Merge branch '13084-parse-licenses-to-dl' into 'master'

Merge License info to Dependency List report See merge request gitlab-org/gitlab-ee!15157

Merge branch '13084-parse-licenses-to-dl' into 'master'
Merge License info to Dependency List report See merge request gitlab-org/gitlab-ee!15157
dd692733 · Jan Provaznik · 22c25d2d · 512d82dc · dd692733 · dd692733
Commit dd692733 authored Aug 19, 2019 by Jan Provaznik
10 changed files
--- a/ee/app/models/ee/ci/build.rb
+++ b/ee/app/models/ee/ci/build.rb
@@ -78,6 +78,10 @@ module EE
          each_report(::Ci::JobArtifact::DEPENDENCY_LIST_REPORT_FILE_TYPES) do |file_type, blob|
            dependency_list.parse!(blob, dependency_list_report)
          end
+
+          each_report(::Ci::JobArtifact::LICENSE_MANAGEMENT_REPORT_FILE_TYPES) do |file_type, blob|
+            dependency_list.parse_licenses!(blob, dependency_list_report)
+          end
        end

        dependency_list_report

--- a/ee/changelogs/unreleased/13084-parse-licenses-to-dl.yml
+++ b/ee/changelogs/unreleased/13084-parse-licenses-to-dl.yml
+---
+title: Merge License info to Dependency List report
+merge_request: 15157
+author:
+type: added
--- a/ee/lib/gitlab/ci/parsers/security/dependency_list.rb
+++ b/ee/lib/gitlab/ci/parsers/security/dependency_list.rb
@@ -10,7 +10,7 @@ module Gitlab
          end

          def parse!(json_data, report)
-            report_data = JSON.parse!(json_data)
+            report_data = JSON.parse(json_data)
            report_data.fetch('dependency_files', []).each do |file|
              file['dependencies'].each do |dependency|
                report.add_dependency(formatter.format(dependency,
@@ -21,6 +21,13 @@ module Gitlab
            end
          end

+          def parse_licenses!(json_data, report)
+            licenses = JSON.parse(json_data, symbolize_names: true)
+            licenses[:dependencies].each do |license|
+              report.apply_license(license)
+            end
+          end
+
          private

          attr_reader :formatter

--- a/ee/lib/gitlab/ci/parsers/security/formatters/dependency_list.rb
+++ b/ee/lib/gitlab/ci/parsers/security/formatters/dependency_list.rb
@@ -20,7 +20,8 @@ module Gitlab
                  path:      file_path
                },
                version:  dependency['version'],
-                vulnerabilities: collect_vulnerabilities(vulnerabilities, dependency, file_path)
+                vulnerabilities: collect_vulnerabilities(vulnerabilities, dependency, file_path),
+                licenses: []
              }
            end


--- a/ee/lib/gitlab/ci/reports/dependency_list/report.rb
+++ b/ee/lib/gitlab/ci/reports/dependency_list/report.rb
@@ -14,6 +14,14 @@ module Gitlab
          def add_dependency(dependency)
            dependencies << dependency
          end
+
+          def apply_license(license)
+            dependencies.each do |dependency|
+              next unless dependency[:name] == license[:dependency][:name]
+
+              dependency[:licenses] << license[:license]
+            end
+          end
        end
      end
    end

--- a/ee/spec/factories/dependencies.rb
+++ b/ee/spec/factories/dependencies.rb
@@ -5,6 +5,7 @@ FactoryBot.define do
    name 'nokogiri'
    packager 'Ruby (Bundler)'
    version '1.8.0'
+    licenses { [] }
    location do
      {
        blob_path: '/some_project/path/Gemfile.lock',

