Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
1
Merge Requests
1
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
gitlab-ce
Commits
5fe4b7d0
Commit
5fe4b7d0
authored
Dec 17, 2019
by
Cameron Swords
Committed by
Thong Kuah
Dec 17, 2019
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Parsers have access to JobArtifacts
The JobArtifact is required to retrieve the creation date
parent
d9d063b9
Changes
27
Show whitespace changes
Inline
Side-by-side
Showing
27 changed files
with
342 additions
and
184 deletions
+342
-184
app/models/ci/build.rb
app/models/ci/build.rb
+1
-1
ee/app/finders/security/pipeline_vulnerabilities_finder.rb
ee/app/finders/security/pipeline_vulnerabilities_finder.rb
+4
-8
ee/app/models/ee/ci/build.rb
ee/app/models/ee/ci/build.rb
+4
-4
ee/app/serializers/vulnerabilities/occurrence_reports_comparer_entity.rb
...ers/vulnerabilities/occurrence_reports_comparer_entity.rb
+3
-0
ee/app/services/security/merge_reports_service.rb
ee/app/services/security/merge_reports_service.rb
+2
-1
ee/lib/api/vulnerability_findings.rb
ee/lib/api/vulnerability_findings.rb
+2
-1
ee/lib/gitlab/ci/parsers/security/concerns/deprecated_syntax.rb
.../gitlab/ci/parsers/security/concerns/deprecated_syntax.rb
+0
-1
ee/lib/gitlab/ci/reports/security/aggregated_report.rb
ee/lib/gitlab/ci/reports/security/aggregated_report.rb
+24
-0
ee/lib/gitlab/ci/reports/security/report.rb
ee/lib/gitlab/ci/reports/security/report.rb
+4
-2
ee/lib/gitlab/ci/reports/security/reports.rb
ee/lib/gitlab/ci/reports/security/reports.rb
+2
-2
ee/lib/gitlab/ci/reports/security/vulnerability_reports_comparer.rb
...lab/ci/reports/security/vulnerability_reports_comparer.rb
+21
-5
ee/spec/factories/ci/reports/security/aggregated_reports.rb
ee/spec/factories/ci/reports/security/aggregated_reports.rb
+12
-0
ee/spec/factories/ci/reports/security/reports.rb
ee/spec/factories/ci/reports/security/reports.rb
+2
-1
ee/spec/finders/security/pipeline_vulnerabilities_finder_spec.rb
.../finders/security/pipeline_vulnerabilities_finder_spec.rb
+54
-51
ee/spec/lib/gitlab/ci/parsers/security/container_scanning_spec.rb
...lib/gitlab/ci/parsers/security/container_scanning_spec.rb
+1
-1
ee/spec/lib/gitlab/ci/parsers/security/dast_spec.rb
ee/spec/lib/gitlab/ci/parsers/security/dast_spec.rb
+1
-1
ee/spec/lib/gitlab/ci/parsers/security/dependency_scanning_spec.rb
...ib/gitlab/ci/parsers/security/dependency_scanning_spec.rb
+1
-1
ee/spec/lib/gitlab/ci/parsers/security/sast_spec.rb
ee/spec/lib/gitlab/ci/parsers/security/sast_spec.rb
+3
-2
ee/spec/lib/gitlab/ci/reports/security/aggregated_report_spec.rb
.../lib/gitlab/ci/reports/security/aggregated_report_spec.rb
+45
-0
ee/spec/lib/gitlab/ci/reports/security/report_spec.rb
ee/spec/lib/gitlab/ci/reports/security/report_spec.rb
+5
-3
ee/spec/lib/gitlab/ci/reports/security/reports_spec.rb
ee/spec/lib/gitlab/ci/reports/security/reports_spec.rb
+8
-6
ee/spec/lib/gitlab/ci/reports/security/vulnerability_reports_comparer_spec.rb
...i/reports/security/vulnerability_reports_comparer_spec.rb
+87
-54
ee/spec/models/ci/build_spec.rb
ee/spec/models/ci/build_spec.rb
+22
-20
ee/spec/models/ci/pipeline_spec.rb
ee/spec/models/ci/pipeline_spec.rb
+12
-12
ee/spec/serializers/vulnerabilities/occurrence_reports_comparer_entity_spec.rb
...ulnerabilities/occurrence_reports_comparer_entity_spec.rb
+16
-3
ee/spec/services/security/store_report_service_spec.rb
ee/spec/services/security/store_report_service_spec.rb
+2
-2
ee/spec/services/security/store_reports_service_spec.rb
ee/spec/services/security/store_reports_service_spec.rb
+4
-2
No files found.
app/models/ci/build.rb
View file @
5fe4b7d0
...
