Show DAST in Group Security Dashboard Back-End

doc/user/group/security_dashboard/index.md

@@ -34,14 +34,16 @@ each one separately.
 
 The group security dashboard supports [SAST](../../project/merge_requests/sast.md),
 [Dependency Scanning](../../project/merge_requests/dependency_scanning.md),
-and [Container Scanning](../../project/merge_requests/container_scanning.md).
+[Container Scanning](../../project/merge_requests/container_scanning.md), 
+and [DAST](../../project/merge_requests/dast.md).
 
 ## Requirements
 
 To use the group security dashboard:
 
 1. At least one project inside a group must be configured with
-   [Static Application Security Testing](../../project/merge_requests/sast.md), or [Dependency Scanning](../../project/merge_requests/dependency_scanning.md).
+   [Static Application Security Testing](../../project/merge_requests/sast.md), or [Dependency Scanning](../../project/merge_requests/dependency_scanning.md), 
+   or [Container Scanning](../../project/merge_requests/container_scanning.md), or [Dynamic Application Security Testing](../../project/merge_requests/dast.md).
 2. The configured jobs must use the [new `reports` syntax](../../../ci/yaml/README.md#artifactsreports) (see an [example job](../../../ci/examples/sast.md)).
 3. [GitLab Runner](https://docs.gitlab.com/runner/) 11.5 or above must be used to execute the jobs.
 

ee/app/controllers/groups/security/vulnerabilities_controller.rb

@@ -3,11 +3,6 @@
 class Groups::Security::VulnerabilitiesController < Groups::Security::ApplicationController
   HISTORY_RANGE = 3.months
 
-  # NOTE: we need this scope because DAST vulnerabilities
-  # shouldn't appear in the Group Dashboard in the same as we're starting
-  # to save them in the database
-  DEFAULT_REPORT_SCOPE = [:sast, :dependency_scanning, :container_scanning].freeze
-
   def index
     vulnerabilities = found_vulnerabilities.ordered.page(params[:page])
 
@@ -44,10 +39,8 @@ class Groups::Security::VulnerabilitiesController < Groups::Security::Applicatio
   private
 
   def filter_params
-    filter_params = params.permit(report_type: [], project_id: [], severity: [])
-                          .merge(hide_dismissed: Gitlab::Utils.to_boolean(params[:hide_dismissed]))
-    filter_params[:report_type] ||= DEFAULT_REPORT_SCOPE
-    filter_params
+    params.permit(report_type: [], project_id: [], severity: [])
+      .merge(hide_dismissed: Gitlab::Utils.to_boolean(params[:hide_dismissed]))
   end
 
   def found_vulnerabilities(collection = :latest)

ee/app/models/ee/ci/build.rb

@@ -65,7 +65,7 @@ module EE
               ::Feature.disabled?(:parse_container_scanning_reports, default_enabled: true)
 
           next if file_type == "dast" &&
-              ::Feature.disabled?(:parse_dast_reports, default_enabled: false)
+              ::Feature.disabled?(:parse_dast_reports, default_enabled: true)
 
           security_reports.get_report(file_type).tap do |security_report|
             next unless project.feature_available?(LICENSED_PARSER_FEATURES.fetch(file_type))

ee/changelogs/unreleased/dast-in-group-dashboard-be.yml

+---
+title: Show DAST in Group Security Dashboard Back-End
+merge_request: 10277
+author:
+type: added

ee/spec/controllers/groups/security/vulnerabilities_controller_spec.rb

@@ -108,7 +108,6 @@ describe Groups::Security::VulnerabilitiesController do
         context 'with multiple report types' do
           before do
             projects.each do |project|
-              create_vulnerabilities(1, project_guest, { report_type: :dast })
               create_vulnerabilities(2, project_guest, { report_type: :sast })
               create_vulnerabilities(1, project_dev, { report_type: :dependency_scanning })
             end
@@ -219,14 +218,14 @@ describe Groups::Security::VulnerabilitiesController do
           group.add_developer(user)
         end
 
-        it 'returns vulnerabilities counts for :sast and :dependency_scanning' do
+        it 'returns vulnerabilities counts for all report types' do
           subject
 
           expect(response).to have_gitlab_http_status(200)
           expect(json_response).to be_an(Hash)
           expect(json_response['high']).to eq(3)
-          expect(json_response['low']).to eq(3)
-          expect(json_response['medium']).to eq(0)
+          expect(json_response['low']).to eq(4)
+          expect(json_response['medium']).to eq(1)
           expect(response).to match_response_schema('vulnerabilities/summary', dir: 'ee')
         end
 
@@ -323,11 +322,11 @@ describe Groups::Security::VulnerabilitiesController do
 
           expect(response).to have_gitlab_http_status(200)
           expect(json_response).to be_an(Hash)
-          expect(json_response['total']).to eq({ '2018-11-10' => 5, '2018-11-12' => 3 })
+          expect(json_response['total']).to eq({ '2018-11-10' => 5, '2018-11-12' => 5 })
           expect(json_response['critical']).to eq({ '2018-11-10' => 1 })
           expect(json_response['high']).to eq({ '2018-11-10' => 2, '2018-11-12' => 1 })
-          expect(json_response['medium']).to eq({})
-          expect(json_response['low']).to eq({ '2018-11-10' => 2, '2018-11-12' => 2 })
+          expect(json_response['medium']).to eq({ '2018-11-12' => 1 })
+          expect(json_response['low']).to eq({ '2018-11-10' => 2, '2018-11-12' => 3 })
           expect(response).to match_response_schema('vulnerabilities/history', dir: 'ee')
         end