Add a Secure E2E test for pipeline reports

Adds an end-to-end test that executes a pipeline and validates that security reports appear in the pipeline display. Establishes a new fixture that contains a repository which will skip scanner execution and upload a pre-generated report artifact.

Add a Secure E2E test for pipeline reports
Adds an end-to-end test that executes a pipeline and validates that security reports appear in the pipeline display. Establishes a new fixture that contains a repository which will skip scanner execution and upload a pre-generated report artifact.
54902d7e · Aleksandr Soborov · 0d7c8ca2 · 54902d7e · 54902d7e · 54902d7e
Commit 54902d7e authored May 02, 2019 by Aleksandr Soborov
8 changed files
--- a/ee/app/assets/javascripts/vue_shared/security_reports/split_security_reports_app.vue
+++ b/ee/app/assets/javascripts/vue_shared/security_reports/split_security_reports_app.vue
@@ -282,7 +282,7 @@ export default {
      :unresolved-issues="dependencyScanning.newIssues"
      :has-issues="dependencyScanning.newIssues.length > 0"
      :popover-options="dependencyScanningPopover"
-      class="js-dss-widget split-report-section"
+      class="js-dss-widget split-report-section qa-dependency-scanning-report"
    />

    <report-section

--- a/ee/app/views/projects/pipelines/_tabs_holder.html.haml
+++ b/ee/app/views/projects/pipelines/_tabs_holder.html.haml
@@ -3,7 +3,7 @@

 - if pipeline.expose_security_dashboard?
  %li.js-security-tab-link
-    = link_to security_project_pipeline_path(project, pipeline), data: { target: '#js-tab-security', action: 'security', toggle: 'tab' }, class: 'security-tab' do
+    = link_to security_project_pipeline_path(project, pipeline), data: { target: '#js-tab-security', action: 'security', toggle: 'tab' }, class: 'security-tab qa-security-tab' do
      = _("Security")
      %span.badge.badge-pill.js-sast-counter.hidden


--- a/qa/qa/ee.rb
+++ b/qa/qa/ee.rb
@@ -69,6 +69,10 @@ module QA
          autoload :ProtectedBranches, 'qa/ee/page/project/settings/protected_branches'
          autoload :MirroringRepositories, 'qa/ee/page/project/settings/mirroring_repositories'
        end
+
+        module Pipeline
+          autoload :Show, 'qa/ee/page/project/pipeline/show'
+        end
      end