@@ -887,7 +887,7 @@ module Ci
...
@@ -887,7 +887,7 @@ module Ci
def
each_report
(
report_types
)
def
each_report
(
report_types
)
job_artifacts_for_types
(
report_types
).
each
do
|
report_artifact
|
job_artifacts_for_types
(
report_types
).
each
do
|
report_artifact
|
report_artifact
.
each_blob
do
|
blob
|
report_artifact
.
each_blob
do
|
blob
|
yield
report_artifact
.
file_type
,
blob
yield
report_artifact
.
file_type
,
blob
,
report_artifact
end
end
end
end
end
end
...
...
ee/app/finders/security/pipeline_vulnerabilities_finder.rb
View file @
5fe4b7d0
...
@@ -24,13 +24,9 @@ module Security
...
@@ -24,13 +24,9 @@ module Security
end
end
def
execute
def
execute
reports
=
pipeline_reports
requested_reports
=
pipeline_reports
.
select
{
|
report_type
|
requested_type?
(
report_type
)
}
return
[]
if
reports
.
nil?
occurrences
=
reports
.
each_with_object
([])
do
|
(
type
,
report
),
occurrences
|
next
unless
requested_type?
(
type
)
occurrences
=
requested_reports
.
each_with_object
([])
do
|
(
type
,
report
),
occurrences
|
raise
ParseError
,
'JSON parsing failed'
if
report
.
error
.
is_a?
(
Gitlab
::
Ci
::
Parsers
::
Security
::
Common
::
SecurityReportParserError
)
raise
ParseError
,
'JSON parsing failed'
if
report
.
error
.
is_a?
(
Gitlab
::
Ci
::
Parsers
::
Security
::
Common
::
SecurityReportParserError
)
normalized_occurrences
=
normalize_report_occurrences
(
normalized_occurrences
=
normalize_report_occurrences
(
...
@@ -41,7 +37,7 @@ module Security
...
@@ -41,7 +37,7 @@ module Security
occurrences
.
concat
(
filtered_occurrences
)
occurrences
.
concat
(
filtered_occurrences
)
end
end
sort_occurrences
(
occurrences
)
Gitlab
::
Ci
::
Reports
::
Security
::
AggregatedReport
.
new
(
requested_reports
.
values
,
sort_occurrences
(
occurrences
)
)
end
end
private
private
...
@@ -63,7 +59,7 @@ module Security
...
@@ -63,7 +59,7 @@ module Security
end
end
def
pipeline_reports
def
pipeline_reports
pipeline
&
.
security_reports
&
.
reports
pipeline
&
.
security_reports
&
.
reports
||
{}
end
end
def
vulnerabilities_by_finding_fingerprint
(
report_type
,
report
)
def
vulnerabilities_by_finding_fingerprint
(
report_type
,
report
)
...
...
ee/app/models/ee/ci/build.rb
View file @
5fe4b7d0
...
@@ -48,8 +48,8 @@ module EE
...
@@ -48,8 +48,8 @@ module EE
end
end
def
collect_security_reports!
(
security_reports
)
def
collect_security_reports!
(
security_reports
)
each_report
(
::
Ci
::
JobArtifact
::
SECURITY_REPORT_FILE_TYPES
)
do
|
file_type
,
blob
|
each_report
(
::
Ci
::
JobArtifact
::
SECURITY_REPORT_FILE_TYPES
)
do
|
file_type
,
blob
,
report_artifact
|
security_reports
.
get_report
(
file_type
).
tap
do
|
security_report
|
security_reports
.
get_report
(
file_type
,
report_artifact
).
tap
do
|
security_report
|
next
unless
project
.
feature_available?
(
LICENSED_PARSER_FEATURES
.
fetch
(
file_type
))
next
unless
project
.
feature_available?
(
LICENSED_PARSER_FEATURES
.
fetch
(
file_type
))
parse_security_artifact_blob
(
security_report
,
blob
)
parse_security_artifact_blob
(
security_report
,
blob
)
...
@@ -75,7 +75,7 @@ module EE
...
@@ -75,7 +75,7 @@ module EE
if
project
.
feature_available?
(
:dependency_scanning
)
if
project
.
feature_available?
