Expose scan object in unsaved findings

This information will be available only for unsaved findings at the moment

Expose scan object in unsaved findings
This information will be available only for unsaved findings at the moment
52b589e9 · can eldem · 871a23c1 · 52b589e9 · 52b589e9 · 52b589e9
Commit 52b589e9 authored Oct 05, 2020 by can eldem
12 changed files
--- a/ee/app/controllers/projects/vulnerability_feedback_controller.rb
+++ b/ee/app/controllers/projects/vulnerability_feedback_controller.rb
@@ -163,6 +163,17 @@ class Projects::VulnerabilityFeedbackController < Projects::ApplicationControlle
      ],
      remediations: %i[
        diff
+      ],
+      scanner: %i[
+        external_id
+        name
+        vendor
+      ],
+      scan: %i[
+        type
+        status
+        start_time
+        end_time
      ]
    ]
  end

--- a/ee/app/models/vulnerabilities/finding.rb
+++ b/ee/app/models/vulnerabilities/finding.rb
@@ -29,6 +29,7 @@ module Vulnerabilities
    has_many :pipelines, through: :finding_pipelines, class_name: 'Ci::Pipeline'

    attr_writer :sha
+    attr_accessor :scan

    CONFIDENCE_LEVELS = {
      # undefined: 0, no longer applicable

--- a/ee/app/serializers/vulnerabilities/finding_entity.rb
+++ b/ee/app/serializers/vulnerabilities/finding_entity.rb
@@ -34,6 +34,7 @@ class Vulnerabilities::FindingEntity < Grape::Entity
  end

  expose :state
+  expose :scan

  expose :blob_path do |occurrence|
    occurrence.present.blob_path

--- a/ee/changelogs/unreleased/expose-scan-object.yml
+++ b/ee/changelogs/unreleased/expose-scan-object.yml
+---
+title: Expose scan object in unsaved findings
+merge_request: 44274
+author:
+type: other
--- a/ee/lib/gitlab/ci/reports/security/finding.rb
+++ b/ee/lib/gitlab/ci/reports/security/finding.rb
@@ -53,6 +53,7 @@ module Gitlab
              raw_metadata
              report_type
              scanner
+              scan
              severity
              uuid
            ].each_with_object({}) do |key, hash|

--- a/ee/lib/gitlab/vulnerabilities/base_vulnerability.rb
+++ b/ee/lib/gitlab/vulnerabilities/base_vulnerability.rb
@@ -18,6 +18,8 @@ module Gitlab
        links
        remediations
        target_branch
+        scanner
+        scan
      ].each { |method_name| define_method(method_name) { @data[method_name] } }

      # Ensure mandatory properties are defined

--- a/ee/spec/controllers/projects/vulnerability_feedback_controller_spec.rb
+++ b/ee/spec/controllers/projects/vulnerability_feedback_controller_spec.rb
@@ -136,7 +136,18 @@ RSpec.describe Projects::VulnerabilityFeedbackController do
          links: [{
            name: 'Awesome-security blog post',
            url: 'https;//example.com/blog-post'
-          }]
+          }],
+          scanner: {
+            external_id: 'bundler-audit',
+            name: 'bunlder audit',
+            vendor: 'bundler audit'
+          },
+          scan: {
+            type: 'dependency_scanning',
+            status: 'success',
+            start_time: 'placeholder',
+            end_time: 'placeholder'
+          }
        }
      }
    end

--- a/ee/spec/fixtures/api/schemas/vulnerabilities/finding.json
+++ b/ee/spec/fixtures/api/schemas/vulnerabilities/finding.json
@@ -7,6 +7,7 @@
    "severity",
    "report_type",
    "scanner",
+    "scan",
    "project"
  ],
  "properties" : {
@@ -31,6 +32,13 @@
      "external_id" : { "type": "string" },
      "name" : { "type": "string" }
    },
+    "scan" : {
+      "end_time": { "type": "string" },
+      "messages": { "type": "string" },
+      "start_time": { "type": "string" },
+      "status": { "type": "string" },
+      "type": { "type": "string" }
+    },
    "project" : {
      "required" : [
        "id",

