Merge branch 'qa-e2e-secure-dast-reports' into 'master'

Added E2E tests for DAST reports Closes gitlab-org/quality/testcases#127 and gitlab-org/quality/testcases#132 See merge request gitlab-org/gitlab!16655

Merge branch 'qa-e2e-secure-dast-reports' into 'master'
Added E2E tests for DAST reports Closes gitlab-org/quality/testcases#127 and gitlab-org/quality/testcases#132 See merge request gitlab-org/gitlab!16655
7540c54c · Walmyr Lima e Silva Filho · d2750875 · 12f11c83 · 7540c54c · 7540c54c
Commit 7540c54c authored Sep 16, 2019 by Walmyr Lima e Silva Filho
4 changed files
--- a/qa/qa/ee/fixtures/secure_premade_reports/.gitlab-ci.yml
+++ b/qa/qa/ee/fixtures/secure_premade_reports/.gitlab-ci.yml
 include:
  template: Dependency-Scanning.gitlab-ci.yml
  template: Container-Scanning.gitlab-ci.yml
+  template: SAST.gitlab-ci.yml
+  template: DAST.gitlab-ci.yml

 dependency_scanning:
  tags:
@@ -29,8 +31,20 @@ sast:
  tags:
    - qa
    - test
+  only: null # Template defaults to feature branches only
  script:
    - echo "Skipped"
  artifacts:
    reports:
      sast: gl-sast-report.json
+
+dast:
+  tags:
+    - qa
+    - test
+  only: null # Template defaults to feature branches only
+  script:
+    - echo "Skipped"
+  artifacts:
+    reports:
+      dast: gl-dast-report.json
--- a/qa/qa/ee/fixtures/secure_premade_reports/gl-dast-report.json
+++ b/qa/qa/ee/fixtures/secure_premade_reports/gl-dast-report.json
+{"@generated": "Thu, 12 Sep 2019 22:57:16", "@version": "D-2019-09-02", "site": [{"@port": "80", "@host": "gitlab-org-security-products-tests-webgoat.review-get-dast-r-vqezi1.35.194.50.105.xip.io", "@name": "http://gitlab-org-security-products-tests-webgoat.review-get-dast-r-vqezi1.35.194.50.105.xip.io", "alerts": [{"count": "2", "riskdesc": "Low (Medium)", "name": "Cookie Without SameSite Attribute", "reference": "<p>https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site</p>", "sourceid": "3", "confidence": "2", "alert": "Cookie Without SameSite Attribute", "instances": [{"evidence": "Set-Cookie: JSESSIONID", "uri": "http://gitlab-org-security-products-tests-webgoat.review-get-dast-r-vqezi1.35.194.50.105.xip.io/robots.txt", "param": "JSESSIONID", "method": "GET"}, {"evidence": "Set-Cookie: JSESSIONID", "uri": "http://gitlab-org-security-products-tests-webgoat.review-get-dast-r-vqezi1.35.194.50.105.xip.io/", "param": "JSESSIONID", "method": "GET"}], "pluginid": "10054", "riskcode": "1", "wascid": "13", "solution": "<p>Ensure that the SameSite attribute is set to either 'lax' or ideally 'strict' for all cookies.</p>", "cweid": "16", "desc": "<p>A cookie has been set without the SameSite attribute, which means that the cookie can be sent as a result of a 'cross-site' request. The SameSite attribute is an effective counter measure to cross-site request forgery, cross-site script inclusion, and timing attacks.</p>"}, {"count": "5", "riskdesc": "Informational (Low)", "name": "Timestamp Disclosure - Unix", "reference": "<p>https://www.owasp.org/index.php/Top_10_2013-A6-Sensitive_Data_Exposure</p><p>http://projects.webappsec.org/w/page/13246936/Information%20Leakage</p>", "otherinfo": "<p>80000000, which evaluates to: 1972-07-14 22:13:20</p>", "sourceid": "3", "confidence": "1", "alert": "Timestamp Disclosure - Unix", "instances": [{"evidence": "80000000", "uri": "http://gitlab-org-security-products-tests-webgoat.review-get-dast-r-vqezi1.35.194.50.105.xip.io/plugins/bootstrap/css/bootstrap.min.css", "method": "GET"}, {"evidence": "33333333", "uri": "http://gitlab-org-security-products-tests-webgoat.review-get-dast-r-vqezi1.35.194.50.105.xip.io/plugins/bootstrap/css/bootstrap.min.css", "method": "GET"}, {"evidence": "00000000", "uri": "http://gitlab-org-security-products-tests-webgoat.review-get-dast-r-vqezi1.35.194.50.105.xip.io/plugins/bootstrap/css/bootstrap.min.css", "method": "GET"}, {"evidence": "66666667", "uri": "http://gitlab-org-security-products-tests-webgoat.review-get-dast-r-vqezi1.35.194.50.105.xip.io/plugins/bootstrap/css/bootstrap.min.css", "method": "GET"}, {"evidence": "42857143", "uri": "http://gitlab-org-security-products-tests-webgoat.review-get-dast-r-vqezi1.35.194.50.105.xip.io/plugins/bootstrap/css/bootstrap.min.css", "method": "GET"}], "pluginid": "10096", "riskcode": "0", "wascid": "13", "solution": "<p>Manually confirm that the timestamp data is not sensitive, and that the data cannot be aggregated to disclose exploitable patterns.</p>", "cweid": "200", "desc": "<p>A timestamp was disclosed by the application/web server - Unix</p>"}, {"count": "4", "riskdesc": "Low (Medium)", "name": "Absence of Anti-CSRF Tokens", "reference": "<p>http://projects.webappsec.org/Cross-Site-Request-Forgery</p><p>http://cwe.mitre.org/data/definitions/352.html</p>", "otherinfo": "<p>No known Anti-CSRF token [anticsrf, CSRFToken, __RequestVerificationToken, csrfmiddlewaretoken, authenticity_token, OWASP_CSRFTOKEN, anoncsrf, csrf_token, _csrf, _csrfSecret] was found in the following HTML form: [Form 1: \"username\" \"password\" \"matchingPassword\" \"agree\" ].</p>", "sourceid": "3", "confidence": "2", "alert": "Absence of Anti-CSRF Tokens", "instances": [{"evidence": "<form class=\"form-horizontal\" action=\"/register.mvc\" method=\"POST\">", "uri": "http://gitlab-org-security-products-tests-webgoat.review-get-dast-r-vqezi1.35.194.50.105.xip.io/registration", "method": "GET"}, {"evidence": "<form class=\"form-horizontal\" action=\"/register.mvc\" method=\"POST\">", "uri": "http://gitlab-org-security-products-tests-webgoat.review-get-dast-r-vqezi1.35.194.50.105.xip.io/register.mvc", "method": "POST"}, {"evidence": "<form method=\"POST\" style=\"width: 200px;\" action=\"/login\">", "uri": "http://gitlab-org-security-products-tests-webgoat.review-get-dast-r-vqezi1.35.194.50.105.xip.io/login", "method": "GET"}, {"evidence": "<form method=\"POST\" style=\"width: 200px;\" action=\"/login\">", "uri": "http://gitlab-org-security-products-tests-webgoat.review-get-dast-r-vqezi1.35.194.50.105.xip.io/login?error", "method": "GET"}], "pluginid": "10202", "riskcode": "1", "wascid": "9", "solution": "<p>Phase: Architecture and Design</p><p>Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.</p><p>For example, use anti-CSRF packages such as the OWASP CSRFGuard.</p><p></p><p>Phase: Implementation</p><p>Ensure that your application is free of cross-site scripting issues, because most CSRF defenses can be bypassed using attacker-controlled script.</p><p></p><p>Phase: Architecture and Design</p><p>Generate a unique nonce for each form, place the nonce into the form, and verify the nonce upon receipt of the form. Be sure that the nonce is not predictable (CWE-330).</p><p>Note that this can be bypassed using XSS.</p><p></p><p>Identify especially dangerous operations. When the user performs a dangerous operation, send a separate confirmation request to ensure that the user intended to perform that operation.</p><p>Note that this can be bypassed using XSS.</p><p></p><p>Use the ESAPI Session Management control.</p><p>This control includes a component for CSRF.</p><p></p><p>Do not use the GET method for any request that triggers a state change.</p><p></p><p>Phase: Implementation</p><p>Check the HTTP Referer header to see if the request originated from an expected page. This could break legitimate functionality, because users or proxies may have disabled sending the Referer for privacy reasons.</p>", "cweid": "352", "desc": "<p>No Anti-CSRF tokens were found in a HTML submission form.</p><p>A cross-site request forgery is an attack that involves forcing a victim to send an HTTP request to a target destination without their knowledge or intent in order to perform an action as the victim. The underlying cause is application functionality using predictable URL/form actions in a repeatable way. The nature of the attack is that CSRF exploits the trust that a web site has for a user. By contrast, cross-site scripting (XSS) exploits the trust that a user has for a web site. Like XSS, CSRF attacks are not necessarily cross-site, but they can be. Cross-site request forgery is also known as CSRF, XSRF, one-click attack, session riding, confused deputy, and sea surf.</p><p></p><p>CSRF attacks are effective in a number of situations, including:</p><p>    * The victim has an active session on the target site.</p><p>    * The victim is authenticated via HTTP auth on the target site.</p><p>    * The victim is on the same local network as the target site.</p><p></p><p>CSRF has primarily been used to perform an action against a target site using the victim's privileges, but recent techniques have been discovered to disclose information by gaining access to the response. The risk of information disclosure is dramatically increased when the target site is vulnerable to XSS, because XSS can be used as a platform for CSRF, allowing the attack to operate within the bounds of the same-origin policy.</p>"}, {"count": "2", "riskdesc": "Low (Medium)", "name": "Cookie No HttpOnly Flag", "reference": "<p>http://www.owasp.org/index.php/HttpOnly</p>", "sourceid": "3", "confidence": "2", "alert": "Cookie No HttpOnly Flag", "instances": [{"evidence": "Set-Cookie: JSESSIONID", "uri": "http://gitlab-org-security-products-tests-webgoat.review-get-dast-r-vqezi1.35.194.50.105.xip.io/robots.txt", "param": "JSESSIONID", "method": "GET"}, {"evidence": "Set-Cookie: JSESSIONID", "uri": "http://gitlab-org-security-products-tests-webgoat.review-get-dast-r-vqezi1.35.194.50.105.xip.io/", "param": "JSESSIONID", "method": "GET"}], "pluginid": "10010", "riskcode": "1", "wascid": "13", "solution": "<p>Ensure that the HttpOnly flag is set for all cookies.</p>", "cweid": "16", "desc": "<p>A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.</p>"}], "@ssl": "false"}], "spider": {"progress": "100", "state": "FINISHED", "result": {"urlsIoError": [], "urlsOutOfScope": ["http://getbootstrap.com/", "http://daneden.me/animate", "http://fontawesome.io/", "https://github.com/twbs/bootstrap/blob/master/LICENSE", "https://github.com/nickpettit/glide", "http://fontawesome.io/license"], "urlsInScope": [{"url": "http://gitlab-org-security-products-tests-webgoat.review-get-dast-r-vqezi1.35.194.50.105.xip.io/", "statusReason": "", "reasonNotProcessed": "", "processed": "true", "method": "GET", "statusCode": "302"}, {"url": "http://gitlab-org-security-products-tests-webgoat.review-get-dast-r-vqezi1.35.194.50.105.xip.io/robots.txt", "statusReason": "", "reasonNotProcessed": "", "processed": "true", "method": "GET", "statusCode": "302"}, {"url": "http://gitlab-org-security-products-tests-webgoat.review-get-dast-r-vqezi1.35.194.50.105.xip.io/sitemap.xml", "statusReason": "", "reasonNotProcessed": "", "processed": "true", "method": "GET", "statusCode": "302"}, {"url": "http://gitlab-org-security-products-tests-webgoat.review-get-dast-r-vqezi1.35.194.50.105.xip.io/login", "statusReason": "", "reasonNotProcessed": "", "processed": "true", "method": "GET", "statusCode": "200"}, {"url": "http://gitlab-org-security-products-tests-webgoat.review-get-dast-r-vqezi1.35.194.50.105.xip.io", "statusReason": "", "reasonNotProcessed": "", "processed": "true", "method": "GET", "statusCode": "302"}, {"url": "http://gitlab-org-security-products-tests-webgoat.review-get-dast-r-vqezi1.35.194.50.105.xip.io/start.mvc", "statusReason": "", "reasonNotProcessed": "", "processed": "true", "method": "GET", "statusCode": "302"}, {"url": "http://gitlab-org-security-products-tests-webgoat.review-get-dast-r-vqezi1.35.194.50.105.xip.io/css/main.css", "statusReason": "", "reasonNotProcessed": "", "processed": "true", "method": "GET", "statusCode": "200"}, {"url": "http://gitlab-org-security-products-tests-webgoat.review-get-dast-r-vqezi1.35.194.50.105.xip.io/registration", "statusReason": "", "reasonNotProcessed": "", "processed": "true", "method": "GET", "statusCode": "200"}, {"url": "http://gitlab-org-security-products-tests-webgoat.review-get-dast-r-vqezi1.35.194.50.105.xip.io/plugins/bootstrap/css/bootstrap.min.css", "statusReason": "", "reasonNotProcessed": "", "processed": "true", "method": "GET", "statusCode": "200"}, {"url": "http://gitlab-org-security-products-tests-webgoat.review-get-dast-r-vqezi1.35.194.50.105.xip.io/css/font-awesome.min.css", "statusReason": "", "reasonNotProcessed": "", "processed": "true", "method": "GET", "statusCode": "200"}, {"url": "http://gitlab-org-security-products-tests-webgoat.review-get-dast-r-vqezi1.35.194.50.105.xip.io/css/animate.css", "statusReason": "", "reasonNotProcessed": "", "processed": "true", "method": "GET", "statusCode": "200"}, {"url": "http://gitlab-org-security-products-tests-webgoat.review-get-dast-r-vqezi1.35.194.50.105.xip.io/login", "statusReason": "", "reasonNotProcessed": "", "processed": "true", "method": "POST", "statusCode": "302"}, {"url": "http://gitlab-org-security-products-tests-webgoat.review-get-dast-r-vqezi1.35.194.50.105.xip.io/register.mvc", "statusReason": "", "reasonNotProcessed": "", "processed": "true", "method": "POST", "statusCode": "200"}, {"url": "http://gitlab-org-security-products-tests-webgoat.review-get-dast-r-vqezi1.35.194.50.105.xip.io/login?error", "statusReason": "", "reasonNotProcessed": "", "processed": "true", "method": "GET", "statusCode": "200"}]}}}
\ No newline at end of file
--- a/qa/qa/specs/features/ee/browser_ui/secure/create_merge_request_with_secure_spec.rb
+++ b/qa/qa/specs/features/ee/browser_ui/secure/create_merge_request_with_secure_spec.rb
@@ -5,7 +5,7 @@ require 'pathname'
 module QA
  context 'Secure', :docker do
    describe 'Security Reports in a Merge Request' do
-      let(:total_vuln_count) { 45 }
+      let(:total_vuln_count) { 49 }

