Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
1
Merge Requests
1
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
gitlab-ce
Commits
18f78a35
Commit
18f78a35
authored
Apr 15, 2021
by
Jannik Lehmann
Committed by
Kerri Miller
Apr 15, 2021
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Remove standalone_vuln_dependency_list Feature Flag [RUN ALL RSPEC] [RUN AS-IF-FOSS]
parent
719ab85d
Changes
14
Hide whitespace changes
Inline
Side-by-side
Showing
14 changed files
with
34 additions
and
144 deletions
+34
-144
doc/user/application_security/dependency_list/img/dependency_list_v12_10.png
...n_security/dependency_list/img/dependency_list_v12_10.png
+0
-0
doc/user/application_security/dependency_list/img/dependency_list_v13_11.png
...n_security/dependency_list/img/dependency_list_v13_11.png
+0
-0
doc/user/application_security/dependency_list/index.md
doc/user/application_security/dependency_list/index.md
+3
-2
ee/app/assets/javascripts/dependencies/components/dependency_vulnerability.vue
...ipts/dependencies/components/dependency_vulnerability.vue
+1
-6
ee/app/controllers/projects/dependencies_controller.rb
ee/app/controllers/projects/dependencies_controller.rb
+0
-4
ee/changelogs/unreleased/jnnkl-remove-standalone-vuln-dependency-list-feature-flag.yml
...l-remove-standalone-vuln-dependency-list-feature-flag.yml
+5
-0
ee/config/feature_flags/development/standalone_vuln_dependency_list.yml
...ure_flags/development/standalone_vuln_dependency_list.yml
+0
-8
ee/lib/gitlab/ci/parsers/security/dependency_list.rb
ee/lib/gitlab/ci/parsers/security/dependency_list.rb
+7
-15
ee/lib/gitlab/ci/parsers/security/formatters/dependency_list.rb
.../gitlab/ci/parsers/security/formatters/dependency_list.rb
+3
-5
ee/spec/frontend/dependencies/components/__snapshots__/dependency_vulnerability_spec.js.snap
...nents/__snapshots__/dependency_vulnerability_spec.js.snap
+3
-3
ee/spec/frontend/dependencies/components/dependency_vulnerability_spec.js
.../dependencies/components/dependency_vulnerability_spec.js
+1
-27
ee/spec/lib/gitlab/ci/parsers/security/dependency_list_spec.rb
...ec/lib/gitlab/ci/parsers/security/dependency_list_spec.rb
+0
-39
ee/spec/lib/gitlab/ci/parsers/security/formatters/dependency_list_spec.rb
...ab/ci/parsers/security/formatters/dependency_list_spec.rb
+10
-28
ee/spec/models/ci/build_spec.rb
ee/spec/models/ci/build_spec.rb
+1
-7
No files found.
doc/user/application_security/dependency_list/img/dependency_list_v12_10.png
deleted
100644 → 0
View file @
719ab85d
75 KB
doc/user/application_security/dependency_list/img/dependency_list_v13_11.png
0 → 100644
View file @
18f78a35
83.6 KB
doc/user/application_security/dependency_list/index.md
View file @
18f78a35
...
@@ -26,7 +26,7 @@ To view your project's dependencies, ensure you meet the following requirements:
...
@@ -26,7 +26,7 @@ To view your project's dependencies, ensure you meet the following requirements:
## View a project's dependencies
## View a project's dependencies
![
Dependency list
](
img/dependency_list_v1
2_10
.png
)
![
Dependency list
](
img/dependency_list_v1
3_11
.png
)
GitLab displays dependencies with the following information:
GitLab displays dependencies with the following information:
...
@@ -44,7 +44,8 @@ can also be sorted by name or by the packager that installed them.
...
@@ -44,7 +44,8 @@ can also be sorted by name or by the packager that installed them.