--- a/ee/spec/lib/gitlab/ci/reports/security/finding_spec.rb
+++ b/ee/spec/lib/gitlab/ci/reports/security/finding_spec.rb
@@ -91,6 +91,7 @@ RSpec.describe Gitlab::Ci::Reports::Security::Finding do
        raw_metadata: occurrence.raw_metadata,
        report_type: occurrence.report_type,
        scanner: occurrence.scanner,
+        scan: occurrence.scan,
        severity: occurrence.severity,
        uuid: occurrence.uuid
      })

--- a/ee/spec/lib/gitlab/vulnerabilities/base_vulnerability_spec.rb
+++ b/ee/spec/lib/gitlab/vulnerabilities/base_vulnerability_spec.rb
@@ -19,7 +19,9 @@ RSpec.describe Gitlab::Vulnerabilities::BaseVulnerability do
      ],
      links: [{ name: 'Awesome-security blog post', url: 'https;//example.com/blog-post' }],
      location: { file: 'main.rb', start_line: 14, blob_path: '/bar/foo/main.rb#14' },
-      solution: 'upgrade dependencies'
+      solution: 'upgrade dependencies',
+      scanner: { external_id: 'gemnasium', name: 'Gemnasium' },
+      scan: { external_id: 'gemnasium', name: 'Gemnasium' }
    }
  end

@@ -34,7 +36,7 @@ RSpec.describe Gitlab::Vulnerabilities::BaseVulnerability do
  end

  describe 'getters' do
-    where(:getter) { %i[severity confidence solution identifiers links remediations target_branch] }
+    where(:getter) { %i[severity confidence solution identifiers links remediations target_branch scan scanner] }

    let(:with_nil) { described_class.new({}) }


--- a/ee/spec/requests/api/vulnerability_findings_spec.rb
+++ b/ee/spec/requests/api/vulnerability_findings_spec.rb
@@ -52,7 +52,6 @@ RSpec.describe API::VulnerabilityFindings do
        finding_count = (sast_report.findings.count + ds_report.findings.count - 1).to_s

        get api(project_vulnerability_findings_path, user), params: pagination
-
        expect(response).to have_gitlab_http_status(:ok)
        expect(response).to include_pagination_headers
        expect(response).to match_response_schema('vulnerabilities/finding_list', dir: 'ee')

--- a/ee/spec/serializers/vulnerabilities/finding_entity_spec.rb
+++ b/ee/spec/serializers/vulnerabilities/finding_entity_spec.rb
@@ -3,36 +3,37 @@
 require 'spec_helper'

 RSpec.describe Vulnerabilities::FindingEntity do
-  let_it_be(:user) { create(:user) }
-  let_it_be(:project) { create(:project) }
+  let_it_be(:user) { build(:user) }
+  let_it_be(:project) { build(:project) }

-  let(:scanner) do
-    create(:vulnerabilities_scanner, project: project)
-  end
+  let(:scanner) { build(:vulnerabilities_scanner, project: project) }
+
+  let(:scan) { build(:ci_reports_security_scan) }

  let(:identifiers) do
    [
-      create(:vulnerabilities_identifier),
-      create(:vulnerabilities_identifier)
+      build(:vulnerabilities_identifier),
+      build(:vulnerabilities_identifier)
    ]
  end

  let(:occurrence) do
-    create(
+    build(
      :vulnerabilities_occurrence,
      scanner: scanner,
+      scan: scan,
      project: project,
      identifiers: identifiers
    )
  end

-  let!(:dismiss_feedback) do
-    create(:vulnerability_feedback, :sast, :dismissal,
+  let(:dismiss_feedback) do
+    build(:vulnerability_feedback, :sast, :dismissal,
           project: project, project_fingerprint: occurrence.project_fingerprint)
  end

-  let!(:issue_feedback) do
-    create(:vulnerability_feedback, :sast, :issue,
+  let(:issue_feedback) do
+    build(:vulnerability_feedback, :sast, :issue,
           project: project, project_fingerprint: occurrence.project_fingerprint)
  end

@@ -56,6 +57,7 @@ RSpec.describe Vulnerabilities::FindingEntity do
      expect(subject).to include(:dismissal_feedback, :issue_feedback)
      expect(subject).to include(:description, :links, :location, :remediations, :solution, :evidence)
      expect(subject).to include(:blob_path, :request, :response)
+      expect(subject).to include(:scan)
    end

    context 'when not allowed to admin vulnerability feedback' do