Merge branch 'gsd-confidence-filter' into 'master'

Adds a confidence filter to the GSD

See merge request gitlab-org/gitlab-ee!12805

doc/user/application_security/security_dashboard/index.md

@@ -54,6 +54,7 @@ First, navigate to the Security Dashboard found under your group's
 Once you're on the dashboard, at the top you should see a series of filters for:
 
 - Severity
+- Confidence
 - Report type
 - Project
 

ee/app/assets/javascripts/security_dashboard/store/modules/filters/constants.js

@@ -33,6 +33,10 @@ export const BASE_FILTERS = {
     name: s__('ciReport|All severities'),
     id: 'all',
   },
+  confidence: {
+    name: s__('ciReport|All confidence levels'),
+    id: 'all',
+  },
   report_type: {
     name: s__('ciReport|All report types'),
     id: 'all',

ee/app/assets/javascripts/security_dashboard/store/modules/filters/state.js

-import { SEVERITY_LEVELS, REPORT_TYPES, BASE_FILTERS } from './constants';
+import { SEVERITY_LEVELS, CONFIDENCE_LEVELS, REPORT_TYPES, BASE_FILTERS } from './constants';
 
 const optionsObjectToArray = obj => Object.entries(obj).map(([id, name]) => ({ id, name }));
 
@@ -10,6 +10,12 @@ export default () => ({
       options: [BASE_FILTERS.severity, ...optionsObjectToArray(SEVERITY_LEVELS)],
       selection: new Set(['all']),
     },
+    {
+      name: 'Confidence',
+      id: 'confidence',
+      options: [BASE_FILTERS.confidence, ...optionsObjectToArray(CONFIDENCE_LEVELS)],
+      selection: new Set(['all']),
+    },
     {
       name: 'Report type',
       id: 'report_type',

ee/app/controllers/groups/security/vulnerabilities_controller.rb

@@ -39,7 +39,7 @@ class Groups::Security::VulnerabilitiesController < Groups::Security::Applicatio
   private
 
   def filter_params
-    params.permit(report_type: [], project_id: [], severity: [])
+    params.permit(report_type: [], confidence: [], project_id: [], severity: [])
       .merge(hide_dismissed: Gitlab::Utils.to_boolean(params[:hide_dismissed]))
   end
 

ee/app/finders/security/vulnerabilities_finder.rb

@@ -8,6 +8,7 @@
 #   group - object to filter vulnerabilities
 #   params:
 #     severity: Array<String>
+#     confidence: Array<String>
 #     project: Array<String>
 #     report_type: Array<String>
 
@@ -26,6 +27,7 @@ module Security
       collection = by_report_type(collection)
       collection = by_project(collection)
       collection = by_severity(collection)
+      collection = by_confidence(collection)
       collection
     end
 
@@ -53,6 +55,14 @@ module Security
           *params[:severity]).compact)
     end
 
+    def by_confidence(items)
+      return items unless params[:confidence].present?
+
+      items.by_confidences(
+        Vulnerabilities::Occurrence::CONFIDENCE_LEVELS.values_at(
+          *params[:confidence]).compact)
+    end
+
     def init_collection(scope)
       if scope == :all
         group.all_vulnerabilities

ee/app/models/vulnerabilities/occurrence.rb

@@ -79,6 +79,7 @@ module Vulnerabilities
     scope :by_report_types, -> (values) { where(report_type: values) }
     scope :by_projects, -> (values) { where(project_id: values) }
     scope :by_severities, -> (values) { where(severity: values) }
+    scope :by_confidences, -> (values) { where(confidence: values) }
 
     scope :all_preloaded, -> do
       preload(:scanner, :identifiers, project: [:namespace, :project_feature])

ee/changelogs/unreleased/gsd-confidence-filter.yml

+---
+title: Adds a confidence filter to the Group Security Dashboard
+merge_request: 12805
+author:
+type: added

ee/spec/finders/security/vulnerabilities_finder_spec.rb

@@ -10,8 +10,8 @@ describe Security::VulnerabilitiesFinder do
     set(:pipeline1) { create(:ci_pipeline, :success, project: project1) }
     set(:pipeline2) { create(:ci_pipeline, :success, project: project2) }
 
