Adds support to show full issue report for sast

ee/app/assets/javascripts/vue_merge_request_widget/components/mr_widget_report_collapsible_section.vue

 <script>
-  /* eslint-disable vue/require-default-prop */
   import statusIcon from '~/vue_merge_request_widget/components/mr_widget_status_icon.vue';
   import loadingIcon from '~/vue_shared/components/loading_icon.vue';
   import issuesBlock from './mr_widget_report_issues.vue';
@@ -55,8 +54,9 @@
         default: () => [],
       },
       infoText: {
-        type: String,
+        type: [String, Boolean],
         required: false,
+        default: false,
       },
       hasPriority: {
         type: Boolean,
@@ -103,9 +103,9 @@
         const text = this.isCollapsed ? 'Expand' : 'Collapse';
         this.collapseText = text;
       },
-      toggleFullReport() {
-        this.isFullReportVisible = !this.isFullReportVisible;
-      }
+      openFullReport() {
+        this.isFullReportVisible = true;
+      },
     },
   };
 </script>
@@ -166,6 +166,15 @@
         :has-priority="hasPriority"
       />
 
+      <issues-block
+        class="js-mr-code-all-issues"
+        v-if="isFullReportVisible"
+        :type="type"
+        status="failed"
+        :issues="allIssues"
+        :has-priority="hasPriority"
+      />
+
       <issues-block
         class="js-mr-code-non-issues"
         v-if="neutralIssues.length"
@@ -184,25 +193,14 @@
         :has-priority="hasPriority"
       />
 
-      <template v-if="allIssues.length">
-        <button
-          type="button"
-          class="btn-link"
-          @click="toggleFullReport"
-        >
-          Show complete code vulnerabilities report
-        </button>
-
-        <issues-block
-          class="js-mr-code-resolved-issues"
-          v-if="isFullReportVisible"
-          :type="type"
-          status="failed"
-          :issues="allIssues"
-          :has-priority="hasPriority"
-        />
-
-      </template>
+      <button
+        v-if="allIssues.length && !isFullReportVisible"
+        type="button"
+        class="btn-link btn-blank mr-widget-code-quality-list js-expand-full-list"
+        @click="openFullRerpot"
+      >
+        {{ s__("ciReport|Show complete code vulnerabilities report") }}
+      </button>
     </div>
     <div
       v-else-if="loadingFailed"

ee/app/assets/javascripts/vue_merge_request_widget/mr_widget_options.js

@@ -428,6 +428,7 @@ export default {
         :success-text="securityText"
         :unresolved-issues="mr.securityReport.newIssues"
         :resolved-issues="mr.securityReport.resolvedIssues"
+        :all-issues="mr.securityReport.allIssues"
         :has-priority="true"
         />
       <collapsible-section

ee/app/assets/javascripts/vue_merge_request_widget/stores/mr_widget_store.js

@@ -88,23 +88,47 @@ export default class MergeRequestStore extends CEMergeRequestStore {
     this.dast = data.dast;
     this.dastReport = [];
   }
+  /**
+   * Security report has 3 types of issues, newIssues, resolvedIssues and allIssues.
+   *
+   * When we have both base and head:
+   * - newIssues = head - base
+   * - resolvedIssues = base - head
+   * - allIssues = head - newIssues - resolvedIssues
+   *
+   * When we only have head
+   * - newIssues = head
+   * - resolvedIssues = 0
+   * - allIssues = 0
+   * @param {*} data
+   */
 
   setSecurityReport(data) {
     if (data.base) {
+      const filterKey = 'cve';
       const parsedHead = MergeRequestStore.parseIssues(data.head, data.headBlobPath);
       const parsedBase = MergeRequestStore.parseIssues(data.base, data.baseBlobPath);
 