(
:dependency_scanning
)
dependency_list
=
::
Gitlab
::
Ci
::
Parsers
::
Security
::
DependencyList
.
new
(
project
,
sha
)
dependency_list
=
::
Gitlab
::
Ci
::
Parsers
::
Security
::
DependencyList
.
new
(
project
,
sha
)
each_report
(
::
Ci
::
JobArtifact
::
DEPENDENCY_LIST_REPORT_FILE_TYPES
)
do
|
file_type
,
blob
|
each_report
(
::
Ci
::
JobArtifact
::
DEPENDENCY_LIST_REPORT_FILE_TYPES
)
do
|
_
,
blob
|
dependency_list
.
parse!
(
blob
,
dependency_list_report
)
dependency_list
.
parse!
(
blob
,
dependency_list_report
)
end
end
end
end
...
@@ -87,7 +87,7 @@ module EE
...
@@ -87,7 +87,7 @@ module EE
if
project
.
feature_available?
(
:dependency_scanning
)
if
project
.
feature_available?
(
:dependency_scanning
)
dependency_list
=
::
Gitlab
::
Ci
::
Parsers
::
Security
::
DependencyList
.
new
(
project
,
sha
)
dependency_list
=
::
Gitlab
::
Ci
::
Parsers
::
Security
::
DependencyList
.
new
(
project
,
sha
)
each_report
(
::
Ci
::
JobArtifact
::
LICENSE_MANAGEMENT_REPORT_FILE_TYPES
)
do
|
file_type
,
blob
|
each_report
(
::
Ci
::
JobArtifact
::
LICENSE_MANAGEMENT_REPORT_FILE_TYPES
)
do
|
_
,
blob
|
dependency_list
.
parse_licenses!
(
blob
,
dependency_list_report
)
dependency_list
.
parse_licenses!
(
blob
,
dependency_list_report
)
end
end
end
end
...
...
ee/app/serializers/vulnerabilities/occurence_reports_comparer_entity.rb
→
ee/app/serializers/vulnerabilities/occur
r
ence_reports_comparer_entity.rb
View file @
5fe4b7d0
# frozen_string_literal: true
# frozen_string_literal: true
class
Vulnerabilities::OccurrenceReportsComparerEntity
<
Grape
::
Entity
class
Vulnerabilities::OccurrenceReportsComparerEntity
<
Grape
::
Entity
expose
:base_report_created_at
expose
:base_report_out_of_date
expose
:head_report_created_at
expose
:added
,
using:
Vulnerabilities
::
OccurrenceEntity
expose
:added
,
using:
Vulnerabilities
::
OccurrenceEntity
expose
:fixed
,
using:
Vulnerabilities
::
OccurrenceEntity
expose
:fixed
,
using:
Vulnerabilities
::
OccurrenceEntity
expose
:existing
,
using:
Vulnerabilities
::
OccurrenceEntity
expose
:existing
,
using:
Vulnerabilities
::
OccurrenceEntity
...
...
ee/app/services/security/merge_reports_service.rb
View file @
5fe4b7d0
...
@@ -20,7 +20,8 @@ module Security
...
@@ -20,7 +20,8 @@ module Security
@source_reports
=
source_reports
@source_reports
=
source_reports
@target_report
=
::
Gitlab
::
Ci
::
Reports
::
Security
::
Report
.
new
(
@target_report
=
::
Gitlab
::
Ci
::
Reports
::
Security
::
Report
.
new
(
@source_reports
.
first
.
type
,
@source_reports
.
first
.
type
,
@source_reports
.
first
.
commit_sha
@source_reports
.
first
.
commit_sha
,
@source_reports
.
first
.
created_at
)
)
@occurrences
=
[]
@occurrences
=
[]
end
end
...
...
ee/lib/api/vulnerability_findings.rb
View file @
5fe4b7d0
...
@@ -14,7 +14,8 @@ module API
...
@@ -14,7 +14,8 @@ module API
return
[]
unless
pipeline
return
[]
unless
pipeline
Security
::
PipelineVulnerabilitiesFinder
.
new
(
pipeline:
pipeline
,
params:
params
).
execute
aggregated_report
=
Security
::
PipelineVulnerabilitiesFinder
.
new
(
pipeline:
pipeline
,
params:
params
).
execute
aggregated_report
.
occurrences
end
end
end
end
...
...
ee/lib/gitlab/ci/parsers/security/concerns/deprecated_syntax.rb
View file @
5fe4b7d0
...
@@ -18,7 +18,6 @@ module Gitlab
...
@@ -18,7 +18,6 @@ module Gitlab
report
=
super
report
=
super
if
report
.
is_a?
(
Array
)
if
report
.
is_a?
