Merge branch '296855-expose-dismissal-reason-comment' into 'master'

Expose dismissal reason and dismissal descriptions in Vulnerability details view See merge request gitlab-org/gitlab!55525

Merge branch '296855-expose-dismissal-reason-comment' into 'master'
Expose dismissal reason and dismissal descriptions in Vulnerability details view See merge request gitlab-org/gitlab!55525
c7e98083 · Vitali Tatarintev · b39f2900 · 828daf10 · c7e98083 · c7e98083
Commit c7e98083 authored Mar 17, 2021 by Vitali Tatarintev
10 changed files
--- a/doc/api/graphql/reference/index.md
+++ b/doc/api/graphql/reference/index.md
@@ -8121,11 +8121,11 @@ The dismissal reason of the Vulnerability.

 | Value | Description |
 | ----- | ----------- |
-| `ACCEPTABLE_RISK` | The likelihood of the Vulnerability occurring and its impact are deemed acceptable |
-| `FALSE_POSITIVE` | The Vulnerability was incorrectly identified as being present |
-| `MITIGATING_CONTROL` | There is a mitigating control that eliminates the Vulnerability or makes its risk acceptable |
-| `NOT_APPLICABLE` | Other reasons for dismissal |
-| `USED_IN_TESTS` | The Vulnerability is used in tests and does not pose an actual risk |
+| `ACCEPTABLE_RISK` | The vulnerability is known, and has not been remediated or mitigated, but is considered to be an acceptable business risk. |
+| `FALSE_POSITIVE` | An error in reporting in which a test result incorrectly indicates the presence of a vulnerability in a system when the vulnerability is not present. |
+| `MITIGATING_CONTROL` | A management, operational, or technical control (that is, safeguard or countermeasure) employed by an organization that provides equivalent or comparable protection for an information system. |
+| `NOT_APPLICABLE` | The vulnerability is known, and has not been remediated or mitigated, but is considered to be in a part of the application that will not be updated. |
+| `USED_IN_TESTS` | The finding is not a vulnerability because it is part of a test or is test data. |

 ### `VulnerabilityExternalIssueLinkExternalTracker`


--- a/ee/app/enums/vulnerabilities/dismissal_reason_enum.rb
+++ b/ee/app/enums/vulnerabilities/dismissal_reason_enum.rb
@@ -9,11 +9,11 @@ module Vulnerabilities
    description 'The dismissal reason of the Vulnerability'

    define do
-      acceptable_risk value: 0, description: 'The likelihood of the Vulnerability occurring and its impact are deemed acceptable'
-      false_positive value: 1, description: 'The Vulnerability was incorrectly identified as being present'
-      mitigating_control value: 2, description: 'There is a mitigating control that eliminates the Vulnerability or makes its risk acceptable'
-      used_in_tests value: 3, description: 'The Vulnerability is used in tests and does not pose an actual risk'
-      not_applicable value: 4, description: 'Other reasons for dismissal'
+      acceptable_risk value: 0, description: _('The vulnerability is known, and has not been remediated or mitigated, but is considered to be an acceptable business risk.')
+      false_positive value: 1, description: _('An error in reporting in which a test result incorrectly indicates the presence of a vulnerability in a system when the vulnerability is not present.')
+      mitigating_control value: 2, description: _('A management, operational, or technical control (that is, safeguard or countermeasure) employed by an organization that provides equivalent or comparable protection for an information system.')
+      used_in_tests value: 3, description: _('The finding is not a vulnerability because it is part of a test or is test data.')
+      not_applicable value: 4, description: _('The vulnerability is known, and has not been remediated or mitigated, but is considered to be in a part of the application that will not be updated.')
    end
  end
 end
--- a/ee/app/helpers/vulnerabilities_helper.rb
+++ b/ee/app/helpers/vulnerabilities_helper.rb
 # frozen_string_literal: true

 module VulnerabilitiesHelper
-  FINDING_FIELDS = %i[metadata identifiers name issue_feedback merge_request_feedback project project_fingerprint scanner uuid details].freeze
+  FINDING_FIELDS = %i[metadata identifiers name issue_feedback merge_request_feedback project project_fingerprint scanner uuid details dismissal_feedback].freeze

  def vulnerability_details_json(vulnerability, pipeline)
    vulnerability_details(vulnerability, pipeline).to_json