-      this.securityReport.allIssues = MergeRequestStore.parseIssues(data.head, data.headBlobPath);
-
       this.securityReport.newIssues = MergeRequestStore.filterByKey(
         parsedHead,
         parsedBase,
-        'cve',
+        filterKey,
       );
       this.securityReport.resolvedIssues = MergeRequestStore.filterByKey(
         parsedBase,
         parsedHead,
-        'cve',
+        filterKey,
+      );
+
+      // Remove the new Issues and the added issues
+      this.securityReport.allIssues = MergeRequestStore.filterByKey(
+        MergeRequestStore.filterByKey(
+          parsedHead,
+          this.securityReport.newIssues,
+          filterKey,
+        ),
+        this.securityReport.resolvedIssues,
+        filterKey,
       );
     } else {
       this.securityReport.newIssues = MergeRequestStore.parseIssues(data.head, data.headBlobPath);

spec/javascripts/vue_mr_widget/components/mr_widget_report_collapsible_section_spec.js

@@ -98,4 +98,78 @@ describe('Merge Request collapsible section', () => {
       expect(vm.$el.textContent.trim()).toEqual('Failed to load codeclimate report');
     });
   });
+
+  describe('With full report', () => {
+    beforeEach(() => {
+      vm = mountComponent(MRWidgetCodeQuality, {
+        status: 'success',
+        successText: 'SAST improved on 1 security vulnerability and degraded on 1 security vulnerability',
+        type: 'security',
+        errorText: 'Failed to load security report',
+        hasPriority: true,
+        loadingText: 'Loading security report',
+        resolvedIssues: [{
+          cve: 'CVE-2016-9999',
+          file: 'Gemfile.lock',
+          message: 'Test Information Leak Vulnerability in Action View',
+          name: 'Test Information Leak Vulnerability in Action View',
+          path: 'Gemfile.lock',
+          solution: 'upgrade to >= 5.0.0.beta1.1, >= 4.2.5.1, ~> 4.2.5, >= 4.1.14.1, ~> 4.1.14, ~> 3.2.22.1',
+          tool: 'bundler_audit',
+          url: 'https://groups.google.com/forum/#!topic/rubyonrails-security/335P1DcLG00',
+          urlPath: '/Gemfile.lock',
+        }],
+        unresolvedIssues: [{
+          cve: 'CVE-2014-7829',
+          file: 'Gemfile.lock',
+          message: 'Arbitrary file existence disclosure in Action Pack',
+          name: 'Arbitrary file existence disclosure in Action Pack',
+          path: 'Gemfile.lock',
+          solution: 'upgrade to ~> 3.2.21, ~> 4.0.11.1, ~> 4.0.12, ~> 4.1.7.1, >= 4.1.8',
+          tool: 'bundler_audit',
+          url: 'https://groups.google.com/forum/#!topic/rubyonrails-security/rMTQy4oRCGk',
+          urlPath: '/Gemfile.lock',
+        }],
+        allIssues: [{
+          cve: 'CVE-2016-0752',
+          file: 'Gemfile.lock',
+          message: 'Possible Information Leak Vulnerability in Action View',
+          name: 'Possible Information Leak Vulnerability in Action View',
+          path: 'Gemfile.lock',
+          solution: 'upgrade to >= 5.0.0.beta1.1, >= 4.2.5.1, ~> 4.2.5, >= 4.1.14.1, ~> 4.1.14, ~> 3.2.22.1',
+          tool: 'bundler_audit',
+          url: 'https://groups.google.com/forum/#!topic/rubyonrails-security/335P1DcLG00',
+          urlPath: '/Gemfile.lock',
+        }],
+      });
+    });
+
+    it('should render full report section', (done) => {
+      vm.$el.querySelector('button').click();
+
+      Vue.nextTick(() => {
+        expect(
+          vm.$el.querySelector('.js-expand-full-list').textContent.trim(),
+        ).toEqual('Show complete code vulnerabilities report');
+
+        done();
+      });
+    });
+
+    it('should expand full list when clicked and hide the show all button', (done) => {
+      vm.$el.querySelector('button').click();
+
+      Vue.nextTick(() => {
+        vm.$el.querySelector('.js-expand-full-list').click();
+
+        Vue.nextTick(() => {
+          expect(
+            vm.$el.querySelector('.js-mr-code-all-issues').textContent.trim(),
+          ).toContain('Possible Information Leak Vulnerability in Action View');
+
+          done();
+        });
+      });
+    });
+  });
 });

spec/javascripts/vue_mr_widget/mock_data.js

@@ -381,85 +381,122 @@ export const securityParsedIssues = [
   },
 ];
 
