Merge branch 'expose-vulnerability-generic-details' into 'master'

Expose generic vulnerability finding details

See merge request gitlab-org/gitlab!56448

doc/api/vulnerability_findings.md

@@ -131,6 +131,18 @@ Example response:
         "version": "1.5.0"
       }
     },
+    "details": {
+      "custom_field": {
+        "name": "URLs",
+        "type": "list",
+        "items": [
+          {
+            "type": "url",
+            "href": "http://site.com/page/1"
+          }
+        ]
+      }
+    },
     "solution": "Upgrade to fixed version.\r\n",
     "blob_path": "/tests/yarn-remediation-test/blob/cc6c4a0778460455ae5d16ca7025ca9ca1ca75ac/yarn.lock"
   }

ee/app/helpers/vulnerabilities_helper.rb

 # frozen_string_literal: true
 
 module VulnerabilitiesHelper
-  FINDING_FIELDS = %i[metadata identifiers name issue_feedback merge_request_feedback project project_fingerprint scanner uuid].freeze
+  FINDING_FIELDS = %i[metadata identifiers name issue_feedback merge_request_feedback project project_fingerprint scanner uuid details].freeze
 
   def vulnerability_details_json(vulnerability, pipeline)
     vulnerability_details(vulnerability, pipeline).to_json

ee/app/serializers/vulnerabilities/finding_entity.rb

@@ -41,6 +41,7 @@ class Vulnerabilities::FindingEntity < Grape::Entity
     expose(:assets) { |model, _| model.assets }
   end
 
+  expose :details
   expose :state
   expose :scan
 

ee/changelogs/unreleased/expose-vulnerability-generic-details.yml

+---
+title: Return generic vulnerability details in the response of the vulnerability_finding
+  endpoint
+merge_request: 56448
+author:
+type: changed

ee/spec/factories/vulnerabilities/findings.rb

@@ -59,6 +59,17 @@ FactoryBot.define do
     confidence { :medium }
     scanner factory: :vulnerabilities_scanner
     metadata_version { 'sast:1.0' }
+
+    details do
+      {
+        url: {
+          name: 'URL',
+          type: 'url',
+          href: 'http://site.com'
+        }
+      }
+    end
+
     raw_metadata do
       {
         description: 'The cipher does not provide data integrity update 1',

ee/spec/helpers/vulnerabilities_helper_spec.rb

@@ -39,10 +39,11 @@ RSpec.describe VulnerabilitiesHelper do
                     :project,
                     :remediations,
                     :solution,
-                    :uuid)
+                    :uuid,
+                    :details)
     end
 
-    let(:desired_serializer_fields) { %i[metadata identifiers name issue_feedback merge_request_feedback project project_fingerprint scanner uuid] }
+    let(:desired_serializer_fields) { %i[metadata identifiers name issue_feedback merge_request_feedback project project_fingerprint scanner uuid details] }
 
     before do
       vulnerability_serializer_stub = instance_double("VulnerabilitySerializer")
@@ -268,7 +269,8 @@ RSpec.describe VulnerabilitiesHelper do
         evidence_source: anything,
         assets: kind_of(Array),
         supporting_messages: kind_of(Array),
-        uuid: kind_of(String)
+        uuid: kind_of(String),
+        details: kind_of(Hash)
       )
 
       expect(subject[:location]['blob_path']).to match(kind_of(String))

ee/spec/serializers/vulnerabilities/finding_entity_spec.rb

@@ -60,6 +60,7 @@ RSpec.describe Vulnerabilities::FindingEntity do
       expect(subject).to include(:scan)
       expect(subject).to include(:assets, :evidence_source, :supporting_messages)
       expect(subject).to include(:uuid)
+      expect(subject).to include(:details)
     end
 
     context 'when not allowed to admin vulnerability feedback' do