Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
1
Merge Requests
1
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
gitlab-ce
Commits
5654dbaf
Commit
5654dbaf
authored
Aug 16, 2021
by
rossfuhrman
Committed by
Michael Kozono
Aug 16, 2021
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Drops :vulnerability_finding_tracking_signatures flag
parent
b5758f26
Changes
15
Show whitespace changes
Inline
Side-by-side
Showing
15 changed files
with
40 additions
and
89 deletions
+40
-89
config/feature_flags/development/vulnerability_finding_tracking_signatures.yml
...development/vulnerability_finding_tracking_signatures.yml
+0
-8
ee/app/finders/security/pipeline_vulnerabilities_finder.rb
ee/app/finders/security/pipeline_vulnerabilities_finder.rb
+1
-1
ee/app/models/ee/ci/build.rb
ee/app/models/ee/ci/build.rb
+1
-1
ee/app/models/ee/ci/job_artifact.rb
ee/app/models/ee/ci/job_artifact.rb
+1
-1
ee/app/models/vulnerabilities/finding.rb
ee/app/models/vulnerabilities/finding.rb
+1
-1
ee/app/services/security/store_report_service.rb
ee/app/services/security/store_report_service.rb
+2
-2
ee/app/services/security/store_scan_service.rb
ee/app/services/security/store_scan_service.rb
+1
-1
ee/spec/finders/security/pipeline_vulnerabilities_finder_spec.rb
.../finders/security/pipeline_vulnerabilities_finder_spec.rb
+4
-4
ee/spec/models/ci/build_spec.rb
ee/spec/models/ci/build_spec.rb
+4
-7
ee/spec/models/vulnerabilities/finding_spec.rb
ee/spec/models/vulnerabilities/finding_spec.rb
+8
-7
ee/spec/services/ci/compare_security_reports_service_spec.rb
ee/spec/services/ci/compare_security_reports_service_spec.rb
+2
-2
ee/spec/services/security/store_report_service_spec.rb
ee/spec/services/security/store_report_service_spec.rb
+6
-11
ee/spec/services/security/store_scan_service_spec.rb
ee/spec/services/security/store_scan_service_spec.rb
+6
-36
lib/gitlab/ci/reports/security/vulnerability_reports_comparer.rb
...lab/ci/reports/security/vulnerability_reports_comparer.rb
+1
-4
spec/lib/gitlab/ci/reports/security/vulnerability_reports_comparer_spec.rb
...i/reports/security/vulnerability_reports_comparer_spec.rb
+2
-3
No files found.
config/feature_flags/development/vulnerability_finding_tracking_signatures.yml
deleted
100644 → 0
View file @
b5758f26
---
name
:
vulnerability_finding_tracking_signatures
introduced_by_url
:
https://gitlab.com/gitlab-org/gitlab/-/merge_requests/54608
rollout_issue_url
:
https://gitlab.com/gitlab-org/gitlab/-/issues/322044
milestone
:
'
13.11'
type
:
development
group
:
group::vulnerability research
default_enabled
:
false
ee/app/finders/security/pipeline_vulnerabilities_finder.rb
View file @
5654dbaf
...
...
@@ -155,7 +155,7 @@ module Security
end
def
dismissal_feedback?
(
finding
)
if
::
Feature
.
enabled?
(
:vulnerability_finding_tracking_signatures
,
pipeline
.
project
)
&&
pipeline
.
project
.
licensed_feature_available?
(
:vulnerability_finding_signatures
)
&&
!
finding
.
signatures
.
empty?
if
pipeline
.
project
.
licensed_feature_available?
(
:vulnerability_finding_signatures
)
&&
!
finding
.
signatures
.
empty?
dismissal_feedback_by_finding_signatures
(
finding
)
else
dismissal_feedback_by_project_fingerprint
(
finding
)
...
...
ee/app/models/ee/ci/build.rb
View file @
5654dbaf
...
...
@@ -233,7 +233,7 @@ module EE
end
def
parse_raw_security_artifact_blob
(
security_report
,
blob
)
signatures_enabled
=
::
Feature
.
enabled?
(
:vulnerability_finding_tracking_signatures
,
project
)
&&
project
.
licensed_feature_available?
(
:vulnerability_finding_signatures
)
signatures_enabled
=
project
.
licensed_feature_available?