-export const securityIssues = [
-  {
-    tool: 'bundler_audit',
-    message: 'Arbitrary file existence disclosure in Action Pack',
-    url: 'https://groups.google.com/forum/#!topic/rubyonrails-security/rMTQy4oRCGk',
-    cve: 'CVE-2014-7829',
-    file: 'Gemfile.lock',
-    solution: 'upgrade to ~> 3.2.21, ~> 4.0.11.1, ~> 4.0.12, ~> 4.1.7.1, >= 4.1.8',
-    priority:'High',
-    line: 12,
-  },
-  {
-    tool: 'bundler_audit',
-    message: 'Possible Information Leak Vulnerability in Action View',
-    url: 'https://groups.google.com/forum/#!topic/rubyonrails-security/335P1DcLG00',
-    cve: 'CVE-2016-0752',
-    file: 'Gemfile.lock',
-    solution: 'upgrade to >= 5.0.0.beta1.1, >= 4.2.5.1, ~> 4.2.5, >= 4.1.14.1, ~> 4.1.14, ~> 3.2.22.1',
-    priority: 'Medium',
-  },
-];
+export const securityIssues = [{
+  tool: 'bundler_audit',
+  message: 'Arbitrary file existence disclosure in Action Pack',
+  url: 'https://groups.google.com/forum/#!topic/rubyonrails-security/rMTQy4oRCGk',
+  cve: 'CVE-2014-7829',
+  file: 'Gemfile.lock',
+  solution: 'upgrade to ~> 3.2.21, ~> 4.0.11.1, ~> 4.0.12, ~> 4.1.7.1, >= 4.1.8'
+  }, {
+  tool: 'bundler_audit',
+  message: 'Possible Information Leak Vulnerability in Action View',
+  url: 'https://groups.google.com/forum/#!topic/rubyonrails-security/335P1DcLG00',
+  cve: 'CVE-2016-0752',
+  file: 'Gemfile.lock',
+  solution: 'upgrade to >= 5.0.0.beta1.1, >= 4.2.5.1, ~> 4.2.5, >= 4.1.14.1, ~> 4.1.14, ~> 3.2.22.1'
+  }, {
+  tool: 'bundler_audit',
+  message: 'Possible Object Leak and Denial of Service attack in Action Pack',
+  url: 'https://groups.google.com/forum/#!topic/rubyonrails-security/9oLY_FCzvoc',
+  cve: 'CVE-2016-0751',
+  file: 'Gemfile.lock',
+  solution: 'upgrade to >= 5.0.0.beta1.1, >= 4.2.5.1, ~> 4.2.5, >= 4.1.14.1, ~> 4.1.14, ~> 3.2.22.1'
+}];
 
-export const securityIssuesBase = [
-  {
-    tool: 'bundler_audit',
-    message: 'Arbitrary file existence disclosure in Action Pack',
-    url: 'https://groups.google.com/forum/#!topic/rubyonrails-security/rMTQy4oRCGk',
-    cve: 'CVE-2014-7855',
-    file: 'Gemfile.lock',
-    solution: 'upgrade to ~> 3.2.21, ~> 4.0.11.1, ~> 4.0.12, ~> 4.1.7.1, >= 4.1.8',
-    priority:'High',
-    line: 12,
-  },
-];
+export const securityIssuesBase = [{
+  tool: 'bundler_audit',
+  message: 'Test Information Leak Vulnerability in Action View',
+  url: 'https://groups.google.com/forum/#!topic/rubyonrails-security/335P1DcLG00',
+  cve: 'CVE-2016-9999',
+  file: 'Gemfile.lock',
+  solution: 'upgrade to >= 5.0.0.beta1.1, >= 4.2.5.1, ~> 4.2.5, >= 4.1.14.1, ~> 4.1.14, ~> 3.2.22.1'
+  }, {
+  tool: 'bundler_audit',
+  message: 'Possible Information Leak Vulnerability in Action View',
+  url: 'https://groups.google.com/forum/#!topic/rubyonrails-security/335P1DcLG00',
+  cve: 'CVE-2016-0752',
+  file: 'Gemfile.lock',
+  solution: 'upgrade to >= 5.0.0.beta1.1, >= 4.2.5.1, ~> 4.2.5, >= 4.1.14.1, ~> 4.1.14, ~> 3.2.22.1'
+}];
 
