Merge branch 'add_scanned_resources_to_security_report_223672' into 'master'

Add scanned resources to Security::Report

See merge request gitlab-org/gitlab!35486

ee/app/services/security/merge_reports_service.rb

@@ -42,6 +42,7 @@ module Security
         copy_scanners_to_target(source)
         copy_identifiers_to_target(source)
         copy_occurrences_to_buffer(source)
+        copy_scanned_resources_to_target(source)
       end
 
       copy_occurrences_to_target
@@ -65,6 +66,10 @@ module Security
       @occurrences.concat(source.occurrences)
     end
 
+    def copy_scanned_resources_to_target(source_report)
+      @target_report.scanned_resources.concat(source_report.scanned_resources).uniq!
+    end
+
     # this method mutates the passed seen_identifiers set
     def check_or_mark_seen_identifier!(identifier, location_fingerprint, seen_identifiers)
       key = IdentifierKey.new(location_fingerprint, identifier.external_type, identifier.external_id)

ee/lib/gitlab/ci/parsers/security/common.rb

@@ -11,6 +11,8 @@ module Gitlab
             report_data = parse_report(json_data)
             raise SecurityReportParserError, "Invalid report format" unless report_data.is_a?(Hash)
 
+            report.scanned_resources = report_data.dig('scan', 'scanned_resources') || []
+
             collate_remediations(report_data).each do |vulnerability|
               create_vulnerability(report, vulnerability, report_data["version"])
             end

ee/lib/gitlab/ci/reports/security/report.rb

@@ -14,6 +14,7 @@ module Gitlab
           attr_reader :scanners
           attr_reader :identifiers
 
+          attr_accessor :scanned_resources
           attr_accessor :error
 
           def initialize(type, commit_sha, created_at)
@@ -23,6 +24,7 @@ module Gitlab
             @occurrences = []
             @scanners = {}
             @identifiers = {}
+            @scanned_resources = []
           end
 
           def errored?

ee/spec/factories/ci/reports/security/reports.rb

@@ -5,6 +5,7 @@ FactoryBot.define do
     type { :sast }
     commit_sha { Digest::SHA1.hexdigest(SecureRandom.hex) }
     created_at { 2.weeks.ago }
+    scanned_resources { [] }
 
     transient do
       occurrences { [] }

ee/spec/lib/gitlab/ci/parsers/security/dast_spec.rb

@@ -16,15 +16,16 @@ RSpec.describe Gitlab::Ci::Parsers::Security::Dast do
           :occurrence_count,
           :identifier_count,
           :scanner_count,
+          :scanned_resources_count,
           :last_occurrence_hostname,
           :last_occurrence_method_name,
           :last_occurrence_path,
           :last_occurrence_severity,
           :last_occurrence_confidence) do
-      :dast                             | 24 | 15 | 1 | 'http://goat:8080' | 'GET' | '/WebGoat/plugins/bootstrap/css/bootstrap.min.css' | 'info' | 'low'
-      :dast_multiple_sites              | 25 | 15 | 1 | 'http://goat:8080' | 'GET' | '/WebGoat/plugins/bootstrap/css/bootstrap.min.css' | 'info' | 'low'
-      :dast_deprecated_no_spider        | 2  | 3  | 1 | 'http://bikebilly-spring-auto-devops-review-feature-br-3y2gpb.35.192.176.43.xip.io' | 'GET' | '/' | 'low' | 'medium'
-      :dast_deprecated_no_common_fields | 24 | 15 | 1 | 'http://goat:8080' | 'GET' | '/WebGoat/plugins/bootstrap/css/bootstrap.min.css' | 'info' | 'low'
+      :dast                             | 24 | 15 | 1 | 6 | 'http://goat:8080' | 'GET' | '/WebGoat/plugins/bootstrap/css/bootstrap.min.css' | 'info' | 'low'
+      :dast_multiple_sites              | 25 | 15 | 1 | 0 | 'http://goat:8080' | 'GET' | '/WebGoat/plugins/bootstrap/css/bootstrap.min.css' | 'info' | 'low'
+      :dast_deprecated_no_spider        | 2  | 3  | 1 | 0 | 'http://bikebilly-spring-auto-devops-review-feature-br-3y2gpb.35.192.176.43.xip.io' | 'GET' | '/' | 'low' | 'medium'
+      :dast_deprecated_no_common_fields | 24 | 15 | 1 | 0 | 'http://goat:8080' | 'GET' | '/WebGoat/plugins/bootstrap/css/bootstrap.min.css' | 'info' | 'low'
     end
 
     with_them do
@@ -36,10 +37,11 @@ RSpec.describe Gitlab::Ci::Parsers::Security::Dast do
         end
       end
 
-      it 'parses all identifiers and occurrences' do
+      it 'parses all identifiers, occurrences and scanned resources' do
         expect(report.occurrences.length).to eq(occurrence_count)
         expect(report.identifiers.length).to eq(identifier_count)
         expect(report.scanners.length).to eq(scanner_count)
+        expect(report.scanned_resources.length).to eq(scanned_resources_count)
       end
 
       it 'generates expected location' do

ee/spec/services/security/merge_reports_service_spec.rb

@@ -87,7 +87,8 @@ RSpec.describe Security::MergeReportsService, '#execute' do
       :ci_reports_security_report,
       scanners: [scanner_1, scanner_2],
       occurrences: report_1_occurrences,
-      identifiers: report_1_occurrences.flat_map(&:identifiers)
+      identifiers: report_1_occurrences.flat_map(&:identifiers),
+      scanned_resources: ['example.com', 'example.com/1', 'example.com/2']
     )
   end
 
@@ -98,7 +99,8 @@ RSpec.describe Security::MergeReportsService, '#execute' do
       :ci_reports_security_report,
       scanners: [scanner_2],
       occurrences: report_2_occurrences,
-      identifiers: occurrence_id_2_loc_2.identifiers
+      identifiers: occurrence_id_2_loc_2.identifiers,
+      scanned_resources: ['example.com', 'example.com/3']
     )
   end
 
@@ -148,6 +150,17 @@ RSpec.describe Security::MergeReportsService, '#execute' do
     )
   end
 
+  it 'deduplicates scanned resources' do
+    expect(subject.scanned_resources).to(
+      eq([
+        'example.com',
+        'example.com/1',
+        'example.com/2',
+        'example.com/3'
+      ])
+    )
+  end
+
   context 'ordering reports for dependency scanning analyzers' do
     let(:gemnasium_scanner) { build(:ci_reports_security_scanner, external_id: 'gemnasium', name: 'gemnasium') }
     let(:retire_js_scaner) { build(:ci_reports_security_scanner, external_id: 'retire.js', name: 'Retire.js') }