(
:vulnerability_finding_signatures
)
::
Gitlab
::
Ci
::
Parsers
.
fabricate!
(
security_report
.
type
,
blob
,
security_report
,
signatures_enabled
).
parse!
end
...
...
ee/app/models/ee/ci/job_artifact.rb
View file @
5654dbaf
...
...
@@ -93,7 +93,7 @@ module EE
strong_memoize
(
:security_report
)
do
next
unless
file_type
.
in?
(
SECURITY_REPORT_FILE_TYPES
)
signatures_enabled
=
::
Feature
.
enabled?
(
:vulnerability_finding_tracking_signatures
,
project
)
&&
project
.
licensed_feature_available?
(
:vulnerability_finding_signatures
)
signatures_enabled
=
project
.
licensed_feature_available?
(
:vulnerability_finding_signatures
)
report
=
::
Gitlab
::
Ci
::
Reports
::
Security
::
Report
.
new
(
file_type
,
job
.
pipeline
,
nil
).
tap
do
|
report
|
each_blob
do
|
blob
|
...
...
ee/app/models/vulnerabilities/finding.rb
View file @
5654dbaf
...
...
@@ -317,7 +317,7 @@ module Vulnerabilities
return
false
unless
other
.
is_a?
(
self
.
class
)
return
false
unless
other
.
report_type
==
report_type
&&
other
.
primary_identifier_fingerprint
==
primary_identifier_fingerprint
if
::
Feature
.
enabled?
(
:vulnerability_finding_tracking_signatures
,
project
)
&&
project
.
licensed_feature_available?
(
:vulnerability_finding_signatures
)
if
project
.
licensed_feature_available?
(
:vulnerability_finding_signatures
)
matches_signatures
(
other
.
signatures
,
other
.
uuid
)
else
other
.
location_fingerprint
==
location_fingerprint
...
...
ee/app/services/security/store_report_service.rb
View file @
5654dbaf
...
...
@@ -80,7 +80,7 @@ module Security
update_vulnerability_finding
(
vulnerability_finding
,
vulnerability_params
)
reset_remediations_for
(
vulnerability_finding
,
finding
)
if
::
Feature
.
enabled?
(
:vulnerability_finding_tracking_signatures
,
project
)
&&
project
.
licensed_feature_available?
(
:vulnerability_finding_signatures
)
if
project
.
licensed_feature_available?
(
:vulnerability_finding_signatures
)
update_feedbacks
(
vulnerability_finding
,
vulnerability_params
[
:uuid
])
update_finding_signatures
(
finding
,
vulnerability_finding
)
end
...
...
@@ -89,7 +89,7 @@ module Security
end
def
find_or_create_vulnerability_finding
(
finding
,
create_params
)
if
::
Feature
.
enabled?
(
:vulnerability_finding_tracking_signatures
,
project
)
&&
project
.
licensed_feature_available?
(
:vulnerability_finding_signatures
)
if
project
.
licensed_feature_available?
(
:vulnerability_finding_signatures
)
find_or_create_vulnerability_finding_with_signatures
(
finding
,
create_params
)
else
find_or_create_vulnerability_finding_with_location
(
finding
,
create_params
)
...
...
ee/app/services/security/store_scan_service.rb
View file @
5654dbaf
...
...
@@ -39,7 +39,7 @@ module Security
end
def
override_uuids?
::
Feature
.
enabled?
(
:vulnerability_finding_tracking_signatures
,
project
)
&&
project
.
licensed_feature_available?
(
:vulnerability_finding_signatures
)
project
.
licensed_feature_available?
(
:vulnerability_finding_signatures
)
end
def
security_scan
...
...
ee/spec/finders/security/pipeline_vulnerabilities_finder_spec.rb
View file @
5654dbaf
...
...
@@ -201,7 +201,7 @@ RSpec.describe Security::PipelineVulnerabilitiesFinder do
let
(
:ds_finding
)
{
pipeline
.
security_reports
.
reports
[
"dependency_scanning"
].
findings
.
first
}
let
(
:sast_finding
)
{
pipeline
.
security_reports
.
reports
[
"sast"
].
findings
.
first
}
context
'when vulnerability_finding_
tracking_signatures feature flag
is disabled'
do
context
'when vulnerability_finding_
signatures feature
is disabled'
do
let!
(
:feedback
)
do
[
create
(
...