-export const parsedSecurityIssuesStore = [
-  {
-    tool: 'bundler_audit',
-    message: 'Arbitrary file existence disclosure in Action Pack',
-    url: 'https://groups.google.com/forum/#!topic/rubyonrails-security/rMTQy4oRCGk',
-    cve: 'CVE-2014-7829',
-    file: 'Gemfile.lock',
-    solution: 'upgrade to ~> 3.2.21, ~> 4.0.11.1, ~> 4.0.12, ~> 4.1.7.1, >= 4.1.8',
-    priority:'High',
-    line: 12,
-    name: 'Arbitrary file existence disclosure in Action Pack',
-    path: 'Gemfile.lock',
-    urlPath: 'path/Gemfile.lock#L12'
-  },
-  {
-    tool: 'bundler_audit',
-    message: 'Possible Information Leak Vulnerability in Action View',
-    url: 'https://groups.google.com/forum/#!topic/rubyonrails-security/335P1DcLG00',
-    cve: 'CVE-2016-0752',
-    file: 'Gemfile.lock',
-    solution: 'upgrade to >= 5.0.0.beta1.1, >= 4.2.5.1, ~> 4.2.5, >= 4.1.14.1, ~> 4.1.14, ~> 3.2.22.1',
-    priority: 'Medium',
-    name: 'Possible Information Leak Vulnerability in Action View',
-    path: 'Gemfile.lock',
-    urlPath: 'path/Gemfile.lock',
-  },
-];
+export const parsedSecurityIssuesStore = [{
+  tool: 'bundler_audit',
+  message: 'Arbitrary file existence disclosure in Action Pack',
+  url: 'https://groups.google.com/forum/#!topic/rubyonrails-security/rMTQy4oRCGk',
+  cve: 'CVE-2014-7829',
+  file: 'Gemfile.lock',
+  solution: 'upgrade to ~> 3.2.21, ~> 4.0.11.1, ~> 4.0.12, ~> 4.1.7.1, >= 4.1.8',
+  name: 'Arbitrary file existence disclosure in Action Pack',
+  path: 'Gemfile.lock',
+  urlPath: 'path/Gemfile.lock'
+  }, {
+  tool: 'bundler_audit',
+  message: 'Possible Information Leak Vulnerability in Action View',
+  url: 'https://groups.google.com/forum/#!topic/rubyonrails-security/335P1DcLG00',
+  cve: 'CVE-2016-0752',
+  file: 'Gemfile.lock',
+  solution: 'upgrade to >= 5.0.0.beta1.1, >= 4.2.5.1, ~> 4.2.5, >= 4.1.14.1, ~> 4.1.14, ~> 3.2.22.1',
+  name: 'Possible Information Leak Vulnerability in Action View',
+  path: 'Gemfile.lock',
+  urlPath: 'path/Gemfile.lock'
+  }, {
+  tool: 'bundler_audit',
+  message: 'Possible Object Leak and Denial of Service attack in Action Pack',
+  url: 'https://groups.google.com/forum/#!topic/rubyonrails-security/9oLY_FCzvoc',
+  cve: 'CVE-2016-0751',
+  file: 'Gemfile.lock',
+  solution: 'upgrade to >= 5.0.0.beta1.1, >= 4.2.5.1, ~> 4.2.5, >= 4.1.14.1, ~> 4.1.14, ~> 3.2.22.1',
+  name: 'Possible Object Leak and Denial of Service attack in Action Pack',
+  path: 'Gemfile.lock',
+  urlPath: 'path/Gemfile.lock'
+}];
 