      after do
        Service::Runner.new(@executor).remove!
@@ -39,8 +39,7 @@ module QA
          push.branch_name = 'secure-mr'
        end

-        # Fabricate via browser UI to avoid independent navigation
-        Resource::MergeRequest.fabricate_via_browser_ui! do |mr|
+        merge_request = Resource::MergeRequest.fabricate_via_api! do |mr|
          mr.project = @project
          mr.source_branch = 'secure-mr'
          mr.target_branch = 'master'
@@ -48,6 +47,13 @@ module QA
          mr.target = 'master'
          mr.target_new_branch = false
        end
+
+        @project.visit!
+        Page::Project::Menu.perform(&:click_ci_cd_pipelines)
+        Page::Project::Pipeline::Index.perform(&:click_on_latest_pipeline)
+        wait_for_job "dast"
+
+        merge_request.visit!
      end

      it 'displays the Security report in the merge request' do
@@ -66,6 +72,15 @@ module QA
          expect(mergerequest).to have_title vuln_name
        end
      end
+
+      def wait_for_job(job_name)
+        Page::Project::Pipeline::Show.perform do |pipeline|
+          pipeline.click_job(job_name)
+        end
+        Page::Project::Job::Show.perform do |job|
+          expect(job).to be_successful(timeout: 600)
+        end
+      end
    end
  end
 end
--- a/qa/qa/specs/features/ee/browser_ui/secure/security_reports_spec.rb
+++ b/qa/qa/specs/features/ee/browser_ui/secure/security_reports_spec.rb
@@ -5,13 +5,15 @@ require 'pathname'
 module QA
  context 'Secure', :docker do
    let(:number_of_dependencies_in_fixture) { 1309 }
-    let(:total_vuln_count) { 12 }
+    let(:total_vuln_count) { 52 }
    let(:dependency_scan_vuln_count) { 4 }
    let(:dependency_scan_example_vuln) { 'jQuery before 3.4.0' }
    let(:container_scan_vuln_count) { 8 }
    let(:container_scan_example_vuln) { 'CVE-2017-18269 in glibc' }
    let(:sast_scan_vuln_count) { 33 }
    let(:sast_scan_example_vuln) { 'Cipher with no integrity' }
+    let(:dast_scan_vuln_count) { 7 }
+    let(:dast_scan_example_vuln) { 'Cookie Without SameSite Attribute' }

    describe 'Security Reports' do
      after do
@@ -47,7 +49,7 @@ module QA
        Page::Project::Menu.perform(&:click_ci_cd_pipelines)
        Page::Project::Pipeline::Index.perform(&:click_on_latest_pipeline)

-        wait_for_job "dependency_scanning"
+        wait_for_job "dast"
      end

      it 'displays security reports in the pipeline' do
@@ -57,6 +59,8 @@ module QA
        Page::Project::Pipeline::Show.perform do |pipeline|
          pipeline.click_on_security

+          expect(pipeline).to have_vulnerability_count_of total_vuln_count
+
          filter_report_and_perform(pipeline, "Dependency Scanning") do
            expect(pipeline).to have_vulnerability_count_of dependency_scan_vuln_count
            expect(pipeline).to have_content dependency_scan_example_vuln
@@ -71,6 +75,11 @@ module QA
            expect(pipeline).to have_vulnerability_count_of sast_scan_vuln_count
            expect(pipeline).to have_content sast_scan_example_vuln
          end
+
+          filter_report_and_perform(pipeline, "DAST") do
+            expect(pipeline).to have_vulnerability_count_of dast_scan_vuln_count
+            expect(pipeline).to have_content dast_scan_example_vuln
+          end
        end
      end

@@ -90,6 +99,10 @@ module QA
          filter_report_and_perform(dashboard, "SAST") do
            expect(dashboard).to have_low_vulnerability_count_of 17
          end
+
+          filter_report_and_perform(dashboard, "DAST") do
+            expect(dashboard).to have_low_vulnerability_count_of 6
+          end
        end
      end

@@ -114,6 +127,10 @@ module QA
          filter_report_and_perform(dashboard, "SAST") do
            expect(dashboard).to have_content sast_scan_example_vuln
          end
+
+          filter_report_and_perform(dashboard, "DAST") do
+            expect(dashboard).to have_content dast_scan_example_vuln
+          end
        end
      end