...
@@ -228,7 +228,7 @@ RSpec.describe Security::PipelineVulnerabilitiesFinder do
end
before
do
stub_
feature_flags
(
vulnerability_finding_track
ing_signatures:
false
)
stub_
licensed_features
(
sast:
true
,
dependency_scanning:
true
,
container_scanning:
true
,
dast:
true
,
vulnerability_find
ing_signatures:
false
)
end
context
'when unscoped'
do
...
...
@@ -258,7 +258,7 @@ RSpec.describe Security::PipelineVulnerabilitiesFinder do
end
end
context
'when vulnerability_finding_
tracking_signatures feature flag
is enabled'
do
context
'when vulnerability_finding_
signatures feature
is enabled'
do
let!
(
:feedback
)
do
[
create
(
...
...
@@ -275,7 +275,7 @@ RSpec.describe Security::PipelineVulnerabilitiesFinder do
end
before
do
stub_
feature_flags
(
vulnerability_finding_track
ing_signatures:
true
)
stub_
licensed_features
(
sast:
true
,
dependency_scanning:
true
,
container_scanning:
true
,
dast:
true
,
vulnerability_find
ing_signatures:
true
)
end
context
'when unscoped'
do
...
...
ee/spec/models/ci/build_spec.rb
View file @
5654dbaf
...
...
@@ -371,24 +371,21 @@ RSpec.describe Ci::Build do
end
end
context
'vulnerability_finding_
tracking_
signatures'
do
context
'vulnerability_finding_signatures'
do
let!
(
:artifact
)
{
create
(
:ee_ci_job_artifact
,
:sast
,
job:
job
,
project:
job
.
project
)
}
where
(
vulnerability_finding_signatures
_enabled
:
[
true
,
false
])
where
(
vulnerability_finding_signatures:
[
true
,
false
])
with_them
do
it
'parses the report'
do
stub_licensed_features
(
sast:
true
,
vulnerability_finding_signatures:
vulnerability_finding_signatures_enabled
)
stub_feature_flags
(
vulnerability_finding_tracking_signatures:
vulnerability_finding_signatures_enabled
vulnerability_finding_signatures:
vulnerability_finding_signatures
)
expect
(
::
Gitlab
::
Ci
::
Parsers
::
Security
::
Sast
).
to
receive
(
:new
).
with
(
artifact
.
file
.
read
,
kind_of
(
::
Gitlab
::
Ci
::
Reports
::
Security
::
Report
),
vulnerability_finding_signatures
_enabled
vulnerability_finding_signatures
)
subject
...
...
ee/spec/models/vulnerabilities/finding_spec.rb
View file @
5654dbaf
# frozen_string_literal: true
require
'spec_helper'
RSpec
.
describe
Vulnerabilities
::
Finding
do
...
...
@@ -8,12 +7,10 @@ RSpec.describe Vulnerabilities::Finding do
it
{
is_expected
.
to
define_enum_for
(
:severity
)
}
it
{
is_expected
.
to
define_enum_for
(
:detection_method
)
}
where
(
vulnerability_finding_signatures
_enabled
:
[
true
,
false
])
where
(
vulnerability_finding_signatures:
[
true
,
false
])
with_them
do
before
do
stub_feature_flags
(
vulnerability_finding_tracking_signatures:
vulnerability_finding_signatures_enabled
)
stub_feature_flags
(
vulnerability_finding_replace_metadata:
false
)
stub_licensed_features
(
vulnerability_finding_signatures:
vulnerability_finding_signatures_enabled
)
stub_licensed_features
(
vulnerability_finding_signatures:
vulnerability_finding_signatures
)
end
describe
'associations'
do
...
...
@@ -388,6 +385,10 @@ RSpec.describe Vulnerabilities::Finding do
end
context
'when the feature flag is disabled'
do
before
do
stub_feature_flags
(
vulnerability_finding_replace_metadata:
false
)
end
it
'returns links from raw_metadata'
do
expect
(
links
).
to
eq
([{
'url'
=>
'https://raw.example.com'
,
'name'
=>
'raw_metadata_link'
}])
end
...
...
@@ -966,7 +967,7 @@ RSpec.describe Vulnerabilities::Finding do
expect
(
signature1
.
eql?
(
signature2
)).
to
be
(
true
)
# now verify that the correct matching method was used for eql?
expect
(
finding1
.
eql?
