template: Dependency-Scanning.gitlab-ci.yml
template: Container-Scanning.gitlab-ci.yml
template: SAST.gitlab-ci.yml
template: DAST.gitlab-ci.yml
dependency_scanning:
tags:
......@@ -29,8 +31,20 @@ sast:
tags:
- qa
- test
only: null # Template defaults to feature branches only
script:
- echo "Skipped"
artifacts:
reports:
sast: gl-sast-report.json
dast:
tags:
- qa
- test
only: null # Template defaults to feature branches only
script:
- echo "Skipped"
artifacts:
reports:
dast: gl-dast-report.json
......@@ -5,7 +5,7 @@ require 'pathname'
module QA
context 'Secure', :docker do
describe 'Security Reports in a Merge Request' do
let(:total_vuln_count) { 45 }
let(:total_vuln_count) { 49 }
after do
Service::Runner.new(@executor).remove!
......@@ -39,8 +39,7 @@ module QA
push.branch_name = 'secure-mr'
end
# Fabricate via browser UI to avoid independent navigation
Resource::MergeRequest.fabricate_via_browser_ui! do |mr|
merge_request = Resource::MergeRequest.fabricate_via_api! do |mr|
mr.project = @project
mr.source_branch = 'secure-mr'
mr.target_branch = 'master'
......@@ -48,6 +47,13 @@ module QA
mr.target = 'master'
mr.target_new_branch = false
end
@project.visit!
Page::Project::Menu.perform(&:click_ci_cd_pipelines)
Page::Project::Pipeline::Index.perform(&:click_on_latest_pipeline)
wait_for_job "dast"
merge_request.visit!
end
it 'displays the Security report in the merge request' do
......@@ -66,6 +72,15 @@ module QA
expect(mergerequest).to have_title vuln_name
end
end
def wait_for_job(job_name)
Page::Project::Pipeline::Show.perform do |pipeline|
pipeline.click_job(job_name)
end
Page::Project::Job::Show.perform do |job|
expect(job).to be_successful(timeout: 600)
end
end
end
end
end
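Review bot: The new `wait_for_job "dast"` in the third hunk is the only synchronisation before `merge_request.visit!`, yet the spec goes on to assert the combined count from all four scanners (`total_vuln_count` raised to 49 in the first hunk), so the flow is sound only if the `dast` job is guaranteed to finish after `sast`, `dependency_scanning` and `container_scanning`; the fixture's stage layout presumably ensures that, but nothing in the spec says so. A comment above the call, `# DAST runs in a later stage, so its success implies every other scanner job has completed`, would make the assumption explicit, and the same applies to the `wait_for_job "dast"` line in the second hunk of the Security Reports spec. The `wait_for_job` helper added in the last hunk also hard-codes `timeout: 600`; naming it (`DAST_JOB_TIMEOUT = 600` with a one-line reason for ten minutes) would document the choice. Since the sibling spec already calls an identically named helper, the two definitions could be merged into a shared support module rather than duplicated per file.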
......@@ -5,13 +5,15 @@ require 'pathname'
module QA
context 'Secure', :docker do
let(:number_of_dependencies_in_fixture) { 1309 }
let(:total_vuln_count) { 12 }
let(:total_vuln_count) { 52 }
let(:dependency_scan_vuln_count) { 4 }
let(:dependency_scan_example_vuln) { 'jQuery before 3.4.0' }
let(:container_scan_vuln_count) { 8 }
let(:container_scan_example_vuln) { 'CVE-2017-18269 in glibc' }
let(:sast_scan_vuln_count) { 33 }
let(:sast_scan_example_vuln) { 'Cipher with no integrity' }
let(:dast_scan_vuln_count) { 7 }
let(:dast_scan_example_vuln) { 'Cookie Without SameSite Attribute' }
describe 'Security Reports' do
after do
......@@ -47,7 +49,7 @@ module QA
Page::Project::Menu.perform(&:click_ci_cd_pipelines)
Page::Project::Pipeline::Index.perform(&:click_on_latest_pipeline)
wait_for_job "dependency_scanning"
wait_for_job "dast"
end
it 'displays security reports in the pipeline' do
......@@ -57,6 +59,8 @@ module QA
Page::Project::Pipeline::Show.perform do |pipeline|
pipeline.click_on_security
expect(pipeline).to have_vulnerability_count_of total_vuln_count
filter_report_and_perform(pipeline, "Dependency Scanning") do
expect(pipeline).to have_vulnerability_count_of dependency_scan_vuln_count
expect(pipeline).to have_content dependency_scan_example_vuln
......@@ -71,6 +75,11 @@ module QA
expect(pipeline).to have_vulnerability_count_of sast_scan_vuln_count
expect(pipeline).to have_content sast_scan_example_vuln
end
filter_report_and_perform(pipeline, "DAST") do
expect(pipeline).to have_vulnerability_count_of dast_scan_vuln_count
expect(pipeline).to have_content dast_scan_example_vuln
end
end
end
......@@ -90,6 +99,10 @@ module QA
filter_report_and_perform(dashboard, "SAST") do
expect(dashboard).to have_low_vulnerability_count_of 17
end
filter_report_and_perform(dashboard, "DAST") do
expect(dashboard).to have_low_vulnerability_count_of 6
end
end
end
......@@ -114,6 +127,10 @@ module QA
filter_report_and_perform(dashboard, "SAST") do
expect(dashboard).to have_content sast_scan_example_vuln
end
filter_report_and_perform(dashboard, "DAST") do
expect(dashboard).to have_content dast_scan_example_vuln
end
end
end
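Review bot: The dashboard assertion `have_low_vulnerability_count_of 6` in the fourth hunk is a bare literal, while every other DAST expectation in this file is driven by a `let` (`dast_scan_vuln_count`, `dast_scan_example_vuln` in the first hunk), so this is the number most likely to be missed when the fixture's DAST report is regenerated. Consider `let(:dast_scan_low_vuln_count) { 6 }` next to the other DAST lets and `expect(dashboard).to have_low_vulnerability_count_of dast_scan_low_vuln_count`. The new `total_vuln_count` of 52 in the first hunk also equals the sum of the four per-scanner counts (4 + 8 + 33 + 7), but nothing states that relationship; a comment `# sum of the per-scanner counts below` would let a reader check the fixture without recounting.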