Merge branch 'jnnkl-remove-standalone-vuln-dependency-list-feature-flag' into 'master'

Remove standalone_vuln_dependency_list Feature Flag [RUN ALL RSPEC] [RUN AS-IF-FOSS]

See merge request gitlab-org/gitlab!59124

doc/user/application_security/dependency_list/index.md

@@ -26,7 +26,7 @@ To view your project's dependencies, ensure you meet the following requirements:
 
 ## View a project's dependencies
 
-![Dependency list](img/dependency_list_v12_10.png)
+![Dependency list](img/dependency_list_v13_11.png)
 
 GitLab displays dependencies with the following information:
 
@@ -44,7 +44,8 @@ can also be sorted by name or by the packager that installed them.
 
 If a dependency has known vulnerabilities, view them by clicking the arrow next to the
 dependency's name or the badge that indicates how many known vulnerabilities exist. For each
-vulnerability, its severity and description appears below it.
+vulnerability, its severity and description appears below it. To view more details of a vulnerability,
+select the vulnerability’s description. The [vulnerability's details](../vulnerabilities) page is opened.
 
 ### Dependency paths
 

ee/app/assets/javascripts/dependencies/components/dependency_vulnerability.vue

@@ -24,11 +24,6 @@ export default {
     <div class="w-8em flex-shrink-0 text-right mr-3">
       <severity-badge :severity="vulnerability.severity" />
     </div>
-    <gl-link
-      v-if="glFeatures.standaloneVulnDependencyList && vulnerability.url"
-      :href="vulnerability.url"
-      >{{ vulnerability.name }}</gl-link
-    >
-    <span v-else data-testid="vulnerability-name-text">{{ vulnerability.name }}</span>
+    <gl-link :href="vulnerability.url">{{ vulnerability.name }}</gl-link>
   </div>
 </template>

ee/app/controllers/projects/dependencies_controller.rb

@@ -6,10 +6,6 @@ module Projects
 
     before_action :authorize_read_dependency_list!
 
-    before_action do
-      push_frontend_feature_flag(:standalone_vuln_dependency_list, project)
-    end
-
     feature_category :dependency_scanning
 
     def index

ee/changelogs/unreleased/jnnkl-remove-standalone-vuln-dependency-list-feature-flag.yml

+---
+title: Remove standalone_vuln_dependency_list Feature Flag
+merge_request: 59124
+author:
+type: changed

ee/config/feature_flags/development/standalone_vuln_dependency_list.yml

----
-name: standalone_vuln_dependency_list
-introduced_by_url: https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/55641
-rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/324031
-milestone: '13.10'
-type: development
-group: group::composition analysis
-default_enabled: false

ee/lib/gitlab/ci/parsers/security/dependency_list.rb

@@ -26,24 +26,16 @@ module Gitlab
           end
 
           def parse_vulnerabilities(report_data, report)
-            if Feature.enabled?(:standalone_vuln_dependency_list, project)
-              vuln_findings = pipeline.vulnerability_findings.dependency_scanning
-              vuln_findings.each do |finding|
-                dependency = finding.location.dig("dependency")
+            vuln_findings = pipeline.vulnerability_findings.dependency_scanning
+            vuln_findings.each do |finding|
+              dependency = finding.location.dig("dependency")
 
-                next unless dependency
+              next unless dependency
 
-                file = finding.file
-                vulnerability = finding.metadata.merge(vulnerability_id: finding.vulnerability_id)
+              file = finding.file
+              vulnerability = finding.metadata.merge(vulnerability_id: finding.vulnerability_id)
 
-                report.add_dependency(formatter.format(dependency, '', file, vulnerability))
-              end
-            else
-              report_data.fetch('vulnerabilities', []).each do |vulnerability|
-                dependency = vulnerability.dig("location", "dependency")
-                file = vulnerability.dig("location", "file")
-                report.add_dependency(formatter.format(dependency, '', file, vulnerability))
-              end
+              report.add_dependency(formatter.format(dependency, '', file, vulnerability))
             end
           end
 

ee/lib/gitlab/ci/parsers/security/formatters/dependency_list.rb

@@ -81,11 +81,9 @@ module Gitlab
 
               vuln_params = { name: vulnerabilities['message'], severity: vulnerabilities['severity'].downcase }
 