If a dependency has known vulnerabilities, view them by clicking the arrow next to the
If a dependency has known vulnerabilities, view them by clicking the arrow next to the
dependency's name or the badge that indicates how many known vulnerabilities exist. For each
dependency's name or the badge that indicates how many known vulnerabilities exist. For each
vulnerability, its severity and description appears below it.
vulnerability, its severity and description appears below it. To view more details of a vulnerability,
select the vulnerability’s description. The
[
vulnerability's details
](
../vulnerabilities
)
page is opened.
### Dependency paths
### Dependency paths
...
...
ee/app/assets/javascripts/dependencies/components/dependency_vulnerability.vue
View file @
18f78a35
...
@@ -24,11 +24,6 @@ export default {
...
@@ -24,11 +24,6 @@ export default {
<div
class=
"w-8em flex-shrink-0 text-right mr-3"
>
<div
class=
"w-8em flex-shrink-0 text-right mr-3"
>
<severity-badge
:severity=
"vulnerability.severity"
/>
<severity-badge
:severity=
"vulnerability.severity"
/>
</div>
</div>
<gl-link
<gl-link
:href=
"vulnerability.url"
>
{{
vulnerability
.
name
}}
</gl-link>
v-if=
"glFeatures.standaloneVulnDependencyList && vulnerability.url"
:href=
"vulnerability.url"
>
{{
vulnerability
.
name
}}
</gl-link
>
<span
v-else
data-testid=
"vulnerability-name-text"
>
{{
vulnerability
.
name
}}
</span>
</div>
</div>
</
template
>
</
template
>
ee/app/controllers/projects/dependencies_controller.rb
View file @
18f78a35
...
@@ -6,10 +6,6 @@ module Projects
...
@@ -6,10 +6,6 @@ module Projects
before_action
:authorize_read_dependency_list!
before_action
:authorize_read_dependency_list!
before_action
do
push_frontend_feature_flag
(
:standalone_vuln_dependency_list
,
project
)
end
feature_category
:dependency_scanning
feature_category
:dependency_scanning
def
index
def
index
...
...
ee/changelogs/unreleased/jnnkl-remove-standalone-vuln-dependency-list-feature-flag.yml
0 → 100644
View file @
18f78a35
---
title
:
Remove standalone_vuln_dependency_list Feature Flag
merge_request
:
59124
author
:
type
:
changed
ee/config/feature_flags/development/standalone_vuln_dependency_list.yml
deleted
100644 → 0
View file @
719ab85d
---
name
:
standalone_vuln_dependency_list
introduced_by_url
:
https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/55641
rollout_issue_url
:
https://gitlab.com/gitlab-org/gitlab/-/issues/324031
milestone
:
'
13.10'
type
:
development
group
:
group::composition analysis
default_enabled
:
false
ee/lib/gitlab/ci/parsers/security/dependency_list.rb
View file @
18f78a35
...
@@ -26,24 +26,16 @@ module Gitlab
...
@@ -26,24 +26,16 @@ module Gitlab
end
end
def
parse_vulnerabilities
(
report_data
,
report
)
def
parse_vulnerabilities
(
report_data
,
report
)
if
Feature
.
enabled?
(
:standalone_vuln_dependency_list
,
project
)
vuln_findings
=
pipeline
.
vulnerability_findings
.
dependency_scanning
vuln_findings
=
pipeline
.
vulnerability_findings
.
dependency_scanning
vuln_findings
.
each
do
|
finding
|
vuln_findings
.
each
do
|
finding
|
dependency
=
finding
.
location
.
dig
(
"dependency"
)
dependency
=
finding
.
location
.
dig
(
"dependency"
)
next
unless
dependency
next
unless
dependency
file
=
finding
.
file
file
=
finding
.
file
vulnerability
=
finding
.
metadata
.
merge
(
vulnerability_id:
finding
.
vulnerability_id
)
vulnerability
=
finding
.
metadata
.
merge
(
vulnerability_id:
finding
.
vulnerability_id
)
report
.
add_dependency
(
formatter
.
format
(
dependency
,
''
,
file
,
vulnerability
))
report
.
add_dependency
(
formatter
.
format
(
dependency
,
''
,
file
,
vulnerability
))
end
else
report_data
.
fetch
(
'vulnerabilities'
,
[]).
each
do
|
vulnerability
|
dependency
=
vulnerability
.
dig
(
"location"
,
"dependency"
)
file
=
vulnerability
.
dig
(
"location"
,
"file"
)
report
.
add_dependency
(
formatter
.
format
(
dependency
,
''
,
file
,
vulnerability
))
end
end
end
end
end
...
...
ee/lib/gitlab/ci/parsers/security/formatters/dependency_list.rb
View file @
18f78a35
...
@@ -81,11 +81,9 @@ module Gitlab
...
@@ -81,11 +81,9 @@ module Gitlab
vuln_params
=
{
name:
vulnerabilities
[
'message'
],
severity:
vulnerabilities
[
'severity'
].
downcase
}
vuln_params
=
{
name:
vulnerabilities
[
'message'
],
severity:
vulnerabilities
[
'severity'
].
downcase
}
if
Feature
.
enabled?
(
:standalone_vuln_dependency_list
,
project
)
id
=
vulnerabilities
[
:vulnerability_id
]
id
=
vulnerabilities
[
:vulnerability_id
]
standalone_vuln_params
=
{
id:
id
,
url:
vulnerability_url
(
id
)
}
standalone_vuln_params
=
{
id:
id
,
url:
vulnerability_url
(
id
)
}
vuln_params
.
merge!
(
standalone_vuln_params
)
vuln_params
.
merge!
(
standalone_vuln_params
)
end
[
vuln_params
]
[
vuln_params
]
end
end
...
...
ee/spec/frontend/dependencies/components/__snapshots__/dependency_vulnerability_spec.js.snap
View file @
18f78a35
...
@@ -12,10 +12,10 @@ exports[`DependencyVulnerability component given an vulnerability matches the sn
...
@@ -12,10 +12,10 @@ exports[`DependencyVulnerability component given an vulnerability matches the sn
/>
/>
</div>
</div>
<
span
<
gl-link-stub
data-testid="vulnerability-name-text
"
href="/testgroup/testproject/-/security/vulnerabilities/1
"
>
>
Insecure variable usage
Insecure variable usage
</
span
>
</
gl-link-stub
>
</div>
</div>
`;
`;
ee/spec/frontend/dependencies/components/dependency_vulnerability_spec.js
View file @
18f78a35
...
@@ -47,34 +47,8 @@ describe('DependencyVulnerability component', () => {
...
@@ -47,34 +47,8 @@ describe('DependencyVulnerability component', () => {
expect
(
badge
.
props
().
severity
).
toEqual
(
vulnerability
.
severity
);
expect
(
badge
.
props
().
severity
).
toEqual
(
vulnerability
.
severity
);
});
});
it
(
'
renders the vulnerability name as text when standaloneVulnerabilityDependencyList Flag is off
'
,
()
=>
{
it
(
'
renders the vulnerability name as a Link
'
,
()
=>
{
const
text
=
wrapper
.
findByTestId
(
'
vulnerability-name-text
'
);
expect
(
text
.
isVisible
()).
toBe
(
true
);
expect
(
text
.
text
()).
toBe
(
'
Insecure variable usage
'
);
});
it
(
"
doesn't render link when standaloneVulnerabilityDependencyList Flag is off
"
,
()
=>
{
const
link
=
findLink
();
expect
(
link
.
exists
()).
toBe
(
false
);
});
});
describe
(
'
Feature Flag on
'
,
()
=>
{
const
vulnerability
=
mockDataVulnerabilities
[
0
];
beforeEach
(()
=>
{
factory
(
{
propsData
:
{
vulnerability
,
},
},
true
,
);
});
it
(
'
renders the vulnerability name as Link when standaloneVulnerabilityDependencyList Flag is on
'
,
()
=>
{
const
link
=
findLink
();
const
link
=
findLink
();
expect
(
link
.
exists
()).
toBe
(
true
);
expect
(
link
.
exists
()).
toBe
(
true
);
expect
(
link
.
element
.
getAttribute
(
'
href
'
)).
toBe
(
expect
(
link
.
element
.
getAttribute
(
'
href
'
)).
toBe
(
'
/testgroup/testproject/-/security/vulnerabilities/1
'
,
'
/testgroup/testproject/-/security/vulnerabilities/1
'
,
...