--- a/ee/app/serializers/vulnerabilities/feedback_entity.rb
+++ b/ee/app/serializers/vulnerabilities/feedback_entity.rb
@@ -49,6 +49,11 @@ class Vulnerabilities::FeedbackEntity < Grape::Entity
  end
  expose :project_fingerprint

+  expose :dismissal_reason
+  expose :dismissal_descriptions do |feedback|
+    Vulnerabilities::DismissalReasonEnum.definition.transform_values { |v| v[:description] }
+  end
+
  alias_method :feedback, :object

  private

--- a/ee/changelogs/unreleased/296855-expose-dismissal-reason-comment.yml
+++ b/ee/changelogs/unreleased/296855-expose-dismissal-reason-comment.yml
+---
+title: Expose dismissal reason and dismissal descriptions in Vulnerability details
+  view
+merge_request: 55525
+author:
+type: added
--- a/ee/spec/factories/vulnerabilities/feedback.rb
+++ b/ee/spec/factories/vulnerabilities/feedback.rb
@@ -20,6 +20,7 @@ FactoryBot.define do

    trait :dismissal do
      feedback_type { 'dismissal' }
+      dismissal_reason { 'acceptable_risk' }
    end

    trait :comment do

--- a/ee/spec/fixtures/api/schemas/vulnerability_feedback.json
+++ b/ee/spec/fixtures/api/schemas/vulnerability_feedback.json
@@ -37,7 +37,11 @@
    "project_fingerprint": { "type": "string" },
    "branch": { "type": ["string", "null"] },
    "destroy_vulnerability_feedback_dismissal_path": { "type": "string" },
-    "finding_uuid": { "type": ["string", "null"] }
+    "finding_uuid": { "type": ["string", "null"] }, 
+    "dismissal_reason": { "type": ["string", "null"] },
+    "dismissal_descriptions": {
+      "type": {"string": "string"}
+    }
  },
  "additionalProperties": false
 }
--- a/ee/spec/helpers/vulnerabilities_helper_spec.rb
+++ b/ee/spec/helpers/vulnerabilities_helper_spec.rb
@@ -4,9 +4,9 @@ require 'spec_helper'

 RSpec.describe VulnerabilitiesHelper do
  let_it_be(:user) { create(:user) }
-  let(:project) { create(:project, :repository, :public) }
-  let(:pipeline) { create(:ci_pipeline, :success, project: project) }
-  let(:finding) { create(:vulnerabilities_finding, pipelines: [pipeline], project: project, severity: :high) }
+  let_it_be(:project) { create(:project, :repository, :public) }
+  let_it_be(:pipeline) { create(:ci_pipeline, :success, project: project) }
+  let_it_be(:finding) { create(:vulnerabilities_finding, pipelines: [pipeline], project: project, severity: :high) }
  let(:vulnerability) { create(:vulnerability, title: "My vulnerability", project: project, findings: [finding]) }

  before do
@@ -43,7 +43,7 @@ RSpec.describe VulnerabilitiesHelper do
                    :details)
    end

-    let(:desired_serializer_fields) { %i[metadata identifiers name issue_feedback merge_request_feedback project project_fingerprint scanner uuid details] }
+    let(:desired_serializer_fields) { %i[metadata identifiers name issue_feedback merge_request_feedback project project_fingerprint scanner uuid details dismissal_feedback] }

    before do
      vulnerability_serializer_stub = instance_double("VulnerabilitySerializer")
@@ -270,7 +270,8 @@ RSpec.describe VulnerabilitiesHelper do
        assets: kind_of(Array),
        supporting_messages: kind_of(Array),
        uuid: kind_of(String),
-        details: kind_of(Hash)
+        details: kind_of(Hash),
+        dismissal_feedback: anything
      )