-              if Feature.enabled?(:standalone_vuln_dependency_list, project)
-                id = vulnerabilities[:vulnerability_id]
-                standalone_vuln_params = { id: id, url: vulnerability_url(id) }
-                vuln_params.merge!(standalone_vuln_params)
-              end
+              id = vulnerabilities[:vulnerability_id]
+              standalone_vuln_params = { id: id, url: vulnerability_url(id) }
+              vuln_params.merge!(standalone_vuln_params)
 
               [vuln_params]
             end

ee/spec/frontend/dependencies/components/__snapshots__/dependency_vulnerability_spec.js.snap

@@ -12,10 +12,10 @@ exports[`DependencyVulnerability component given an vulnerability matches the sn
     />
   </div>
    
-  <span
-    data-testid="vulnerability-name-text"
+  <gl-link-stub
+    href="/testgroup/testproject/-/security/vulnerabilities/1"
   >
     Insecure variable usage
-  </span>
+  </gl-link-stub>
 </div>
 `;

ee/spec/frontend/dependencies/components/dependency_vulnerability_spec.js

@@ -47,34 +47,8 @@ describe('DependencyVulnerability component', () => {
       expect(badge.props().severity).toEqual(vulnerability.severity);
     });
 
-    it('renders the vulnerability name as text when standaloneVulnerabilityDependencyList Flag is off', () => {
-      const text = wrapper.findByTestId('vulnerability-name-text');
-      expect(text.isVisible()).toBe(true);
-      expect(text.text()).toBe('Insecure variable usage');
-    });
-
-    it("doesn't render link when standaloneVulnerabilityDependencyList Flag is off", () => {
-      const link = findLink();
-      expect(link.exists()).toBe(false);
-    });
-  });
-
-  describe('Feature Flag on', () => {
-    const vulnerability = mockDataVulnerabilities[0];
-    beforeEach(() => {
-      factory(
-        {
-          propsData: {
-            vulnerability,
-          },
-        },
-        true,
-      );
-    });
-
-    it('renders the vulnerability name as Link when standaloneVulnerabilityDependencyList Flag is on', () => {
+    it('renders the vulnerability name as a Link', () => {
       const link = findLink();
-
       expect(link.exists()).toBe(true);
       expect(link.element.getAttribute('href')).toBe(
         '/testgroup/testproject/-/security/vulnerabilities/1',

ee/spec/lib/gitlab/ci/parsers/security/dependency_list_spec.rb

@@ -49,45 +49,6 @@ RSpec.describe Gitlab::Ci::Parsers::Security::DependencyList do
       end
     end
 
-    context "with vulnerabilities from report" do
-      let(:artifact) { pipeline.job_artifacts.last }
-
-      before do
-        stub_feature_flags(standalone_vuln_dependency_list: false)
-
-        artifact.each_blob do |blob|
-          parser.parse!(blob, report)
-        end
-      end
-
-      it 'merge vulnerabilities data' do
-        vuln_nokogiri = report.dependencies[1][:vulnerabilities]
-        vuln_debug = report.dependencies[4][:vulnerabilities]
-        vuln_async = report.dependencies[3][:vulnerabilities]
-
-        expect(vuln_nokogiri.size).to eq(4)
-        expect(vuln_nokogiri[0][:name]).to eq('Vulnerabilities in libxml2 in nokogiri')
-        expect(vuln_nokogiri[0][:severity]).to eq('high')
-        expect(vuln_debug.size).to eq(1)
-        expect(vuln_debug[0][:name]).to eq('Regular Expression Denial of Service in debug')
-        expect(vuln_async.size).to eq(0)
-      end
-
-      context 'with dependency scanning artifact without dependency_list' do
-        let(:artifact) { create(:ee_ci_job_artifact, :dependency_scanning) }
-
-        before do
-          artifact.each_blob do |blob|
-            parser.parse!(blob, report)
-          end
-        end
-
-        it 'list of dependencies with vulnerabilities' do
-          expect(report.dependencies.size).to eq(4)
-        end
-      end
-    end
-
     context 'with vulnerabilities in the database' do
       let_it_be(:vulnerability) { create(:vulnerability, report_type: :dependency_scanning) }
       let_it_be(:finding) { create(:vulnerabilities_finding, :with_dependency_scanning_metadata, vulnerability: vulnerability) }

ee/spec/lib/gitlab/ci/parsers/security/formatters/dependency_list_spec.rb

@@ -70,38 +70,20 @@ RSpec.describe Gitlab::Ci::Parsers::Security::Formatters::DependencyList do
     context 'with vulnerable dependency' do
       let(:dependency) { parsed_report['dependency_files'][0]['dependencies'][1] }
       let(:data) { formatter.format(dependency, package_manager, file_path, vulnerability_data) }
+      let_it_be(:standalone_vulnerability) { create(:vulnerability, report_type: :dependency_scanning) }
 
-      context 'with feature `standalone vulnerabilities` enabled' do
-        let_it_be(:standalone_vulnerability) { create(:vulnerability, report_type: :dependency_scanning) }
-
-        let(:vulnerability_data) do
-          create(:vulnerabilities_finding, :with_dependency_scanning_metadata, vulnerability: standalone_vulnerability)
-        end
-
-        it 'merge vulnerabilities data' do
-          vulnerability = data[:vulnerabilities].first
-          path = "/security/vulnerabilities/#{standalone_vulnerability.id}"
-
-          expect(vulnerability[:id]).to eq(standalone_vulnerability.id)
-          expect(vulnerability[:url]).to end_with(path)
-          expect(vulnerability[:name]).to eq('Vulnerabilities in libxml2 in nokogiri')
-          expect(vulnerability[:severity]).to eq('high')
-        end
+      let(:vulnerability_data) do
+        create(:vulnerabilities_finding, :with_dependency_scanning_metadata, vulnerability: standalone_vulnerability)
       end
 
-      context 'with disabled feature' do
-        let(:vulnerability_data) { parsed_report['vulnerabilities'].first }
+      it 'merge vulnerabilities data' do
+        vulnerability = data[:vulnerabilities].first
+        path = "/security/vulnerabilities/#{standalone_vulnerability.id}"
 
-        before do
-          stub_feature_flags(standalone_vuln_dependency_list: false)
-        end
-
-        it 'merge vulnerabilities data' do
-          vulnerability = data[:vulnerabilities].first
-
-          expect(vulnerability[:name]).to eq('Vulnerabilities in libxml2 in nokogiri')
-          expect(vulnerability[:severity]).to eq('high')
-        end
+        expect(vulnerability[:id]).to eq(standalone_vulnerability.id)
+        expect(vulnerability[:url]).to end_with(path)
+        expect(vulnerability[:name]).to eq('Vulnerabilities in libxml2 in nokogiri')
+        expect(vulnerability[:severity]).to eq('high')
       end
     end
   end

ee/spec/models/ci/build_spec.rb

@@ -374,20 +374,14 @@ RSpec.describe Ci::Build do
 
       before do
         stub_licensed_features(dependency_scanning: true)
-        stub_feature_flags(standalone_vuln_dependency_list: false)
       end
 
       subject { job.collect_dependency_list_reports!(dependency_list_report) }
 
       it 'parses blobs and add the results to the report' do
         subject
-        blob_path = "/#{project.full_path}/-/blob/#{job.sha}/sast-sample-rails/Gemfile.lock"
-        netty = dependency_list_report.dependencies.first
-        ffi = dependency_list_report.dependencies.last
 
-        expect(dependency_list_report.dependencies.count).to eq(4)
-        expect(netty[:name]).to eq('io.netty/netty')
-        expect(ffi[:location][:blob_path]).to eq(blob_path)
+        expect(dependency_list_report.dependencies.count).to eq(0)
       end
     end