...
ee/spec/lib/gitlab/ci/parsers/security/dependency_list_spec.rb
View file @
18f78a35
...
@@ -49,45 +49,6 @@ RSpec.describe Gitlab::Ci::Parsers::Security::DependencyList do
...
@@ -49,45 +49,6 @@ RSpec.describe Gitlab::Ci::Parsers::Security::DependencyList do
end
end
end
end
context
"with vulnerabilities from report"
do
let
(
:artifact
)
{
pipeline
.
job_artifacts
.
last
}
before
do
stub_feature_flags
(
standalone_vuln_dependency_list:
false
)
artifact
.
each_blob
do
|
blob
|
parser
.
parse!
(
blob
,
report
)
end
end
it
'merge vulnerabilities data'
do
vuln_nokogiri
=
report
.
dependencies
[
1
][
:vulnerabilities
]
vuln_debug
=
report
.
dependencies
[
4
][
:vulnerabilities
]
vuln_async
=
report
.
dependencies
[
3
][
:vulnerabilities
]
expect
(
vuln_nokogiri
.
size
).
to
eq
(
4
)
expect
(
vuln_nokogiri
[
0
][
:name
]).
to
eq
(
'Vulnerabilities in libxml2 in nokogiri'
)
expect
(
vuln_nokogiri
[
0
][
:severity
]).
to
eq
(
'high'
)
expect
(
vuln_debug
.
size
).
to
eq
(
1
)
expect
(
vuln_debug
[
0
][
:name
]).
to
eq
(
'Regular Expression Denial of Service in debug'
)
expect
(
vuln_async
.
size
).
to
eq
(
0
)
end
context
'with dependency scanning artifact without dependency_list'
do
let
(
:artifact
)
{
create
(
:ee_ci_job_artifact
,
:dependency_scanning
)
}
before
do
artifact
.
each_blob
do
|
blob
|
parser
.
parse!
(
blob
,
report
)
end
end
it
'list of dependencies with vulnerabilities'
do
expect
(
report
.
dependencies
.
size
).
to
eq
(
4
)
end
end
end
context
'with vulnerabilities in the database'
do
context
'with vulnerabilities in the database'
do
let_it_be
(
:vulnerability
)
{
create
(
:vulnerability
,
report_type: :dependency_scanning
)
}
let_it_be
(
:vulnerability
)
{
create
(
:vulnerability
,
report_type: :dependency_scanning
)
}
let_it_be
(
:finding
)
{
create
(
:vulnerabilities_finding
,
:with_dependency_scanning_metadata
,
vulnerability:
vulnerability
)
}
let_it_be
(
:finding
)
{
create
(
:vulnerabilities_finding
,
:with_dependency_scanning_metadata
,
vulnerability:
vulnerability
)
}
...
...
ee/spec/lib/gitlab/ci/parsers/security/formatters/dependency_list_spec.rb
View file @
18f78a35
...
@@ -70,38 +70,20 @@ RSpec.describe Gitlab::Ci::Parsers::Security::Formatters::DependencyList do
...
@@ -70,38 +70,20 @@ RSpec.describe Gitlab::Ci::Parsers::Security::Formatters::DependencyList do
context
'with vulnerable dependency'
do
context
'with vulnerable dependency'
do
let
(
:dependency
)
{
parsed_report
[
'dependency_files'
][
0
][
'dependencies'
][
1
]
}
let
(
:dependency
)
{
parsed_report
[
'dependency_files'
][
0
][
'dependencies'
][
1
]
}
let
(
:data
)
{
formatter
.
format
(
dependency
,
package_manager
,
file_path
,
vulnerability_data
)
}
let
(
:data
)
{
formatter
.
