Merge branch...

Merge branch '250353-convert-issues-createfromvulnerabilityservice-to-work-similar-to-issues-buildservice-add-route' into 'master' Add route to build issue from vulnerability See merge request gitlab-org/gitlab!47528

Merge branch...
Merge branch '250353-convert-issues-createfromvulnerabilityservice-to-work-similar-to-issues-buildservice-add-route' into 'master' Add route to build issue from vulnerability See merge request gitlab-org/gitlab!47528
f53be7f0 · Markus Koller · f8165f37 · 7d3af592 · f53be7f0 · f53be7f0
Commit f53be7f0 authored Dec 01, 2020 by Markus Koller
9 changed files
--- a/app/controllers/projects/issues_controller.rb
+++ b/app/controllers/projects/issues_controller.rb
@@ -73,6 +73,8 @@ class Projects::IssuesController < Projects::ApplicationController
  feature_category :service_desk, [:service_desk]
  feature_category :importers, [:import_csv, :export_csv]

+  attr_accessor :vulnerability_id
+
  def index
    @issues = @issuables

@@ -124,6 +126,8 @@ class Projects::IssuesController < Projects::ApplicationController
    service = ::Issues::CreateService.new(project, current_user, create_params)
    @issue = service.execute

+    create_vulnerability_issue_link(issue)
+
    if service.discussions_to_resolve.count(&:resolved?) > 0
      flash[:notice] = if service.discussion_to_resolve_id
                         _("Resolved 1 discussion.")
@@ -384,6 +388,9 @@ class Projects::IssuesController < Projects::ApplicationController
  def service_desk?
    action_name == 'service_desk'
  end
+
+  # Overridden in EE
+  def create_vulnerability_issue_link(issue); end
 end

 Projects::IssuesController.prepend_if_ee('EE::Projects::IssuesController')
--- a/app/views/shared/issuable/_form.html.haml
+++ b/app/views/shared/issuable/_form.html.haml
@@ -88,3 +88,6 @@
  = form.hidden_field :issue_type

 = form.hidden_field :lock_version
+
+- if @vulnerability_id
+  = hidden_field_tag 'vulnerability_id', @vulnerability_id
--- a/ee/app/controllers/ee/projects/issues_controller.rb
+++ b/ee/app/controllers/ee/projects/issues_controller.rb
@@ -10,6 +10,9 @@ module EE
        include DescriptionDiffActions

        before_action :whitelist_query_limiting_ee, only: [:update]
+        before_action only: [:new, :create] do
+          populate_vulnerability_id
+        end

        feature_category :issue_tracking, [:delete_description_version, :description_diff]
      end
@@ -36,6 +39,57 @@ module EE
      def whitelist_query_limiting_ee
        ::Gitlab::QueryLimiting.whitelist('https://gitlab.com/gitlab-org/gitlab/issues/4794')
      end
+
+      def issue_params
+        super.tap do |params|
+          if vulnerability_id
+            params.merge!(issue_build_parameters)
+          end
+        end
+      end
+
+      def create_vulnerability_issue_link(issue)
+        return unless issue.persisted? && vulnerability
+
+        result = VulnerabilityIssueLinks::CreateService.new(
+          current_user,
+          vulnerability,
+          issue,
+          link_type: Vulnerabilities::IssueLink.link_types[:created]
+        ).execute
+
+        flash[:alert] = render_vulnerability_link_alert if result.status == :error
+      end
+
+      def vulnerability
+        project.vulnerabilities.find(vulnerability_id) if vulnerability_id
+      end
+
+      def issue_build_parameters
+        {
+          title: _("Investigate vulnerability: %{title}") % { title: vulnerability.title },
+          description: render_description,
+          confidential: true
+        }
+      end
+
+      def render_description
+        render_to_string(
+          template: 'vulnerabilities/issue_description.md.erb',
+          locals: { vulnerability: vulnerability.present }
+        )
+      end
+
+      def render_vulnerability_link_alert
+        render_to_string(
+          partial: 'vulnerabilities/unable_to_link_vulnerability.html.haml',
+          locals: { vulnerability_link: vulnerability_path(vulnerability) }
+        )
+      end
+
+      def populate_vulnerability_id
+        self.vulnerability_id = params[:vulnerability_id] if can?(current_user, :read_vulnerability, project)
+      end
    end
  end
 end
--- a/ee/app/views/vulnerabilities/_unable_to_link_vulnerability.html.haml
+++ b/ee/app/views/vulnerabilities/_unable_to_link_vulnerability.html.haml
+%span.gl-alert-title
+  = _('Unable to create link to vulnerability')
+.gl-alert-body
+  - originating_vulnerability_link = link_to _('originating vulnerability'), vulnerability_link
+  = _('Manually link this issue by adding it to the linked issue section of the %{originating_vulnerability}.').html_safe % { originating_vulnerability: originating_vulnerability_link }
--- a/ee/changelogs/unreleased/250353-convert-issues-createfromvulnerabilityservice-to-work-similar-t.yml
+++ b/ee/changelogs/unreleased/250353-convert-issues-createfromvulnerabilityservice-to-work-similar-t.yml
+---
+title: Issues can be built with vulnerability information
+merge_request: 47528
+author:
+type: changed
--- a/ee/spec/controllers/projects/issues_controller_spec.rb
+++ b/ee/spec/controllers/projects/issues_controller_spec.rb
@@ -26,7 +26,7 @@ RSpec.describe Projects::IssuesController do

    context 'licensed' do
      before do
-        stub_licensed_features(issue_weights: true, epics: true)
+        stub_licensed_features(issue_weights: true, epics: true, security_dashboard: true)
      end

      describe '#index' do
@@ -60,6 +60,23 @@ RSpec.describe Projects::IssuesController do
        end
      end

+      describe '#new' do
+        render_views
+
+        context 'when a vulnerability_id is provided' do
+          let(:pipeline) { create(:ci_pipeline, project: project) }
+          let(:finding) { create(:vulnerabilities_finding, pipelines: [pipeline]) }
+          let(:vulnerability) { create(:vulnerability, project: project, findings: [finding]) }
+          let(:vulnerability_field) { "<input type=\"hidden\" name=\"vulnerability_id\" id=\"vulnerability_id\" value=\"#{vulnerability.id}\" />" }
+
+          it 'sets the vulnerability_id' do
+            get :new, params: { namespace_id: project.namespace, project_id: project, vulnerability_id: vulnerability.id }
+
+            expect(response.body).to include(vulnerability_field)
+          end
+        end
+      end
+
      describe '#create' do
        it 'sets issue weight and epic' do
          perform :post, :create, issue: new_issue.attributes.merge(epic_id: epic.id)
@@ -71,12 +88,52 @@ RSpec.describe Projects::IssuesController do
          expect(issue.weight).to eq(new_issue.weight)
          expect(issue.epic).to eq(epic)
        end
+
+        context 'when created from a vulnerability' do
+          let(:pipeline) { create(:ci_pipeline, project: project) }
+          let(:finding) { create(:vulnerabilities_finding, pipelines: [pipeline]) }
+          let(:vulnerability) { create(:vulnerability, project: project, findings: [finding]) }
+
+          before do
+            stub_licensed_features(security_dashboard: true)
+          end
+
+          it 'links the issue to the vulnerability' do
+            send_request
+
+            expect(project.issues.last.vulnerability_links.first.vulnerability).to eq(vulnerability)
+          end
+
+          context 'when vulnerability already has a linked issue' do
+            render_views
+
+            let!(:vulnerabilities_issue_link) { create(:vulnerabilities_issue_link, :created, vulnerability: vulnerability) }
+
+            it 'shows an error message' do
+              send_request
+
+              expect(flash[:alert]).to include('Unable to create link to vulnerability')
+              expect(vulnerability.issue_links.map(&:issue)).to eq([vulnerabilities_issue_link.issue])
+            end
+          end
+
+          private
+
+          def send_request
+            post :create, params: {
+              namespace_id: project.namespace.to_param,
+              project_id: project,
+              issue: { title: 'Title', description: 'Description' },
+              vulnerability_id: vulnerability.id
+            }
+          end
+        end
      end
    end