      expect(subject[:location]['blob_path']).to match(kind_of(String))
@@ -286,6 +287,17 @@ RSpec.describe VulnerabilitiesHelper do
        expect(subject[:location]).not_to have_key('blob_path')
      end
    end
+
+    context 'with existing dismissal feedback' do
+      let_it_be(:feedback) { create(:vulnerability_feedback, :comment, :dismissal, project: project, pipeline: pipeline, project_fingerprint: finding.project_fingerprint) }
+
+      it 'returns dismissal feedback information', :aggregate_failures do
+        dismissal_feedback = subject[:dismissal_feedback]
+        expect(dismissal_feedback[:dismissal_reason]).to eq(feedback.dismissal_reason)
+        expect(dismissal_feedback[:dismissal_descriptions]).to eq(Vulnerabilities::DismissalReasonEnum.definition.transform_values { |v| v[:description] })
+        expect(dismissal_feedback[:comment_details][:comment]).to eq(feedback.comment)
+      end
+    end
  end

  describe '#vulnerability_scan_data?' do

--- a/ee/spec/serializers/vulnerabilities/feedback_entity_spec.rb
+++ b/ee/spec/serializers/vulnerabilities/feedback_entity_spec.rb
@@ -178,4 +178,28 @@ RSpec.describe Vulnerabilities::FeedbackEntity do
      expect(subject[:finding_uuid]).to eq(finding.uuid)
    end
  end
+
+  context 'when dismissal_reason is not present' do
+    let(:feedback) { build_stubbed(:vulnerability_feedback, :issue, project: project) }
+
+    it "returns nil" do
+      expect(subject[:dismissal_reason]).to be_nil
+    end
+  end
+
+  context 'when dismissal_reason is present' do
+    let(:feedback) { build_stubbed(:vulnerability_feedback, :dismissal, project: project) }
+
+    it 'exposes dismissal_reason' do
+      expect(subject[:dismissal_reason]).to eq(feedback.dismissal_reason)
+    end
+  end
+
+  context 'when dismissal descriptions are available' do
+    let(:feedback) { build_stubbed(:vulnerability_feedback, :dismissal, project: project) }
+
+    it 'exposes dismissal_descriptions' do
+      expect(subject[:dismissal_descriptions]).to eq(Vulnerabilities::DismissalReasonEnum.definition.transform_values { |v| v[:description] })
+    end
+  end
 end
--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -1368,6 +1368,9 @@ msgstr ""
 msgid "A limit of %{ci_project_subscriptions_limit} subscriptions to or from a project applies."
 msgstr ""

+msgid "A management, operational, or technical control (that is, safeguard or countermeasure) employed by an organization that provides equivalent or comparable protection for an information system."
+msgstr ""
+
 msgid "A member of the abuse team will review your report as soon as possible."
 msgstr ""

@@ -3262,6 +3265,9 @@ msgstr ""
 msgid "An error has occurred"
 msgstr ""

+msgid "An error in reporting in which a test result incorrectly indicates the presence of a vulnerability in a system when the vulnerability is not present."
+msgstr ""
+
 msgid "An error occurred adding a draft to the thread."
 msgstr ""

@@ -29992,6 +29998,9 @@ msgstr ""
 msgid "The file name should have a .yml extension"
 msgstr ""

+msgid "The finding is not a vulnerability because it is part of a test or is test data."
+msgstr ""
+
 msgid "The following %{user} can also merge into this branch: %{branch}"
 msgstr ""

@@ -30294,6 +30303,12 @@ msgstr ""
 msgid "The visualization will appear in this tab when the CI/CD configuration file is populated with valid syntax."
 msgstr ""

+msgid "The vulnerability is known, and has not been remediated or mitigated, but is considered to be an acceptable business risk."
+msgstr ""
+
+msgid "The vulnerability is known, and has not been remediated or mitigated, but is considered to be in a part of the application that will not be updated."
+msgstr ""
+
 msgid "The vulnerability is no longer detected. Verify the vulnerability has been fixed or removed before changing its status."
 msgstr ""