format
(
dependency
,
package_manager
,
file_path
,
vulnerability_data
)
}
let_it_be
(
:standalone_vulnerability
)
{
create
(
:vulnerability
,
report_type: :dependency_scanning
)
}
context
'with feature `standalone vulnerabilities` enabled'
do
let
(
:vulnerability_data
)
do
let_it_be
(
:standalone_vulnerability
)
{
create
(
:vulnerability
,
report_type: :dependency_scanning
)
}
create
(
:vulnerabilities_finding
,
:with_dependency_scanning_metadata
,
vulnerability:
standalone_vulnerability
)
let
(
:vulnerability_data
)
do
create
(
:vulnerabilities_finding
,
:with_dependency_scanning_metadata
,
vulnerability:
standalone_vulnerability
)
end
it
'merge vulnerabilities data'
do
vulnerability
=
data
[
:vulnerabilities
].
first
path
=
"/security/vulnerabilities/
#{
standalone_vulnerability
.
id
}
"
expect
(
vulnerability
[
:id
]).
to
eq
(
standalone_vulnerability
.
id
)
expect
(
vulnerability
[
:url
]).
to
end_with
(
path
)
expect
(
vulnerability
[
:name
]).
to
eq
(
'Vulnerabilities in libxml2 in nokogiri'
)
expect
(
vulnerability
[
:severity
]).
to
eq
(
'high'
)
end
end
end
context
'with disabled feature'
do
it
'merge vulnerabilities data'
do
let
(
:vulnerability_data
)
{
parsed_report
[
'vulnerabilities'
].
first
}
vulnerability
=
data
[
:vulnerabilities
].
first
path
=
"/security/vulnerabilities/
#{
standalone_vulnerability
.
id
}
"
before
do
expect
(
vulnerability
[
:id
]).
to
eq
(
standalone_vulnerability
.
id
)
stub_feature_flags
(
standalone_vuln_dependency_list:
false
)
expect
(
vulnerability
[
:url
]).
to
end_with
(
path
)
end
expect
(
vulnerability
[
:name
]).
to
eq
(
'Vulnerabilities in libxml2 in nokogiri'
)
expect
(
vulnerability
[
:severity
]).
to
eq
(
'high'
)
it
'merge vulnerabilities data'
do
vulnerability
=
data
[
:vulnerabilities
].
first
expect
(
vulnerability
[
:name
]).
to
eq
(
'Vulnerabilities in libxml2 in nokogiri'
)
expect
(
vulnerability
[
:severity
]).
to
eq
(
'high'
)
end
end
end
end
end
end
end
...
...
ee/spec/models/ci/build_spec.rb
View file @
18f78a35
...
@@ -374,20 +374,14 @@ RSpec.describe Ci::Build do
...
@@ -374,20 +374,14 @@ RSpec.describe Ci::Build do
before
do
before
do
stub_licensed_features
(
dependency_scanning:
true
)
stub_licensed_features
(
dependency_scanning:
true
)
stub_feature_flags
(
standalone_vuln_dependency_list:
false
)
end
end
subject
{
job
.
collect_dependency_list_reports!
(
dependency_list_report
)
}
subject
{
job
.
collect_dependency_list_reports!
(
dependency_list_report
)
}
it
'parses blobs and add the results to the report'
do
it
'parses blobs and add the results to the report'
do
subject
subject
blob_path
=
"/
#{
project
.
full_path
}
/-/blob/
#{
job
.
sha
}
/sast-sample-rails/Gemfile.lock"
netty
=
dependency_list_report
.
dependencies
.
first
ffi
=
dependency_list_report
.
dependencies
.
last
expect
(
dependency_list_report
.
dependencies
.
count
).
to
eq
(
4
)
expect
(
dependency_list_report
.
dependencies
.
count
).
to
eq
(
0
)
expect
(
netty
[
:name
]).
to
eq
(
'io.netty/netty'
)
expect
(
ffi
[
:location
][
:blob_path
]).
to
eq
(
blob_path
)
end
end
end
end
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment