Commit 24541454 authored by Kerri Miller's avatar Kerri Miller

Merge branch 'jnnkl-remove-standalone-vuln-dependency-list-feature-flag' into 'master'

Remove standalone_vuln_dependency_list Feature Flag [RUN ALL RSPEC] [RUN AS-IF-FOSS]

See merge request gitlab-org/gitlab!59124
parents 4f3cd654 18f78a35
......@@ -26,7 +26,7 @@ To view your project's dependencies, ensure you meet the following requirements:
## View a project's dependencies
![Dependency list](img/dependency_list_v12_10.png)
![Dependency list](img/dependency_list_v13_11.png)
GitLab displays dependencies with the following information:
......@@ -44,7 +44,8 @@ can also be sorted by name or by the packager that installed them.
If a dependency has known vulnerabilities, view them by clicking the arrow next to the
dependency's name or the badge that indicates how many known vulnerabilities exist. For each
vulnerability, its severity and description appears below it.
vulnerability, its severity and description appears below it. To view more details of a vulnerability,
select the vulnerability’s description. The [vulnerability's details](../vulnerabilities) page is opened.
### Dependency paths
......
......@@ -24,11 +24,6 @@ export default {
<div class="w-8em flex-shrink-0 text-right mr-3">
<severity-badge :severity="vulnerability.severity" />
</div>
<gl-link
v-if="glFeatures.standaloneVulnDependencyList && vulnerability.url"
:href="vulnerability.url"
>{{ vulnerability.name }}</gl-link
>
<span v-else data-testid="vulnerability-name-text">{{ vulnerability.name }}</span>
<gl-link :href="vulnerability.url">{{ vulnerability.name }}</gl-link>
</div>
</template>
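Review bot: The new `gl-link` on the last changed line renders unconditionally, while the removed branch only rendered a link when `vulnerability.url` was truthy and otherwise fell back to a plain `<span>`. The backend formatter builds `url` from `vulnerabilities[:vulnerability_id]`, which is presumably nil for findings not yet tied to a vulnerability record, so those entries would now render as a link without a usable href. Keep the fallback: `<gl-link v-if="vulnerability.url" :href="vulnerability.url">{{ vulnerability.name }}</gl-link>` followed by `<span v-else data-testid="vulnerability-name-text">{{ vulnerability.name }}</span>`. The corresponding no-url case in the Jest spec and snapshot should then be kept rather than deleted.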
......@@ -6,10 +6,6 @@ module Projects
before_action :authorize_read_dependency_list!
before_action do
push_frontend_feature_flag(:standalone_vuln_dependency_list, project)
end
feature_category :dependency_scanning
def index
......
---
title: Remove standalone_vuln_dependency_list Feature Flag
merge_request: 59124
author:
type: changed
---
name: standalone_vuln_dependency_list
introduced_by_url: https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/55641
rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/324031
milestone: '13.10'
type: development
group: group::composition analysis
default_enabled: false
......@@ -26,24 +26,16 @@ module Gitlab
end
def parse_vulnerabilities(report_data, report)
if Feature.enabled?(:standalone_vuln_dependency_list, project)
vuln_findings = pipeline.vulnerability_findings.dependency_scanning
vuln_findings.each do |finding|
dependency = finding.location.dig("dependency")
vuln_findings = pipeline.vulnerability_findings.dependency_scanning
vuln_findings.each do |finding|
dependency = finding.location.dig("dependency")
next unless dependency
next unless dependency
file = finding.file
vulnerability = finding.metadata.merge(vulnerability_id: finding.vulnerability_id)
file = finding.file
vulnerability = finding.metadata.merge(vulnerability_id: finding.vulnerability_id)
report.add_dependency(formatter.format(dependency, '', file, vulnerability))
end
else
report_data.fetch('vulnerabilities', []).each do |vulnerability|
dependency = vulnerability.dig("location", "dependency")
file = vulnerability.dig("location", "file")
report.add_dependency(formatter.format(dependency, '', file, vulnerability))
end
report.add_dependency(formatter.format(dependency, '', file, vulnerability))
end
end
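Review bot: `report_data` is now an unused parameter of `parse_vulnerabilities`: the only branch that read it (`report_data.fetch('vulnerabilities', [])`) was removed with the flag, and the method now reads solely from `pipeline.vulnerability_findings.dependency_scanning`. Either drop the parameter from the signature and its caller, or rename it `_report_data` with a comment such as `# Vulnerabilities come from persisted findings, not from the artifact JSON; the report's 'vulnerabilities' key is intentionally ignored.` so the next reader does not assume the artifact is still consulted. Separately, `finding.location.dig("dependency")` assumes `location` is always a Hash; if a finding's location can be nil this raises before the `next unless dependency` guard is reached, so `finding.location&.dig("dependency")` would be the safer form.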
......
......@@ -81,11 +81,9 @@ module Gitlab
vuln_params = { name: vulnerabilities['message'], severity: vulnerabilities['severity'].downcase }
if Feature.enabled?(:standalone_vuln_dependency_list, project)
id = vulnerabilities[:vulnerability_id]
standalone_vuln_params = { id: id, url: vulnerability_url(id) }
vuln_params.merge!(standalone_vuln_params)
end
id = vulnerabilities[:vulnerability_id]
standalone_vuln_params = { id: id, url: vulnerability_url(id) }
vuln_params.merge!(standalone_vuln_params)
[vuln_params]
end
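Review bot: `id = vulnerabilities[:vulnerability_id]` is now merged into `vuln_params` unconditionally, so `vulnerability_url(id)` is called even when the finding carries no `vulnerability_id`; what that helper returns for nil is not visible here, but a URL built from a nil id is at best a dead link the frontend will render. Guard the merge: `id = vulnerabilities[:vulnerability_id]` / `vuln_params.merge!(id: id, url: vulnerability_url(id)) if id`. The same hash is read with string keys (`'message'`, `'severity'`) and a symbol key (`:vulnerability_id`); this only works because the parser merges a symbol key into the string-keyed finding metadata, which deserves a one-line comment here. The enclosing method starts before this hunk.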
......
......@@ -12,10 +12,10 @@ exports[`DependencyVulnerability component given an vulnerability matches the sn
/>
</div>
<span
data-testid="vulnerability-name-text"
<gl-link-stub
href="/testgroup/testproject/-/security/vulnerabilities/1"
>
Insecure variable usage
</span>
</gl-link-stub>
</div>
`;
......@@ -47,34 +47,8 @@ describe('DependencyVulnerability component', () => {
expect(badge.props().severity).toEqual(vulnerability.severity);
});
it('renders the vulnerability name as text when standaloneVulnerabilityDependencyList Flag is off', () => {
const text = wrapper.findByTestId('vulnerability-name-text');
expect(text.isVisible()).toBe(true);
expect(text.text()).toBe('Insecure variable usage');
});
it("doesn't render link when standaloneVulnerabilityDependencyList Flag is off", () => {
const link = findLink();
expect(link.exists()).toBe(false);
});
});
describe('Feature Flag on', () => {
const vulnerability = mockDataVulnerabilities[0];
beforeEach(() => {
factory(
{
propsData: {
vulnerability,
},
},
true,
);
});
it('renders the vulnerability name as Link when standaloneVulnerabilityDependencyList Flag is on', () => {
it('renders the vulnerability name as a Link', () => {
const link = findLink();
expect(link.exists()).toBe(true);
expect(link.element.getAttribute('href')).toBe(
'/testgroup/testproject/-/security/vulnerabilities/1',
......
......@@ -49,45 +49,6 @@ RSpec.describe Gitlab::Ci::Parsers::Security::DependencyList do
end
end
context "with vulnerabilities from report" do
let(:artifact) { pipeline.job_artifacts.last }
before do
stub_feature_flags(standalone_vuln_dependency_list: false)
artifact.each_blob do |blob|
parser.parse!(blob, report)
end
end
it 'merge vulnerabilities data' do
vuln_nokogiri = report.dependencies[1][:vulnerabilities]
vuln_debug = report.dependencies[4][:vulnerabilities]
vuln_async = report.dependencies[3][:vulnerabilities]
expect(vuln_nokogiri.size).to eq(4)
expect(vuln_nokogiri[0][:name]).to eq('Vulnerabilities in libxml2 in nokogiri')
expect(vuln_nokogiri[0][:severity]).to eq('high')
expect(vuln_debug.size).to eq(1)
expect(vuln_debug[0][:name]).to eq('Regular Expression Denial of Service in debug')
expect(vuln_async.size).to eq(0)
end
context 'with dependency scanning artifact without dependency_list' do
let(:artifact) { create(:ee_ci_job_artifact, :dependency_scanning) }
before do
artifact.each_blob do |blob|
parser.parse!(blob, report)
end
end
it 'list of dependencies with vulnerabilities' do
expect(report.dependencies.size).to eq(4)
end
end
end
context 'with vulnerabilities in the database' do
let_it_be(:vulnerability) { create(:vulnerability, report_type: :dependency_scanning) }
let_it_be(:finding) { create(:vulnerabilities_finding, :with_dependency_scanning_metadata, vulnerability: vulnerability) }
......
......@@ -70,38 +70,20 @@ RSpec.describe Gitlab::Ci::Parsers::Security::Formatters::DependencyList do
context 'with vulnerable dependency' do
let(:dependency) { parsed_report['dependency_files'][0]['dependencies'][1] }
let(:data) { formatter.format(dependency, package_manager, file_path, vulnerability_data) }
let_it_be(:standalone_vulnerability) { create(:vulnerability, report_type: :dependency_scanning) }
context 'with feature `standalone vulnerabilities` enabled' do
let_it_be(:standalone_vulnerability) { create(:vulnerability, report_type: :dependency_scanning) }
let(:vulnerability_data) do
create(:vulnerabilities_finding, :with_dependency_scanning_metadata, vulnerability: standalone_vulnerability)
end
it 'merge vulnerabilities data' do
vulnerability = data[:vulnerabilities].first
path = "/security/vulnerabilities/#{standalone_vulnerability.id}"
expect(vulnerability[:id]).to eq(standalone_vulnerability.id)
expect(vulnerability[:url]).to end_with(path)
expect(vulnerability[:name]).to eq('Vulnerabilities in libxml2 in nokogiri')
expect(vulnerability[:severity]).to eq('high')
end
let(:vulnerability_data) do
create(:vulnerabilities_finding, :with_dependency_scanning_metadata, vulnerability: standalone_vulnerability)
end
context 'with disabled feature' do
let(:vulnerability_data) { parsed_report['vulnerabilities'].first }
it 'merge vulnerabilities data' do
vulnerability = data[:vulnerabilities].first
path = "/security/vulnerabilities/#{standalone_vulnerability.id}"
before do
stub_feature_flags(standalone_vuln_dependency_list: false)
end
it 'merge vulnerabilities data' do
vulnerability = data[:vulnerabilities].first
expect(vulnerability[:name]).to eq('Vulnerabilities in libxml2 in nokogiri')
expect(vulnerability[:severity]).to eq('high')
end
expect(vulnerability[:id]).to eq(standalone_vulnerability.id)
expect(vulnerability[:url]).to end_with(path)
expect(vulnerability[:name]).to eq('Vulnerabilities in libxml2 in nokogiri')
expect(vulnerability[:severity]).to eq('high')
end
end
end
......
......@@ -374,20 +374,14 @@ RSpec.describe Ci::Build do
before do
stub_licensed_features(dependency_scanning: true)
stub_feature_flags(standalone_vuln_dependency_list: false)
end
subject { job.collect_dependency_list_reports!(dependency_list_report) }
it 'parses blobs and add the results to the report' do
subject
blob_path = "/#{project.full_path}/-/blob/#{job.sha}/sast-sample-rails/Gemfile.lock"
netty = dependency_list_report.dependencies.first
ffi = dependency_list_report.dependencies.last
expect(dependency_list_report.dependencies.count).to eq(4)
expect(netty[:name]).to eq('io.netty/netty')
expect(ffi[:location][:blob_path]).to eq(blob_path)
expect(dependency_list_report.dependencies.count).to eq(0)
end
end
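Review bot: The example is still titled `'parses blobs and add the results to the report'` but now asserts `dependency_list_report.dependencies.count` is 0, so it passes precisely when the parser adds nothing and no longer demonstrates that anything is parsed. This is presumably because vulnerabilities now come from persisted findings rather than the artifact and this fixture has none, but a zero-count assertion under that name is a weak guard. Either rename it to state what is checked, e.g. `it 'adds no dependencies when the pipeline has no persisted findings'`, or create a `:vulnerabilities_finding, :with_dependency_scanning_metadata` for the pipeline as the parser spec does and assert the resulting entries. The enclosing `context` starts before this hunk.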
......