(
finding2
)).
to
be
(
vulnerability_finding_signatures
_enabled
)
expect
(
finding1
.
eql?
(
finding2
)).
to
be
(
vulnerability_finding_signatures
)
end
it
'wont match other record types'
do
...
...
@@ -1035,7 +1036,7 @@ RSpec.describe Vulnerabilities::Finding do
end
with_them
do
it
'matches correctly'
do
next
unless
vulnerability_finding_signatures
_enabled
next
unless
vulnerability_finding_signatures
create_signatures
expect
(
finding1
.
eql?
(
finding2
)).
to
be
(
should_match
)
...
...
ee/spec/services/ci/compare_security_reports_service_spec.rb
View file @
5654dbaf
...
...
@@ -11,10 +11,10 @@ RSpec.describe Ci::CompareSecurityReportsService do
collection
.
map
{
|
t
|
t
[
'identifiers'
].
first
[
'external_id'
]
}
end
where
(
vulnerability_finding_
tracking_signatures_enabled
:
[
true
,
false
])
where
(
vulnerability_finding_
signatures
:
[
true
,
false
])
with_them
do
before
do
stub_
feature_flags
(
vulnerability_finding_tracking_signatures:
vulnerability_finding_tracking_signatures_enabled
)
stub_
licensed_features
(
vulnerability_finding_signatures:
vulnerability_finding_signatures
)
end
describe
'#execute DS'
do
...
...
ee/spec/services/security/store_report_service_spec.rb
View file @
5654dbaf
...
...
@@ -15,19 +15,18 @@ RSpec.describe Security::StoreReportService, '#execute' do
subject
{
described_class
.
new
(
pipeline
,
report
).
execute
}
where
(
:vulnerability_finding_signatures
_enabled
)
do
where
(
:vulnerability_finding_signatures
)
do
[
true
,
false
]
end
with_them
do
before
do
stub_feature_flags
(
vulnerability_finding_tracking_signatures:
vulnerability_finding_signatures_enabled
)
stub_licensed_features
(
sast:
true
,
dependency_scanning:
true
,
container_scanning:
true
,
security_dashboard:
true
,
vulnerability_finding_signatures:
vulnerability_finding_signatures
_enabled
vulnerability_finding_signatures:
vulnerability_finding_signatures
)
allow
(
Security
::
AutoFixWorker
).
to
receive
(
:perform_async
)
end
...
...
@@ -85,7 +84,7 @@ RSpec.describe Security::StoreReportService, '#execute' do
end
it
'inserts all signatures'
do
signatures_count
=
vulnerability_finding_signatures
_enabled
?
signatures
:
0
signatures_count
=
vulnerability_finding_signatures
?
signatures
:
0
expect
{
subject
}.
to
change
{
Vulnerabilities
::
FindingSignature
.
count
}.
by
(
signatures_count
)
end
end
...
...
@@ -408,7 +407,7 @@ RSpec.describe Security::StoreReportService, '#execute' do
end
it
'handles the error correctly'
do
next
unless
vulnerability_finding_signatures
_enabled
next
unless
vulnerability_finding_signatures
report_finding
=
report
.
findings
.
find
{
|
f
|
f
.
location
.
fingerprint
==
finding
.
location_fingerprint
}
...
...
@@ -418,7 +417,7 @@ RSpec.describe Security::StoreReportService, '#execute' do
end
it
'raises the error if there exists no vulnerability finding'
do
next
unless
vulnerability_finding_signatures
_enabled
next
unless
vulnerability_finding_signatures
allow
(
store_report_service
).
to
receive
(
:sync_vulnerability_finding
).
and_raise
(
ActiveRecord
::
RecordNotUnique
)
...
...
@@ -429,7 +428,7 @@ RSpec.describe Security::StoreReportService, '#execute' do
end
it
'updates signatures to match new values'
do
next
unless
vulnerability_finding_signatures
_enabled
next
unless
vulnerability_finding_signatures
expect
(
finding
.
signatures
.
count
).
to
eq
(
1
)
expect
(
finding
.
signatures
.
first
.
algorithm_type
).
to
eq
(
'hash'
)
...
...
@@ -685,9 +684,6 @@ RSpec.describe Security::StoreReportService, '#execute' do
security_dashboard:
true
,
vulnerability_finding_signatures:
false
)
stub_feature_flags
(
vulnerability_finding_tracking_signatures:
false
)
expect
do
expect
do
...
...
@@ -703,7 +699,6 @@ RSpec.describe Security::StoreReportService, '#execute' do
security_dashboard:
true
,
vulnerability_finding_signatures:
true
)
stub_feature_flags
(
vulnerability_finding_tracking_signatures:
true
)
pipeline
,
report
=
generate_new_pipeline
...
...
ee/spec/services/security/store_scan_service_spec.rb
View file @
5654dbaf
...
...
@@ -59,15 +59,11 @@ RSpec.describe Security::StoreScanService do
context
'when the `vulnerability_finding_signatures` licensed feature is available'
do
before
do
stub_feature_flags
(
vulnerability_finding_tracking_signatures:
feature_enabled?
)
stub_licensed_features
(
vulnerability_finding_signatures:
true
)
allow
(
Security
::
OverrideUuidsService
).
to
receive
(
:execute
)
end
context
'when the `vulnerability_finding_tracking_signatures` feature is enabled'
do
let
(
:feature_enabled?
)
{
true
}
it
'calls `Security::OverrideUuidsService` with security report to re-calculate the finding UUIDs'
do
store_scan
...
...
@@ -75,45 +71,19 @@ RSpec.describe Security::StoreScanService do
end
end
context
'when the `vulnerability_finding_tracking_signatures` feature is disabled'
do
let
(
:feature_enabled?
)
{
false
}
it
'does not call `Security::OverrideUuidsService`'
do
store_scan
expect
(
Security
::
OverrideUuidsService
).
not_to
have_received
(
:execute
)
end
end
end
context
'when the `vulnerability_finding_signatures` licensed feature is not available'
do
before
do
stub_feature_flags
(
vulnerability_finding_tracking_signatures:
feature_enabled?
)
stub_licensed_features
(
vulnerability_finding_signatures:
false
)
allow
(
Security
::
OverrideUuidsService
).
to
receive
(
:execute
)
end
context
'when the `vulnerability_finding_tracking_signatures` feature is enabled'
do
let
(
:feature_enabled?
)
{
true
}
it
'does not call `Security::OverrideUuidsService`'
do
store_scan
expect
(
Security
::
OverrideUuidsService
).
not_to
have_received
(
:execute
)
end
end
context
'when the `vulnerability_finding_tracking_signatures` feature is disabled'
do
let
(
:feature_enabled?
)
{
false
}
it
'does not call `Security::OverrideUuidsService`'
do
store_scan
expect
(
Security
::
OverrideUuidsService
).
not_to
have_received
(
:execute
)
end
end
end
context
'when the report has some errors'
do
before
do
...
...
lib/gitlab/ci/reports/security/vulnerability_reports_comparer.rb
View file @
5654dbaf
...
...
@@ -15,10 +15,7 @@ module Gitlab
@base_report
=
base_report
@head_report
=
head_report
@signatures_enabled
=
(
::
Feature
.
enabled?
(
:vulnerability_finding_tracking_signatures
,
project
)
&&
project
.
licensed_feature_available?
(
:vulnerability_finding_signatures
)
)
@signatures_enabled
=
project
.
licensed_feature_available?
(
:vulnerability_finding_signatures
)
if
@signatures_enabled
@added_findings
=
[]
...
...
spec/lib/gitlab/ci/reports/security/vulnerability_reports_comparer_spec.rb
View file @
5654dbaf
...
...
@@ -24,12 +24,11 @@ RSpec.describe Gitlab::Ci::Reports::Security::VulnerabilityReportsComparer do
subject
{
described_class
.
new
(
project
,
base_report
,
head_report
)
}
where
(
vulnerability_finding_
tracking_signatures_enabled
:
[
true
,
false
])
where
(
vulnerability_finding_
signatures
:
[
true
,
false
])
with_them
do
before
do
stub_feature_flags
(
vulnerability_finding_tracking_signatures:
vulnerability_finding_tracking_signatures_enabled
)
stub_licensed_features
(
vulnerability_finding_signatures:
vulnerability_finding_tracking_signatures_enabled
)
stub_licensed_features
(
vulnerability_finding_signatures:
vulnerability_finding_signatures
)
end
describe
'#base_report_out_of_date'
do
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment