Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
1
Merge Requests
1
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
gitlab-ce
Commits
9d36e51a
Commit
9d36e51a
authored
Dec 11, 2020
by
Peter Leitzen
Browse files
Options
Browse Files
Download
Plain Diff
Merge branch '215669-service-for-auto-fix' into 'master'
Add Auto Fix service See merge request gitlab-org/gitlab!48679
parents
0bff6c12
a3c15a14
Changes
3
Hide whitespace changes
Inline
Side-by-side
Showing
3 changed files
with
193 additions
and
0 deletions
+193
-0
ee/app/services/security/auto_fix_service.rb
ee/app/services/security/auto_fix_service.rb
+60
-0
ee/spec/factories/vulnerabilities/findings.rb
ee/spec/factories/vulnerabilities/findings.rb
+19
-0
ee/spec/services/security/auto_fix_service_spec.rb
ee/spec/services/security/auto_fix_service_spec.rb
+114
-0
No files found.
ee/app/services/security/auto_fix_service.rb
0 → 100644
View file @
9d36e51a
# frozen_string_literal: true
module
Security
class
AutoFixService
def
initialize
(
project
,
pipeline
)
@project
=
project
@pipeline
=
pipeline
end
def
execute
return
ServiceResponse
.
error
(
message:
'Auto fix is disabled'
)
unless
project
.
security_setting
.
auto_fix_enabled?
vulnerabilities
=
pipeline
.
vulnerability_findings
.
by_report_types
(
auto_fix_enabled_types
)
processed_vuln_ids
=
[]
vulnerabilities
.
each
do
|
vulnerability
|
next
if
vulnerability
.
merge_request_feedback
.
try
(
:merge_request_id
)
next
unless
vulnerability
.
remediations
result
=
VulnerabilityFeedback
::
CreateService
.
new
(
project
,
User
.
security_bot
,
service_params
(
vulnerability
)).
execute
processed_vuln_ids
.
push
vulnerability
.
id
if
result
[
:status
]
==
:success
end
if
processed_vuln_ids
.
any?
ServiceResponse
.
success
else
ServiceResponse
.
error
(
message:
'Impossible to create Merge Requests'
)
end
end
private
attr_reader
:project
,
:pipeline
def
auto_fix_enabled_types
project
.
security_setting
.
auto_fix_enabled_types
end
def
service_params
(
vulnerability
)
{
feedback_type: :merge_request
,
category:
vulnerability
.
report_type
,
project_fingerprint:
vulnerability
.
project_fingerprint
,
vulnerability_data:
{
severity:
vulnerability
.
severity
,
confidence:
vulnerability
.
confidence
,
description:
vulnerability
.
description
,
solution:
vulnerability
.
solution
,
remediations:
vulnerability
.
remediations
,
category:
vulnerability
.
report_type
,
title:
vulnerability
.
name
,
name:
vulnerability
.
name
,
location:
vulnerability
.
location
,
links:
vulnerability
.
links
,
identifiers:
vulnerability
.
identifiers
.
map
(
&
:attributes
)
}
}
end
end
end
ee/spec/factories/vulnerabilities/findings.rb
View file @
9d36e51a
...
@@ -23,6 +23,25 @@ FactoryBot.define do
...
@@ -23,6 +23,25 @@ FactoryBot.define do
finding
.
raw_metadata
=
raw_metadata
.
to_json
finding
.
raw_metadata
=
raw_metadata
.
to_json
end
end
end
end
trait
:yarn_remediation
do
after
(
:build
)
do
|
finding
,
evaluator
|
if
evaluator
.
summary
raw_metadata
=
Gitlab
::
Json
.
parse
(
finding
.
raw_metadata
)
raw_metadata
[
'remediations'
]
=
[
{
summary:
evaluator
.
summary
,
diff:
Base64
.
encode64
(
File
.
read
(
File
.
join
(
Rails
.
root
.
join
(
'ee/spec/fixtures/security_reports/remediations'
),
"remediation.patch"
)
))
}
]
finding
.
raw_metadata
=
raw_metadata
.
to_json
end
end
end
end
end
factory
:vulnerabilities_finding
,
class:
'Vulnerabilities::Finding'
do
factory
:vulnerabilities_finding
,
class:
'Vulnerabilities::Finding'
do
...
