Merge branch '201813-vulnerability-view-doesn-t-show-file-location' into 'master'

Resolve "Vulnerability view doesn't show file location" See merge request gitlab-org/gitlab!25383

Merge branch '201813-vulnerability-view-doesn-t-show-file-location' into 'master'
Resolve "Vulnerability view doesn't show file location" See merge request gitlab-org/gitlab!25383
27288726 · Dmytro Zaporozhets · 23795036 · 8b7d819a · 27288726 · 27288726
Commit 27288726 authored Apr 09, 2020 by Dmytro Zaporozhets
5 changed files
--- a/ee/app/helpers/vulnerabilities_helper.rb
+++ b/ee/app/helpers/vulnerabilities_helper.rb
@@ -41,4 +41,15 @@ module VulnerabilitiesHelper
      solution: remediation ? remediation['summary'] : occurrence[:solution]
    )
  end
+
+  def vulnerability_file_link(vulnerability)
+    finding = vulnerability.finding
+    location = finding.location
+    branch = finding.pipelines&.last&.sha || vulnerability.project.default_branch
+    link_text = "#{location['file']}:#{location['start_line']}"
+    offset = location['start_line'] ? "#L#{location['start_line']}" : ''
+    link_path = project_blob_path(vulnerability.project, tree_join(branch, location['file'])) + offset
+
+    link_to link_text, link_path, target: '_blank', rel: 'noopener noreferrer'
+  end
 end
--- a/ee/app/views/projects/security/vulnerabilities/show.html.haml
+++ b/ee/app/views/projects/security/vulnerabilities/show.html.haml
@@ -3,6 +3,8 @@
 - breadcrumb_title @vulnerability.id
 - page_title @vulnerability.title
 - page_description @vulnerability.description
+- finding = @vulnerability.finding
+- location = finding.location

 #js-vulnerability-management-app{ data: vulnerability_data(@vulnerability, @pipeline) }

@@ -12,30 +14,43 @@
    .description
      .md
        %h3= "Description"
-        %p= @vulnerability.finding.description
+        %p= finding.description
        %ul
          %li= _("Severity: %{severity}") % { severity: @vulnerability.severity }
          %li= _("Confidence: %{confidence}") % { confidence: @vulnerability.confidence }
          %li= _("Report Type: %{report_type}") % { report_type: @vulnerability.report_type }

-          - if @vulnerability.finding.location["image"]
-            %li= _("Image: %{image}") % { image: @vulnerability.finding.location['image'] }
+          - if location['image']
+            %li= _("Image: %{image}") % { image: location['image'] }

-          - if @vulnerability.finding.location["operating_system"]
-            %li= _("Namespace: %{namespace}") % { namespace: @vulnerability.finding.location['operating_system'] }
+          - if location['operating_system']
+            %li= _("Namespace: %{namespace}") % { namespace: location['operating_system'] }

-        - if @vulnerability.finding.links.any?
-          %h3= _("Links")
+        - if location['file']
+          %h3= _('Location')
          %ul
-            - @vulnerability.finding.links.each do |link|
            %li
-                %a{ :href=>link["url"], target: "_blank", rel: 'noopener noreferrer' }= link["url"]
+              = _('File:')
+              = vulnerability_file_link(@vulnerability)
+            - if location['class']
+              %li
+                = _('Class:')
+                = location['class']
+            - if location['method']
+              %li
+                = _('Method:')
+                %code= location['method']

-        - if @vulnerability.finding.identifiers.any?
-          %h3= _("Identifiers")
+        - if finding.links.any?
+          %h3= _('Links')
          %ul
-            - @vulnerability.finding.identifiers.each do |identifier|
-              %li
-                %a{ :href=>identifier.url, target: "_blank", rel: 'noopener noreferrer' }= identifier.name
+            - finding.links.each do |link|
+              %li= link_to link['url'], target: '_blank', rel: 'noopener noreferrer'
+
+        - if finding.identifiers.any?
+          %h3= _('Identifiers')
+          %ul
+            - finding.identifiers.each do |identifier|
+              %li= link_to identifier.name, identifier.url, target: '_blank', rel: 'noopener noreferrer'

 #js-vulnerability-footer{ data: vulnerability_data(@vulnerability, @pipeline) }
--- a/ee/spec/controllers/projects/security/vulnerabilities_controller_spec.rb
+++ b/ee/spec/controllers/projects/security/vulnerabilities_controller_spec.rb
@@ -77,6 +77,12 @@ describe Projects::Security::VulnerabilitiesController do
        expect(response.body).to have_text(vulnerability.title)
      end

+      it 'renders the file location' do
+        show_vulnerability
+
+        expect(response.body).to have_text(vulnerability.finding.location['file'])
+      end
+
      it 'renders the solution card' do
        show_vulnerability


--- a/ee/spec/helpers/vulnerabilities_helper_spec.rb
+++ b/ee/spec/helpers/vulnerabilities_helper_spec.rb
@@ -108,4 +108,41 @@ describe VulnerabilitiesHelper do
      )
    end
  end
+
+  describe '#vulnerability_file_link' do
+    let(:project) { create(:project, :repository, :public) }
+    let(:pipeline) { create(:ci_pipeline, :success, project: project) }
+    let(:finding) { create(:vulnerabilities_occurrence, pipelines: [pipeline], project: project, severity: :high) }
+    let(:vulnerability) { create(:vulnerability, findings: [finding], project: project) }
+
+    subject { helper.vulnerability_file_link(vulnerability) }
+
+    it 'returns a link to the vulnerability file location' do
+      expect(subject).to include(
+        vulnerability.finding.location['file'],
+        "#{vulnerability.finding.location['start_line']}",
+        vulnerability.finding.pipelines&.last&.sha
+      )
+    end
+
+    context 'when vulnerability is not linked to a commit' do
+      it 'uses the default branch' do
+        vulnerability.finding.pipelines = []
+        vulnerability.finding.save
+
+        expect(subject).to include(
+          vulnerability.project.default_branch
+        )
+      end
+    end
+
+    context 'when vulnerability is not on a specific line' do
+      it 'does not include a reference to the line number' do
+        vulnerability.finding.location['start_line'] = nil
+        vulnerability.finding.save
+
+        expect(subject).not_to include('#L')
+      end
+    end
+  end
 end
--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -4001,6 +4001,9 @@ msgstr ""
 msgid "Class"
 msgstr ""

+msgid "Class:"
+msgstr ""
+
 msgid "Classification Label (optional)"
 msgstr ""

@@ -8999,6 +9002,9 @@ msgstr ""
 msgid "File upload error."
 msgstr ""

+msgid "File:"
+msgstr ""
+
 msgid "Files"
 msgstr ""

@@ -12173,6 +12179,9 @@ msgstr ""
 msgid "Localization"
 msgstr ""

+msgid "Location"
+msgstr ""
+
 msgid "Lock"
 msgstr ""

@@ -12752,6 +12761,9 @@ msgstr ""
 msgid "Method"
 msgstr ""

+msgid "Method:"
+msgstr ""
+
 msgid "Metric was successfully added."
 msgstr ""