-    set(:vulnerability1) { create(:vulnerabilities_occurrence, report_type: :sast, severity: :high, pipelines: [pipeline1], project: project1) }
-    set(:vulnerability2) { create(:vulnerabilities_occurrence, report_type: :dependency_scanning, severity: :medium, pipelines: [pipeline2], project: project2) }
+    set(:vulnerability1) { create(:vulnerabilities_occurrence, report_type: :sast, severity: :high, confidence: :high, pipelines: [pipeline1], project: project1) }
+    set(:vulnerability2) { create(:vulnerabilities_occurrence, report_type: :dependency_scanning, severity: :medium, confidence: :low, pipelines: [pipeline2], project: project2) }
     set(:vulnerability3) { create(:vulnerabilities_occurrence, report_type: :sast, severity: :low, pipelines: [pipeline2], project: project2) }
     set(:vulnerability4) { create(:vulnerabilities_occurrence, report_type: :dast, severity: :medium, pipelines: [pipeline1], project: project1) }
 
@@ -53,6 +53,24 @@ describe Security::VulnerabilitiesFinder do
       end
     end
 
+    context 'by confidence' do
+      context 'when high' do
+        let(:params) { { confidence: %w[high] } }
+
+        it 'includes only high confidence vulnerabilities' do
+          is_expected.to contain_exactly(vulnerability1)
+        end
+      end
+
+      context 'when low' do
+        let(:params) { { confidence: %w[low] } }
+
+        it 'includes only low confidence vulnerabilities' do
+          is_expected.to contain_exactly(vulnerability2)
+        end
+      end
+    end
+
     context 'by project' do
       let(:params) { { project_id: [project2.id] } }
 

ee/spec/javascripts/security_dashboard/components/filters_spec.js

@@ -18,7 +18,7 @@ describe('Filter component', () => {
     });
 
     it('should display all filters', () => {
-      expect(vm.$el.querySelectorAll('.js-filter').length).toEqual(3);
+      expect(vm.$el.querySelectorAll('.js-filter').length).toEqual(4);
     });
   });
 });

ee/spec/models/vulnerabilities/occurrence_spec.rb

@@ -218,7 +218,7 @@ describe Vulnerabilities::Occurrence do
     subject { described_class.by_severities(param) }
 
     context 'with one param' do
-      let(:param) { 4 }
+      let(:param) { described_class.severities[:low] }
 
       it 'returns found record' do
         is_expected.to contain_exactly(vulnerability_low)
@@ -226,7 +226,30 @@ describe Vulnerabilities::Occurrence do
     end
 
     context 'without found record' do
-      let(:param) { 7 }
+      let(:param) { described_class.severities[:unknown] }
+
+      it 'returns empty collection' do
+        is_expected.to be_empty
+      end
+    end
+  end
+
+  describe '.by_confidences' do
+    let!(:vulnerability_high) { create(:vulnerabilities_occurrence, confidence: :high) }
+    let!(:vulnerability_low) { create(:vulnerabilities_occurrence, confidence: :low) }
+
+    subject { described_class.by_confidences(param) }
+
+    context 'with matching param' do
+      let(:param) { described_class.confidences[:low] }
+
+      it 'returns found record' do
+        is_expected.to contain_exactly(vulnerability_low)
+      end
+    end
+
+    context 'with non-matching param' do
+      let(:param) { described_class.confidences[:unknown] }
 
       it 'returns empty collection' do
         is_expected.to be_empty

locale/gitlab.pot

@@ -14946,6 +14946,9 @@ msgstr ""
 msgid "ciReport|(is loading, errors when loading results)"
 msgstr ""
 
+msgid "ciReport|All confidence levels"
+msgstr ""
+
 msgid "ciReport|All projects"
 msgstr ""