Commit 12f11c83 authored by Aleksandr Soborov's avatar Aleksandr Soborov Committed by Walmyr Lima e Silva Filho

Added E2E tests for DAST reports

Additionally added a DAST report to the fixture

and revamped merge request test flow to wait for DAST.
parent d2750875
include: include:
template: Dependency-Scanning.gitlab-ci.yml template: Dependency-Scanning.gitlab-ci.yml
template: Container-Scanning.gitlab-ci.yml template: Container-Scanning.gitlab-ci.yml
template: SAST.gitlab-ci.yml
template: DAST.gitlab-ci.yml
dependency_scanning: dependency_scanning:
tags: tags:
...@@ -29,8 +31,20 @@ sast: ...@@ -29,8 +31,20 @@ sast:
tags: tags:
- qa - qa
- test - test
only: null # Template defaults to feature branches only
script: script:
- echo "Skipped" - echo "Skipped"
artifacts: artifacts:
reports: reports:
sast: gl-sast-report.json sast: gl-sast-report.json
dast:
tags:
- qa
- test
only: null # Template defaults to feature branches only
script:
- echo "Skipped"
artifacts:
reports:
dast: gl-dast-report.json
...@@ -5,7 +5,7 @@ require 'pathname' ...@@ -5,7 +5,7 @@ require 'pathname'
module QA module QA
context 'Secure', :docker do context 'Secure', :docker do
describe 'Security Reports in a Merge Request' do describe 'Security Reports in a Merge Request' do
let(:total_vuln_count) { 45 } let(:total_vuln_count) { 49 }
after do after do
Service::Runner.new(@executor).remove! Service::Runner.new(@executor).remove!
...@@ -39,8 +39,7 @@ module QA ...@@ -39,8 +39,7 @@ module QA
push.branch_name = 'secure-mr' push.branch_name = 'secure-mr'
end end
# Fabricate via browser UI to avoid independent navigation merge_request = Resource::MergeRequest.fabricate_via_api! do |mr|
Resource::MergeRequest.fabricate_via_browser_ui! do |mr|
mr.project = @project mr.project = @project
mr.source_branch = 'secure-mr' mr.source_branch = 'secure-mr'
mr.target_branch = 'master' mr.target_branch = 'master'
...@@ -48,6 +47,13 @@ module QA ...@@ -48,6 +47,13 @@ module QA
mr.target = 'master' mr.target = 'master'
mr.target_new_branch = false mr.target_new_branch = false
end end
@project.visit!
Page::Project::Menu.perform(&:click_ci_cd_pipelines)
Page::Project::Pipeline::Index.perform(&:click_on_latest_pipeline)
wait_for_job "dast"
merge_request.visit!
end end
it 'displays the Security report in the merge request' do it 'displays the Security report in the merge request' do
...@@ -66,6 +72,15 @@ module QA ...@@ -66,6 +72,15 @@ module QA
expect(mergerequest).to have_title vuln_name expect(mergerequest).to have_title vuln_name
end end
end end
def wait_for_job(job_name)
Page::Project::Pipeline::Show.perform do |pipeline|
pipeline.click_job(job_name)
end
Page::Project::Job::Show.perform do |job|
expect(job).to be_successful(timeout: 600)
end
end
end end
end end
end end
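Review bot: The revamped `before` hook waits only for the `dast` job (`wait_for_job "dast"`) before visiting the merge request, yet the sast, dependency_scanning and container_scanning jobs run in the same pipeline and nothing in the hunk shows they have completed, so the 49-finding assertion can race whichever report job finishes last; the pipeline spec makes the same switch from `wait_for_job "dependency_scanning"` to `wait_for_job "dast"` and has the same exposure. If the intent is that DAST is the slowest job because the other report jobs are `echo "Skipped"` stubs, a comment such as `# DAST is expected to be the last report job to finish; the other scan jobs are stubs` would record that assumption, otherwise the hook should wait for each report job in turn. The `wait_for_job` helper is defined as a bare `def` inside the `describe` block and appears to duplicate the helper the pipeline spec already calls; moving it into a shared support module would keep the two specs in step. The `total_vuln_count` of 49 here differs from the 52 the pipeline spec asserts (4 + 8 + 33 + 7), and if that difference is intentional a one-line comment on the `let` would explain it. The `before` hook and the enclosing `describe` start outside the hunk.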
...@@ -5,13 +5,15 @@ require 'pathname' ...@@ -5,13 +5,15 @@ require 'pathname'
module QA module QA
context 'Secure', :docker do context 'Secure', :docker do
let(:number_of_dependencies_in_fixture) { 1309 } let(:number_of_dependencies_in_fixture) { 1309 }
let(:total_vuln_count) { 12 } let(:total_vuln_count) { 52 }
let(:dependency_scan_vuln_count) { 4 } let(:dependency_scan_vuln_count) { 4 }
let(:dependency_scan_example_vuln) { 'jQuery before 3.4.0' } let(:dependency_scan_example_vuln) { 'jQuery before 3.4.0' }
let(:container_scan_vuln_count) { 8 } let(:container_scan_vuln_count) { 8 }
let(:container_scan_example_vuln) { 'CVE-2017-18269 in glibc' } let(:container_scan_example_vuln) { 'CVE-2017-18269 in glibc' }
let(:sast_scan_vuln_count) { 33 } let(:sast_scan_vuln_count) { 33 }
let(:sast_scan_example_vuln) { 'Cipher with no integrity' } let(:sast_scan_example_vuln) { 'Cipher with no integrity' }
let(:dast_scan_vuln_count) { 7 }
let(:dast_scan_example_vuln) { 'Cookie Without SameSite Attribute' }
describe 'Security Reports' do describe 'Security Reports' do
after do after do
...@@ -47,7 +49,7 @@ module QA ...@@ -47,7 +49,7 @@ module QA
Page::Project::Menu.perform(&:click_ci_cd_pipelines) Page::Project::Menu.perform(&:click_ci_cd_pipelines)
Page::Project::Pipeline::Index.perform(&:click_on_latest_pipeline) Page::Project::Pipeline::Index.perform(&:click_on_latest_pipeline)
wait_for_job "dependency_scanning" wait_for_job "dast"
end end
it 'displays security reports in the pipeline' do it 'displays security reports in the pipeline' do
...@@ -57,6 +59,8 @@ module QA ...@@ -57,6 +59,8 @@ module QA
Page::Project::Pipeline::Show.perform do |pipeline| Page::Project::Pipeline::Show.perform do |pipeline|
pipeline.click_on_security pipeline.click_on_security
expect(pipeline).to have_vulnerability_count_of total_vuln_count
filter_report_and_perform(pipeline, "Dependency Scanning") do filter_report_and_perform(pipeline, "Dependency Scanning") do
expect(pipeline).to have_vulnerability_count_of dependency_scan_vuln_count expect(pipeline).to have_vulnerability_count_of dependency_scan_vuln_count
expect(pipeline).to have_content dependency_scan_example_vuln expect(pipeline).to have_content dependency_scan_example_vuln
...@@ -71,6 +75,11 @@ module QA ...@@ -71,6 +75,11 @@ module QA
expect(pipeline).to have_vulnerability_count_of sast_scan_vuln_count expect(pipeline).to have_vulnerability_count_of sast_scan_vuln_count
expect(pipeline).to have_content sast_scan_example_vuln expect(pipeline).to have_content sast_scan_example_vuln
end end
filter_report_and_perform(pipeline, "DAST") do
expect(pipeline).to have_vulnerability_count_of dast_scan_vuln_count
expect(pipeline).to have_content dast_scan_example_vuln
end
end end
end end
...@@ -90,6 +99,10 @@ module QA ...@@ -90,6 +99,10 @@ module QA
filter_report_and_perform(dashboard, "SAST") do filter_report_and_perform(dashboard, "SAST") do
expect(dashboard).to have_low_vulnerability_count_of 17 expect(dashboard).to have_low_vulnerability_count_of 17
end end
filter_report_and_perform(dashboard, "DAST") do
expect(dashboard).to have_low_vulnerability_count_of 6
end
end end
end end
...@@ -114,6 +127,10 @@ module QA ...@@ -114,6 +127,10 @@ module QA
filter_report_and_perform(dashboard, "SAST") do filter_report_and_perform(dashboard, "SAST") do
expect(dashboard).to have_content sast_scan_example_vuln expect(dashboard).to have_content sast_scan_example_vuln
end end
filter_report_and_perform(dashboard, "DAST") do
expect(dashboard).to have_content dast_scan_example_vuln
end
end end
end end
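Review bot: The dashboard assertion `have_low_vulnerability_count_of 6` for DAST in the last two hunks leaves the severity split of the fixture's findings implicit: `dast_scan_vuln_count` is 7, so one finding presumably carries a different severity, and that relationship is not checked or explained anywhere. A comment at the call site, `# 6 of the 7 DAST findings in gl-dast-report.json are low severity`, would tie the literal to the fixture, or the value could live beside the other DAST `let`s as `let(:dast_scan_low_vuln_count) { 6 }` and be used by name. The same applies to the existing SAST literal 17, which this commit does not touch. The `it` blocks enclosing these hunks start outside the hunk.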