      module MergeRequest

--- a/qa/qa/ee/fixtures/secure_premade_reports/.gitlab-ci.yml
+++ b/qa/qa/ee/fixtures/secure_premade_reports/.gitlab-ci.yml
+include:
+  template: Dependency-Scanning.gitlab-ci.yml
+
+dependency-scanning:
+  tags:
+    - qa
+    - test
+  script:
+    - echo "Skipped"
+  artifacts:
+    reports:
+      dependency_scanning: gl-dependency-scanning-report.json
--- a/qa/qa/ee/fixtures/secure_premade_reports/gl-dependency-scanning-report.json
+++ b/qa/qa/ee/fixtures/secure_premade_reports/gl-dependency-scanning-report.json
+{
+  "version": "2.0",
+  "vulnerabilities": [
+    {
+      "category": "dependency_scanning",
+      "name": "jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution",
+      "message": "jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution in jquery",
+      "cve": "node_modules/webpack-dev-server/client/live.bundle.js:jquery:cve:CVE-2019-11358",
+      "severity": "Low",
+      "scanner": {
+        "id": "retire.js",
+        "name": "Retire.js"
+      },
+      "location": {
+        "file": "node_modules/webpack-dev-server/client/live.bundle.js",
+        "dependency": {
+          "package": {
+            "name": "jquery"
+          },
+          "version": "3.3.1"
+        }
+      },
+      "identifiers": [
+        {
+          "type": "cve",
+          "name": "CVE-2019-11358",
+          "value": "CVE-2019-11358",
+          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358"
+        }
+      ],
+      "links": [
+        {
+          "url": "https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/"
+        },
+        {
+          "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11358"
+        },
+        {
+          "url": "https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b"
+        }
+      ]
+    }
+  ],
+  "remediations": []
+}
--- a/qa/qa/ee/page/project/pipeline/show.rb
+++ b/qa/qa/ee/page/project/pipeline/show.rb
+# frozen_string_literal: true
+
+module QA::EE::Page
+  module Project::Pipeline
+    module Show
+      def self.prepended(page)
+        page.module_eval do
+          view 'ee/app/views/projects/pipelines/_tabs_holder.html.haml' do
+            element :security_tab
+          end
+
+          view 'ee/app/assets/javascripts/vue_shared/security_reports/split_security_reports_app.vue' do
+            element :dependency_scanning_report
+          end
+
+          view 'app/assets/javascripts/reports/components/report_section.vue' do
+            element :expand_report_button
+          end
+        end
+      end
+
+      def click_on_security
+        click_element(:security_tab)
+      end
+
+      def has_dependency_report?
+        find_element(:dependency_scanning_report)
+      end
+
+      def expand_dependency_report
+        within_element(:dependency_scanning_report) do
+          click_element(:expand_report_button)
+        end
+      end
+    end
+  end
+end
--- a/qa/qa/page/project/pipeline/show.rb
+++ b/qa/qa/page/project/pipeline/show.rb
@@ -3,6 +3,8 @@
 module QA::Page
  module Project::Pipeline
    class Show < QA::Page::Base
+      prepend QA::EE::Page::Project::Pipeline::Show
+
      view 'app/assets/javascripts/vue_shared/components/header_ci_component.vue' do
        element :pipeline_header, /header class.*ci-header-container.*/ # rubocop:disable QA/ElementWithPattern
      end

--- a/qa/qa/specs/features/browser_ui/ee_secure/create_project_with_secure_spec.rb
+++ b/qa/qa/specs/features/browser_ui/ee_secure/create_project_with_secure_spec.rb
+# frozen_string_literal: true
+
+require 'pathname'
+
+module QA
+  context 'Secure', :docker do
+    def login
+      Runtime::Browser.visit(:gitlab, Page::Main::Login)
+      Page::Main::Login.perform(&:sign_in_using_credentials)
+    end
+
+    describe 'Security Dashboard support' do
+      let(:executor) { "qa-runner-#{Time.now.to_i}" }
+
+      after do
+        Service::Runner.new(executor).remove!
+      end
+
+      it 'displays the Dependency Scanning report in the pipeline' do
+        login
+
+        @project = Resource::Project.fabricate! do |p|
+          p.name = Runtime::Env.auto_devops_project_name || 'project-with-secure'
+          p.description = 'Project with Secure'
+        end
+
+        Resource::Runner.fabricate! do |runner|
+          runner.project = @project
+          runner.name = executor
+          runner.tags = %w[qa test]
+        end
+
+        # Create Secure compatible repo
+        Resource::Repository::ProjectPush.fabricate! do |push|
+          push.project = @project
+          push.directory = Pathname
+            .new(__dir__)
+            .join('../../../../ee/fixtures/secure_premade_reports')
+          push.commit_message = 'Create Secure compatible application to serve premade reports'
+        end
+
+        Page::Project::Menu.perform(&:click_ci_cd_pipelines)
+        Page::Project::Pipeline::Index.perform(&:click_on_latest_pipeline)
+
+        Page::Project::Pipeline::Show.perform do |pipeline|
+          pipeline.click_job('dependency-scanning')
+        end
+        Page::Project::Job::Show.perform do |job|
+          expect(job).to be_successful(timeout: 600)
+
+          job.click_element(:pipeline_path)
+        end
+        Page::Project::Pipeline::Show.perform do |pipeline|
+          pipeline.click_on_security
+          expect(pipeline).to have_dependency_report
+          expect(pipeline).to have_content("Dependency scanning detected 1")
+          pipeline.expand_dependency_report
+          expect(pipeline).to have_content("jQuery before 3.4.0")
+        end
+      end
+    end
+  end
+end