+export const parsedSecurityIssuesHead = [{
+  tool: 'bundler_audit',
+  message: 'Arbitrary file existence disclosure in Action Pack',
+  url: 'https://groups.google.com/forum/#!topic/rubyonrails-security/rMTQy4oRCGk',
+  cve: 'CVE-2014-7829',
+  file: 'Gemfile.lock',
+  solution: 'upgrade to ~> 3.2.21, ~> 4.0.11.1, ~> 4.0.12, ~> 4.1.7.1, >= 4.1.8',
+  name: 'Arbitrary file existence disclosure in Action Pack',
+  path: 'Gemfile.lock',
+  urlPath: 'path/Gemfile.lock'
+  }, {
+  tool: 'bundler_audit',
+  message: 'Possible Object Leak and Denial of Service attack in Action Pack',
+  url: 'https://groups.google.com/forum/#!topic/rubyonrails-security/9oLY_FCzvoc',
+  cve: 'CVE-2016-0751',
+  file: 'Gemfile.lock',
+  solution: 'upgrade to >= 5.0.0.beta1.1, >= 4.2.5.1, ~> 4.2.5, >= 4.1.14.1, ~> 4.1.14, ~> 3.2.22.1',
+  name: 'Possible Object Leak and Denial of Service attack in Action Pack',
+  path: 'Gemfile.lock',
+  urlPath: 'path/Gemfile.lock'
+}];
 
-export const parsedSecurityIssuesBaseStore = [
-  {
-    tool: 'bundler_audit',
-    message: 'Arbitrary file existence disclosure in Action Pack',
-    url: 'https://groups.google.com/forum/#!topic/rubyonrails-security/rMTQy4oRCGk',
-    cve: 'CVE-2014-7855',
-    file: 'Gemfile.lock',
-    solution: 'upgrade to ~> 3.2.21, ~> 4.0.11.1, ~> 4.0.12, ~> 4.1.7.1, >= 4.1.8',
-    priority:'High',
-    line: 12,
-    name: 'Arbitrary file existence disclosure in Action Pack',
-    path: 'Gemfile.lock',
-    urlPath: 'path/Gemfile.lock#L12'
-  },
-];
+export const parsedSecurityIssuesBaseStore = [{
+  name: 'Test Information Leak Vulnerability in Action View',
+  tool: 'bundler_audit',
+  message: 'Test Information Leak Vulnerability in Action View',
+  url: 'https://groups.google.com/forum/#!topic/rubyonrails-security/335P1DcLG00',
+  cve: 'CVE-2016-9999',
+  file: 'Gemfile.lock',
+  solution: 'upgrade to >= 5.0.0.beta1.1, >= 4.2.5.1, ~> 4.2.5, >= 4.1.14.1, ~> 4.1.14, ~> 3.2.22.1',
+  path: 'Gemfile.lock',
+  urlPath: 'path/Gemfile.lock'
+}];
+
+export const allIssuesParsed = [{
+  name: 'Possible Information Leak Vulnerability in Action View',
+  tool: 'bundler_audit',
+  message: 'Possible Information Leak Vulnerability in Action View',
+  url: 'https://groups.google.com/forum/#!topic/rubyonrails-security/335P1DcLG00',
+  cve: 'CVE-2016-0752',
+  file: 'Gemfile.lock',
+  solution: 'upgrade to >= 5.0.0.beta1.1, >= 4.2.5.1, ~> 4.2.5, >= 4.1.14.1, ~> 4.1.14, ~> 3.2.22.1',
+  path: 'Gemfile.lock',
+  urlPath: 'path/Gemfile.lock',
+}];
 
 export const dockerReport = {
   unapproved: [

spec/javascripts/vue_mr_widget/stores/mr_widget_store_spec.js

@@ -9,6 +9,8 @@ import mockData, {
   parsedHeadIssues,
   parsedSecurityIssuesStore,
   parsedSecurityIssuesBaseStore,
+  allIssuesParsed,
+  parsedSecurityIssuesHead,
   dockerReport,
   dockerReportParsed,
   dast,
@@ -108,8 +110,9 @@ describe('MergeRequestStore', () => {
         baseBlobPath: 'path',
       });
 
-      expect(store.securityReport.newIssues).toEqual(parsedSecurityIssuesStore);
+      expect(store.securityReport.newIssues).toEqual(parsedSecurityIssuesHead);
       expect(store.securityReport.resolvedIssues).toEqual(parsedSecurityIssuesBaseStore);
+      expect(store.securityReport.allIssues).toEqual(allIssuesParsed);
     });
   });