--- a/ee/spec/lib/gitlab/ci/parsers/security/dependency_list_spec.rb
+++ b/ee/spec/lib/gitlab/ci/parsers/security/dependency_list_spec.rb
@@ -6,10 +6,9 @@ describe Gitlab::Ci::Parsers::Security::DependencyList do
  let(:parser) { described_class.new(project, sha) }
  let(:project) { create(:project) }
  let(:sha) { '4242424242424242' }
+  let(:report) { Gitlab::Ci::Reports::DependencyList::Report.new }

  describe '#parse!' do
-    let(:report) { Gitlab::Ci::Reports::DependencyList::Report.new }
-
    before do
      artifact.each_blob do |blob|
        parser.parse!(blob, report)
@@ -53,4 +52,37 @@ describe Gitlab::Ci::Parsers::Security::DependencyList do
      end
    end
  end
+
+  describe '#parse_licenses!' do
+    let(:artifact) { create(:ee_ci_job_artifact, :license_management) }
+    let(:dependency_info) { build(:dependency, :with_vulnerabilities) }
+
+    before do
+      report.add_dependency(dependency)
+
+      artifact.each_blob do |blob|
+        parser.parse_licenses!(blob, report)
+      end
+    end
+
+    context 'with existing license' do
+      let(:dependency) { dependency_info }
+
+      it 'apply license to dependency' do
+        licenses = report.dependencies.last[:licenses]
+
+        expect(licenses.count).to eq(1)
+        expect(licenses[0][:name]).to eq('MIT')
+        expect(licenses[0][:url]).to eq('http://opensource.org/licenses/mit-license')
+      end
+    end
+
+    context 'without existing license' do
+      let(:dependency) { dependency_info.merge(name: 'irigokon') }
+
+      it 'does not apply any license if name mismatch' do
+        expect(report.dependencies.first[:licenses]).to be_empty
+      end
+    end
+  end
 end
--- a/ee/spec/lib/gitlab/ci/parsers/security/formatters/dependency_list_spec.rb
+++ b/ee/spec/lib/gitlab/ci/parsers/security/formatters/dependency_list_spec.rb
@@ -33,6 +33,7 @@ describe Gitlab::Ci::Parsers::Security::Formatters::DependencyList do
        expect(data[:location][:path]).to eq('rails/Gemfile.lock')
        expect(data[:version]).to eq('2.2.0')
        expect(data[:vulnerabilities]).to be_empty
+        expect(data[:licenses]).to be_empty
      end
    end


--- a/ee/spec/models/ci/build_spec.rb
+++ b/ee/spec/models/ci/build_spec.rb
@@ -235,7 +235,8 @@ describe Ci::Build do
  end

  describe '#collect_dependency_list_reports!' do
-    let!(:artifact) { create(:ee_ci_job_artifact, :dependency_list, job: job, project: job.project) }
+    let!(:dl_artifact) { create(:ee_ci_job_artifact, :dependency_list, job: job, project: job.project) }
+    let!(:lm_artifact) { create(:ee_ci_job_artifact, :license_management, job: job, project: job.project) }
    let(:dependency_list_report) { Gitlab::Ci::Reports::DependencyList::Report.new }

    subject { job.collect_dependency_list_reports!(dependency_list_report) }
@@ -248,10 +249,13 @@ describe Ci::Build do
      it 'parses blobs and add the results to the report' do
        subject
        blob_path = "/#{project.full_path}/blob/#{job.sha}/yarn/yarn.lock"
+        mini_portile2 = dependency_list_report.dependencies[0]
+        yarn = dependency_list_report.dependencies[20]

        expect(dependency_list_report.dependencies.count).to eq(21)
-        expect(dependency_list_report.dependencies[0][:name]).to eq('mini_portile2')
-        expect(dependency_list_report.dependencies[20][:location][:blob_path]).to eq(blob_path)
+        expect(mini_portile2[:name]).to eq('mini_portile2')
+        expect(mini_portile2[:licenses][0][:name]).to eq('MIT')
+        expect(yarn[:location][:blob_path]).to eq(blob_path)
      end
    end


--- a/ee/spec/serializers/dependency_entity_spec.rb
+++ b/ee/spec/serializers/dependency_entity_spec.rb
@@ -23,12 +23,12 @@ describe DependencyEntity do
      end

      it do
-        is_expected.to eq(dependency)
+        is_expected.to eq(dependency.except(:licenses))
      end
    end

    context 'with reporter' do
-      let(:dependency_info) { build(:dependency) }
+      let(:dependency_info) { build(:dependency).except(:licenses) }

      before do
        project.add_reporter(user)