...
ee/spec/services/security/auto_fix_service_spec.rb
0 → 100644
View file @
9d36e51a
# frozen_string_literal: true
require
'spec_helper'
RSpec
.
describe
Security
::
AutoFixService
do
describe
'#execute'
do
subject
(
:execute_service
)
{
described_class
.
new
(
project
,
pipeline
).
execute
}
let
(
:pipeline
)
{
create
(
:ee_ci_pipeline
,
:success
,
project:
project
)
}
let
(
:project
)
{
create
(
:project
,
:custom_repo
,
files:
{
'yarn.lock'
=>
yarn_lock_content
})
}
let
(
:remediations_folder
)
{
Rails
.
root
.
join
(
'ee/spec/fixtures/security_reports/remediations'
)
}
let
(
:yarn_lock_content
)
do
File
.
read
(
File
.
join
(
remediations_folder
,
"yarn.lock"
)
)
end
let
(
:remediation_diff
)
do
Base64
.
encode64
(
File
.
read
(
File
.
join
(
remediations_folder
,
"remediation.patch"
)
)
)
end
shared_examples
'disabled auto-fix error'
do
it
'returns error'
do
result
=
execute_service
expect
(
result
).
to
be_error
expect
(
result
.
message
).
to
eq
(
'Auto fix is disabled'
)
end
end
before
do
stub_licensed_features
(
vulnerability_auto_fix:
true
)
end
context
'when remediations'
do
let!
(
:vulnerability
)
do
create
(
:vulnerabilities_finding_with_remediation
,
:yarn_remediation
,
:identifier
,
project:
project
,
pipelines:
[
pipeline
],
report_type: :dependency_scanning
,
summary:
'Test remediation'
)
end
it
'creates MR'
do
result
=
execute_service
identifier
=
vulnerability
.
identifiers
.
last
merge_request
=
MergeRequest
.
last!
expect
(
result
).
to
be_success
expect
(
merge_request
.
title
).
to
eq
(
"Resolve vulnerability: Cipher with no integrity"
)
expect
(
merge_request
.
description
).
to
include
(
"[
#{
identifier
.
external_id
}
](
#{
identifier
.
url
}
)"
)
end
context
'when merge request exists'
do
let
(
:feedback
)
{
create
(
:vulnerability_feedback
,
:merge_request
)
}
before
do
allow_next_found_instance_of
(
Vulnerabilities
::
Finding
)
do
|
finding
|
allow
(
finding
).
to
receive
(
:merge_request_feedback
).
and_return
(
feedback
)
end
end
it
'does not create second merge request'
do
execute_service
expect
(
Vulnerabilities
::
Feedback
.
count
).
to
eq
(
1
)
end
end
end
context
'with disabled auto-fix'
do
before
do
project
.
security_setting
.
update!
(
auto_fix_dependency_scanning:
false
,
auto_fix_container_scanning:
false
)
end
it_behaves_like
'disabled auto-fix error'
end
context
'with disabled licensed feature'
do
before
do
stub_licensed_features
(
vulnerability_auto_fix:
false
)
end
it_behaves_like
'disabled auto-fix error'
end
context
'when feature flag is disabled'
do
before
do
stub_feature_flags
(
security_auto_fix:
false
)
end
it_behaves_like
'disabled auto-fix error'
end
context
'without remediations'
do
before
do
create
(
:vulnerabilities_finding
,
report_type: :dependency_scanning
,
pipelines:
[
pipeline
],
project:
project
)
end
it
'does not create merge request'
do
result
=
execute_service
expect
(
result
).
to
be_error
expect
(
result
.
message
).
to
eq
(
'Impossible to create Merge Requests'
)
end
end
end
end
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment