Commit 12809ca5 authored by Jan Provaznik's avatar Jan Provaznik

Merge branch '280593-corpus-management-configuration' into 'master'

Add Corpus management to security configuration page

See merge request gitlab-org/gitlab!69302
parents e4b30512 bf7b8903
......@@ -10,6 +10,7 @@ import {
REPORT_TYPE_CONTAINER_SCANNING,
REPORT_TYPE_CLUSTER_IMAGE_SCANNING,
REPORT_TYPE_COVERAGE_FUZZING,
REPORT_TYPE_CORPUS_MANAGEMENT,
REPORT_TYPE_API_FUZZING,
REPORT_TYPE_LICENSE_COMPLIANCE,
} from '~/vue_shared/security_reports/constants';
......@@ -104,6 +105,12 @@ export const COVERAGE_FUZZING_CONFIG_HELP_PATH = helpPagePath(
{ anchor: 'configuration' },
);
export const CORPUS_MANAGEMENT_NAME = __('Corpus Management');
export const CORPUS_MANAGEMENT_DESCRIPTION = s__(
'SecurityConfiguration|Manage corpus files used as mutation sources in coverage fuzzing.',
);
export const CORPUS_MANAGEMENT_CONFIG_TEXT = s__('SecurityConfiguration|Manage corpus');
export const API_FUZZING_NAME = __('API Fuzzing');
export const API_FUZZING_DESCRIPTION = __('Find bugs in your code with API fuzzing.');
export const API_FUZZING_HELP_PATH = helpPagePath('user/application_security/api_fuzzing/index');
......@@ -202,6 +209,14 @@ export const securityFeatures = [
helpPath: COVERAGE_FUZZING_HELP_PATH,
configurationHelpPath: COVERAGE_FUZZING_CONFIG_HELP_PATH,
type: REPORT_TYPE_COVERAGE_FUZZING,
secondary: gon?.features?.corpusManagement
? {
type: REPORT_TYPE_CORPUS_MANAGEMENT,
name: CORPUS_MANAGEMENT_NAME,
description: CORPUS_MANAGEMENT_DESCRIPTION,
configurationText: CORPUS_MANAGEMENT_CONFIG_TEXT,
}
: {},
},
];
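Review bot: `secondary` falls back to `{}` rather than `null`/`undefined` when the flag is off (the `: {}` branch before the closing `},`), so a consumer that checks `if (feature.secondary)` treats the disabled case as present and may render an empty secondary block; if the other entries in `securityFeatures` omit the key entirely, `: undefined` (or a conditional spread of the object) keeps the shape consistent across entries. `gon?.features?.corpusManagement` is also read when the module is evaluated, so the value is fixed at import time; that is fine for the configuration page, where the controller pushes the flag in its `show` action, but any other importer of this constant gets whatever `gon` held when the module loaded. The `securityFeatures` array starts before this hunk.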
......
......@@ -24,6 +24,7 @@ export const REPORT_TYPE_DEPENDENCY_SCANNING = 'dependency_scanning';
export const REPORT_TYPE_CONTAINER_SCANNING = 'container_scanning';
export const REPORT_TYPE_CLUSTER_IMAGE_SCANNING = 'cluster_image_scanning';
export const REPORT_TYPE_COVERAGE_FUZZING = 'coverage_fuzzing';
export const REPORT_TYPE_CORPUS_MANAGEMENT = 'corpus_management';
export const REPORT_TYPE_LICENSE_COMPLIANCE = 'license_scanning';
export const REPORT_TYPE_API_FUZZING = 'api_fuzzing';
......
......@@ -14,6 +14,7 @@ module EE
before_action only: [:show] do
push_frontend_feature_flag(:security_auto_fix, project, default_enabled: false)
push_frontend_feature_flag(:corpus_management, project, default_enabled: :yaml)
end
before_action only: [:auto_fix] do
......
......@@ -61,7 +61,8 @@ module Projects
scan(scan_type, configured: scanner_enabled?(scan_type))
end
# DAST On-demand scans is a static (non job) entry. Add it manually.
# These scans are "fake" (non job) entries. Add them manually.
scans << scan(:corpus_management, configured: true)
scans << scan(:dast_profiles, configured: true)
end
......@@ -93,7 +94,8 @@ module Projects
sast: project_security_configuration_sast_path(project),
dast: project_security_configuration_dast_path(project),
dast_profiles: project_security_configuration_dast_scans_path(project),
api_fuzzing: project_security_configuration_api_fuzzing_path(project)
api_fuzzing: project_security_configuration_api_fuzzing_path(project),
corpus_management: (project_security_configuration_corpus_management_path(project) if ::Feature.enabled?(:corpus_management, project, default_enabled: :yaml) && scanner_enabled?(:coverage_fuzzing))
}[type]
end
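Review bot: The corpus_management scan is appended with `configured: true` (`scans << scan(:corpus_management, configured: true)`) regardless of the `:corpus_management` feature flag, so projects with the flag off still receive the entry in the `features` JSON, only with a nil `configuration_path`; the spec's flag-off context confirms this. If the flag is meant to hide the feature, the append should be gated on the same condition; if listing it unconditionally is intended, a comment such as `# always listed; the flag only controls whether a configuration path is exposed` keeps the next reader from "fixing" it. Independently, the inline conditional on the `corpus_management:` hash value packs the flag check and the coverage-fuzzing check into one long line; extracting it into a private helper keeps the hash literal to one entry per line and gives the condition a name. The method that builds this hash starts before the hunk, and `scanner_enabled?` and `project` are assumed to be available on the presenter since the hunk already uses them.
```ruby
      corpus_management: corpus_management_configuration_path
    }[type]
  end

  # Present only when the corpus_management flag is on for the project and
  # coverage fuzzing has been detected as configured; nil otherwise.
  # NOTE(review): presumably the frontend hides the "Manage corpus" link when
  # this is nil — confirm against the Vue component.
  def corpus_management_configuration_path
    return unless ::Feature.enabled?(:corpus_management, project, default_enabled: :yaml)
    return unless scanner_enabled?(:coverage_fuzzing)

    project_security_configuration_corpus_management_path(project)
  end
```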
......
......@@ -62,7 +62,7 @@ RSpec.describe Projects::Security::ConfigurationController do
it 'responds in json format when requested' do
get :show, params: { namespace_id: project.namespace, project_id: project, format: :json }
types = %w(sast dast dast_profiles dependency_scanning container_scanning cluster_image_scanning secret_detection coverage_fuzzing license_scanning api_fuzzing)
types = %w(sast dast dast_profiles dependency_scanning container_scanning cluster_image_scanning secret_detection coverage_fuzzing license_scanning api_fuzzing corpus_management)
expect(response).to have_gitlab_http_status(:ok)
expect(json_response['features'].map { |f| f['type'] }).to match_array(types)
......@@ -188,6 +188,7 @@ RSpec.describe Projects::Security::ConfigurationController do
before do
stub_feature_flags(security_auto_fix: false)
stub_feature_flags(corpus_management: false)
request
end
......
......@@ -90,7 +90,68 @@ RSpec.describe Projects::Security::ConfigurationPresenter do
security_scan(:secret_detection, configured: true),
security_scan(:coverage_fuzzing, configured: false),
security_scan(:api_fuzzing, configured: false),
security_scan(:dast_profiles, configured: true)
security_scan(:dast_profiles, configured: true),
security_scan(:corpus_management, configured: true)
)
end
end
context "when coverage fuzzing has run in a pipeline with feature flag off" do
before do
stub_feature_flags(corpus_management: false)
pipeline = create(
:ci_pipeline,
:auto_devops_source,
project: project,
ref: project.default_branch,
sha: project.commit.sha
)
create(:ci_build, :coverage_fuzzing, pipeline: pipeline, status: 'success')
end
it 'reports that coverage fuzzing, corpus management, and DAST are configured' do
expect(Gitlab::Json.parse(subject[:features])).to contain_exactly(
security_scan(:dast, configured: false),
security_scan(:sast, configured: false),
security_scan(:container_scanning, configured: false),
security_scan(:cluster_image_scanning, configured: false),
security_scan(:dependency_scanning, configured: false),
security_scan(:license_scanning, configured: false),
security_scan(:secret_detection, configured: false),
security_scan(:coverage_fuzzing, configured: true),
security_scan(:api_fuzzing, configured: false),
security_scan(:dast_profiles, configured: true),
security_scan(:corpus_management, configured: true)
)
end
end
context "when coverage fuzzing has run in a pipeline with feature flag on" do
before do
stub_feature_flags(corpus_management: true)
pipeline = create(
:ci_pipeline,
:auto_devops_source,
project: project,
ref: project.default_branch,
sha: project.commit.sha
)
create(:ci_build, :coverage_fuzzing, pipeline: pipeline, status: 'success')
end
it 'reports that coverage fuzzing, corpus management, and DAST are configured' do
expect(Gitlab::Json.parse(subject[:features])).to contain_exactly(
security_scan(:dast, configured: false),
security_scan(:sast, configured: false),
security_scan(:container_scanning, configured: false),
security_scan(:cluster_image_scanning, configured: false),
security_scan(:dependency_scanning, configured: false),
security_scan(:license_scanning, configured: false),
security_scan(:secret_detection, configured: false),
security_scan(:coverage_fuzzing, configured: true),
security_scan(:api_fuzzing, configured: false),
security_scan(:dast_profiles, configured: true),
security_scan(:corpus_management, configured: true, configuration_path: project_security_configuration_corpus_management_path(project))
)
end
end
......@@ -115,7 +176,8 @@ RSpec.describe Projects::Security::ConfigurationPresenter do
security_scan(:secret_detection, configured: false),
security_scan(:coverage_fuzzing, configured: false),
security_scan(:api_fuzzing, configured: false),
security_scan(:dast_profiles, configured: true)
security_scan(:dast_profiles, configured: true),
security_scan(:corpus_management, configured: true)
)
end
end
......@@ -147,7 +209,8 @@ RSpec.describe Projects::Security::ConfigurationPresenter do
security_scan(:license_scanning, configured: false),
security_scan(:secret_detection, configured: true),
security_scan(:coverage_fuzzing, configured: false),
security_scan(:api_fuzzing, configured: false)
security_scan(:api_fuzzing, configured: false),
security_scan(:corpus_management, configured: true)
)
end
......@@ -171,7 +234,8 @@ RSpec.describe Projects::Security::ConfigurationPresenter do
security_scan(:license_scanning, configured: false),
security_scan(:secret_detection, configured: false),
security_scan(:coverage_fuzzing, configured: false),
security_scan(:api_fuzzing, configured: false)
security_scan(:api_fuzzing, configured: false),
security_scan(:corpus_management, configured: true)
)
end
......@@ -188,7 +252,8 @@ RSpec.describe Projects::Security::ConfigurationPresenter do
security_scan(:license_scanning, configured: true),
security_scan(:secret_detection, configured: true),
security_scan(:coverage_fuzzing, configured: false),
security_scan(:api_fuzzing, configured: false)
security_scan(:api_fuzzing, configured: false),
security_scan(:corpus_management, configured: true)
)
end
......@@ -241,13 +306,13 @@ RSpec.describe Projects::Security::ConfigurationPresenter do
end
end
def security_scan(type, configured:)
configuration_path = configuration_path(type)
def security_scan(type, configured:, configuration_path: nil)
path = configuration_path || configuration_path(type)
{
"type" => type.to_s,
"configured" => configured,
"configuration_path" => configuration_path,
"configuration_path" => path,
"available" => licensed_scan_types.include?(type)
}
end
......@@ -257,7 +322,8 @@ RSpec.describe Projects::Security::ConfigurationPresenter do
dast: project_security_configuration_dast_path(project),
dast_profiles: project_security_configuration_dast_scans_path(project),
sast: project_security_configuration_sast_path(project),
api_fuzzing: project_security_configuration_api_fuzzing_path(project)
api_fuzzing: project_security_configuration_api_fuzzing_path(project),
corpus_management: nil
}[type]
end
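Review bot: The two new contexts ("with feature flag off" and "with feature flag on") carry the same example description, `reports that coverage fuzzing, corpus management, and DAST are configured`, although the point of the pair is that `configuration_path` is nil with the flag off and the corpus management route with the flag on; naming the difference, e.g. `it 'reports corpus management without a configuration path when the flag is off'`, makes a failure readable. The pipeline and `:coverage_fuzzing` build setup in both `before` blocks is identical and could move to a shared `before` at the enclosing level, leaving only the `stub_feature_flags` line to vary. In `security_scan`, the new keyword `configuration_path:` shares its name with the helper method it falls back to on the next line; this works because the parenthesised `configuration_path(type)` is parsed as a method call, but a distinct name such as `path_override:` would remove the double-take. The enclosing describe block starts and ends outside this section.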
......
......@@ -9240,6 +9240,9 @@ msgstr ""
msgid "Copy value"
msgstr ""
msgid "Corpus Management"
msgstr ""
msgid "Corpus Management|Are you sure you want to delete the corpus?"
msgstr ""
......@@ -29782,6 +29785,12 @@ msgstr ""
msgid "SecurityConfiguration|Immediately begin risk analysis and remediation with application security features. Start with SAST and Secret Detection, available to all plans. Upgrade to Ultimate to get all features, including:"
msgstr ""
msgid "SecurityConfiguration|Manage corpus"
msgstr ""
msgid "SecurityConfiguration|Manage corpus files used as mutation sources in coverage fuzzing."
msgstr ""
msgid "SecurityConfiguration|Manage profiles for use by DAST scans."
msgstr ""
......
......@@ -534,6 +534,14 @@ FactoryBot.define do
end
end
trait :coverage_fuzzing do
options do
{
artifacts: { reports: { coverage_fuzzing: 'gl-coverage-fuzzing-report.json' } }
}
end
end
trait :license_scanning do
options do
{
......