    context 'unlicensed' do
      before do
-        stub_licensed_features(issue_weights: false, epics: false)
+        stub_licensed_features(issue_weights: false, epics: false, security_dashboard: false)
      end

      describe '#index' do
@@ -100,6 +157,24 @@ RSpec.describe Projects::IssuesController do
        end
      end

+      describe '#new' do
+        render_views
+
+        context 'when a vulnerability_id is provided' do
+          let(:pipeline) { create(:ci_pipeline, project: project) }
+          let(:finding) { create(:vulnerabilities_finding, pipelines: [pipeline]) }
+          let(:vulnerability) { create(:vulnerability, project: project, findings: [finding]) }
+          let(:vulnerability_field) { "<input type=\"hidden\" name=\"vulnerability_id\" id=\"vulnerability_id\" value=\"#{vulnerability.id}\" />" }
+
+          it 'does not build issue from a vulnerability' do
+            get :new, params: { namespace_id: project.namespace, project_id: project, vulnerability_id: vulnerability.id }
+
+            expect(response.body).not_to include(vulnerability_field)
+            expect(issue.description).to be_nil
+          end
+        end
+      end
+
      describe '#create' do
        it 'does not set issue weight ane epic' do
          perform :post, :create, issue: new_issue.attributes

--- a/ee/spec/factories/vulnerabilities.rb
+++ b/ee/spec/factories/vulnerabilities.rb
@@ -101,6 +101,21 @@ FactoryBot.define do
      end
    end

+    trait :with_pipeline do
+      after(:build) do |vulnerability|
+        finding = build(
+          :vulnerabilities_finding,
+          :identifier,
+          :with_pipeline,
+          vulnerability: vulnerability,
+          report_type: vulnerability.report_type,
+          project: vulnerability.project
+        )
+
+        vulnerability.findings = [finding]
+      end
+    end
+
    trait :with_findings do
      after(:build) do |vulnerability|
        findings_with_solution = build_list(

--- a/ee/spec/factories/vulnerabilities/findings.rb
+++ b/ee/spec/factories/vulnerabilities/findings.rb
@@ -198,6 +198,14 @@ FactoryBot.define do
      end
    end

+    trait :with_pipeline do
+      after(:create) do |finding|
+        pipeline = create(:ci_pipeline, project: finding.project)
+
+        finding.pipelines = [pipeline]
+      end
+    end
+
    trait :identifier do
      after(:build) do |finding|
        identifier = build(

--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -16494,6 +16494,9 @@ msgstr ""
 msgid "ManualOrdering|Couldn't save the order of the issues"
 msgstr ""

+msgid "Manually link this issue by adding it to the linked issue section of the %{originating_vulnerability}."
+msgstr ""
+
 msgid "Map a FogBugz account ID to a GitLab user"
 msgstr ""

@@ -28977,6 +28980,9 @@ msgstr ""
 msgid "Unable to convert Kubernetes logs encoding to UTF-8"
 msgstr ""

+msgid "Unable to create link to vulnerability"
+msgstr ""
+
 msgid "Unable to fetch unscanned projects"
 msgstr ""

@@ -32815,6 +32821,9 @@ msgstr ""
 msgid "or"
 msgstr ""

+msgid "originating vulnerability"
+msgstr ""
+
 msgid "out of %d total test"
 msgid_plural "out of %d total tests"
 msgstr[0] ""