Expose vulnerability occurrence evidence

63f86810 · Cameron Swords · Dmytro Zaporozhets · e7e3fcef · 63f86810 · 63f86810
Commit 63f86810 authored Apr 21, 2020 by Cameron Swords Committed by Dmytro Zaporozhets Apr 21, 2020
5 changed files
--- a/ee/app/models/vulnerabilities/occurrence.rb
+++ b/ee/app/models/vulnerabilities/occurrence.rb
@@ -254,6 +254,10 @@ module Vulnerabilities
      metadata.dig('remediations')
    end

+    def evidence
+      metadata.dig('evidence', 'summary')
+    end
+
    alias_method :==, :eql? # eql? is necessary in some cases like array intersection

    def eql?(other)

--- a/ee/app/serializers/vulnerabilities/occurrence_entity.rb
+++ b/ee/app/serializers/vulnerabilities/occurrence_entity.rb
@@ -29,6 +29,7 @@ class Vulnerabilities::OccurrenceEntity < Grape::Entity
    expose :location
    expose :remediations
    expose :solution
+    expose :evidence
  end

  expose :state

--- a/ee/spec/factories/vulnerabilities/occurrences.rb
+++ b/ee/spec/factories/vulnerabilities/occurrences.rb
@@ -54,7 +54,10 @@ FactoryBot.define do
            name: "Cipher does not check for integrity first?",
            url: "https://crypto.stackexchange.com/questions/31428/pbewithmd5anddes-cipher-does-not-check-for-integrity-first"
          }
-        ]
+        ],
+        evidence: {
+          summary: 'Credit card detected'
+        }
      }.to_json
    end


--- a/ee/spec/models/vulnerabilities/occurrence_spec.rb
+++ b/ee/spec/models/vulnerabilities/occurrence_spec.rb
@@ -568,4 +568,24 @@ describe Vulnerabilities::Occurrence do
      it { is_expected.to eq(vulnerabilities_occurrence.remediations.dig(0, 'summary')) }
    end
  end
+
+  describe '#evidence' do
+    it 'has an evidence summary when present' do
+      occurrence = create(:vulnerabilities_occurrence)
+
+      expect(occurrence.evidence).to eq(occurrence.metadata['evidence']['summary'])
+    end
+
+    it 'has no evidence summary when evidence is present, summary is not' do
+      occurrence = create(:vulnerabilities_occurrence, raw_metadata: { evidence: {} })
+
+      expect(occurrence.evidence).to be_nil
+    end
+
+    it 'has no evidence summary when evidence is not present' do
+      occurrence = create(:vulnerabilities_occurrence, raw_metadata: {})
+
+      expect(occurrence.evidence).to be_nil
+    end
+  end
 end
--- a/ee/spec/serializers/vulnerabilities/occurrence_entity_spec.rb
+++ b/ee/spec/serializers/vulnerabilities/occurrence_entity_spec.rb
@@ -54,7 +54,7 @@ describe Vulnerabilities::OccurrenceEntity do
      expect(subject).to include(:name, :report_type, :severity, :confidence, :project_fingerprint)
      expect(subject).to include(:scanner, :project, :identifiers)
      expect(subject).to include(:dismissal_feedback, :issue_feedback)
-      expect(subject).to include(:description, :links, :location, :remediations, :solution)
+      expect(subject).to include(:description, :links, :location, :remediations, :solution, :evidence)
      expect(subject).to include(:blob_path)
    end