(
Array
)
puts
self
.
class
report
=
{
report
=
{
"version"
=>
self
.
class
::
DEPRECATED_REPORT_VERSION
,
"version"
=>
self
.
class
::
DEPRECATED_REPORT_VERSION
,
"vulnerabilities"
=>
report
"vulnerabilities"
=>
report
...
...
ee/lib/gitlab/ci/reports/security/aggregated_report.rb
0 → 100644
View file @
5fe4b7d0
# frozen_string_literal: true
# Used to represent combined Security Reports. This is typically done for vulnerability deduplication purposes.
module
Gitlab
module
Ci
module
Reports
module
Security
class
AggregatedReport
attr_reader
:occurrences
def
initialize
(
reports
,
occurrences
)
@reports
=
reports
@occurrences
=
occurrences
end
def
created_at
@reports
.
map
(
&
:created_at
).
compact
.
min
end
end
end
end
end
end
ee/lib/gitlab/ci/reports/security/report.rb
View file @
5fe4b7d0
...
@@ -7,6 +7,7 @@ module Gitlab
...
@@ -7,6 +7,7 @@ module Gitlab
class
Report
class
Report
UNSAFE_SEVERITIES
=
%w[unknown high critical]
.
freeze
UNSAFE_SEVERITIES
=
%w[unknown high critical]
.
freeze
attr_reader
:created_at
attr_reader
:type
attr_reader
:type
attr_reader
:commit_sha
attr_reader
:commit_sha
attr_reader
:occurrences
attr_reader
:occurrences
...
@@ -15,9 +16,10 @@ module Gitlab
...
@@ -15,9 +16,10 @@ module Gitlab
attr_accessor
:error
attr_accessor
:error
def
initialize
(
type
,
commit_sha
)
def
initialize
(
type
,
commit_sha
,
created_at
)
@type
=
type
@type
=
type
@commit_sha
=
commit_sha
@commit_sha
=
commit_sha
@created_at
=
created_at
@occurrences
=
[]
@occurrences
=
[]
@scanners
=
{}
@scanners
=
{}
@identifiers
=
{}
@identifiers
=
{}
...
@@ -40,7 +42,7 @@ module Gitlab
...
@@ -40,7 +42,7 @@ module Gitlab
end
end
def
clone_as_blank
def
clone_as_blank
Report
.
new
(
type
,
commit_sha
)
Report
.
new
(
type
,
commit_sha
,
created_at
)
end
end
def
replace_with!
(
other
)
def
replace_with!
(
other
)
...
...
ee/lib/gitlab/ci/reports/security/reports.rb
View file @
5fe4b7d0
...
@@ -14,8 +14,8 @@ module Gitlab
...
@@ -14,8 +14,8 @@ module Gitlab
@commit_sha
=
commit_sha
@commit_sha
=
commit_sha
end
end
def
get_report
(
report_type
)
def
get_report
(
report_type
,
report_artifact
)
reports
[
report_type
]
||=
Report
.
new
(
report_type
,
commit_sha
)
reports
[
report_type
]
||=
Report
.
new
(
report_type
,
commit_sha
,
report_artifact
.
created_at
)
end
end
def
violates_default_policy?
def
violates_default_policy?
...
...
ee/lib/gitlab/ci/reports/security/vulnerability_reports_comparer.rb
View file @
5fe4b7d0
...
@@ -9,27 +9,43 @@ module Gitlab
...
@@ -9,27 +9,43 @@ module Gitlab
attr_reader
:base_report
,
:head_report
attr_reader
:base_report
,
:head_report
ACCEPTABLE_REPORT_AGE
=
1
.
week
def
initialize
(
base_report
,
head_report
)
def
initialize
(
base_report
,
head_report
)
@base_report
=
base_report
||
[]
@base_report
=
base_report
@head_report
=
head_report
||
[]
@head_report
=
head_report
end
def
base_report_created_at
@base_report
.
created_at
end
def
head_report_created_at
@head_report
.
created_at
end
def
base_report_out_of_date
return
false
unless
@base_report
.
created_at
ACCEPTABLE_REPORT_AGE
.
ago
>
@base_report
.
created_at
end
end
def
added
def
added
strong_memoize
(
:added
)
do
strong_memoize
(
:added
)
do
head_report
-
base_report
head_report
.
occurrences
-
base_report
.
occurrences
end
end
end
end
def
fixed
def
fixed
strong_memoize
(
:fixed
)
do
strong_memoize
(
:fixed
)
do
base_report
-
head_report
base_report
.
occurrences
-
head_report
.
occurrences
end
end
end
end
def
existing
def
existing
strong_memoize
(
:existing
)
do
strong_memoize
(
:existing
)
do
# Existing vulnerabilities should point to source report for most recent information
# Existing vulnerabilities should point to source report for most recent information
head_report
&
base_report
head_report
.
occurrences
&
base_report
.
occurrences
end
end
end
end
end
end
...
...
ee/spec/factories/ci/reports/security/aggregated_reports.rb
0 → 100644
View file @
5fe4b7d0
# frozen_string_literal: true
FactoryBot
.
define
do
factory
:ci_reports_security_aggregated_reports
,
class:
::
Gitlab
::
Ci
::
Reports
::
Security
::
AggregatedReport
do
reports
{
FactoryBot
.
build_list
(
:ci_reports_security_report
,
1
)
}
occurrences
{
FactoryBot
.
build_list
(
:ci_reports_security_occurrence
,
1
)
}
initialize_with
do
::
Gitlab
::
Ci
::
Reports
::
Security
::
AggregatedReport
.
new
(
reports
,
occurrences
)
end
end
end
ee/spec/factories/ci/reports/security/reports.rb
View file @
5fe4b7d0
...
@@ -4,6 +4,7 @@ FactoryBot.define do
...
@@ -4,6 +4,7 @@ FactoryBot.define do
factory
:ci_reports_security_report
,
class:
::
Gitlab
::
Ci
::
Reports
::
Security
::
Report
do
factory
:ci_reports_security_report
,
class:
::
Gitlab
::
Ci
::
Reports
::
Security
::
Report
do
type
{
:sast
}
type
{
:sast
}
commit_sha
{
Digest
::
SHA1
.
hexdigest
(
SecureRandom
.
hex
)
}
commit_sha
{
Digest
::
SHA1
.
hexdigest
(
SecureRandom
.
hex
)
}
created_at
{
2
.
weeks
.
ago
}
transient
do
transient
do
occurrences
{
[]
}
occurrences
{
[]
}
...
@@ -20,7 +21,7 @@ FactoryBot.define do
...
@@ -20,7 +21,7 @@ FactoryBot.define do
skip_create
skip_create
initialize_with
do
initialize_with
do
::
Gitlab
::
Ci
::
Reports
::
Security
::
Report
.
new
(
type
,
commit_sha
)
::
Gitlab
::
Ci
::
Reports
::
Security
::
Report
.
new
(
type
,
commit_sha
,
created_at
)
end
end
end
end
end
end
ee/spec/finders/security/pipeline_vulnerabilities_finder_spec.rb
View file @
5fe4b7d0
...
@@ -53,8 +53,9 @@ describe Security::PipelineVulnerabilitiesFinder do
...
@@ -53,8 +53,9 @@ describe Security::PipelineVulnerabilitiesFinder do
subject
{
described_class
.
new
(
pipeline:
pipeline
,
params:
params
).
execute
}
subject
{
described_class
.
new
(
pipeline:
pipeline
,
params:
params
).
execute
}
context
'occurrences'
do
it
'assigns commit sha to findings'
do
it
'assigns commit sha to findings'
do
expect
(
subject
.
map
(
&
:sha
).
uniq
).
to
eq
[
pipeline
.
sha
]
expect
(
subject
.
occurrences
.
map
(
&
:sha
).
uniq
).
to
eq
([
pipeline
.
sha
])
end
end
context
'by order'
do
context
'by order'
do
...
@@ -77,7 +78,8 @@ describe Security::PipelineVulnerabilitiesFinder do
...
@@ -77,7 +78,8 @@ describe Security::PipelineVulnerabilitiesFinder do
high_high
high_high
])
])
expect
(
subject
).
to
eq
([
critical_high
,
critical_medium
,
high_high
,
unknown_high
,
unknown_medium
,
unknown_low
])
expect
(
subject
.
occurrences
).
to
eq
([
critical_high
,
critical_medium
,
high_high
,
unknown_high
,
unknown_medium
,
unknown_low
])
end
end
end
end
end
end
end
...
@@ -88,8 +90,8 @@ describe Security::PipelineVulnerabilitiesFinder do
...
@@ -88,8 +90,8 @@ describe Security::PipelineVulnerabilitiesFinder do
let
(
:sast_report_fingerprints
)
{
pipeline
.
security_reports
.
reports
[
'sast'
].
occurrences
.
map
(
&
:location
).
map
(
&
:fingerprint
)
}
let
(
:sast_report_fingerprints
)
{
pipeline
.
security_reports
.
reports
[
'sast'
].
occurrences
.
map
(
&
:location
).
map
(
&
:fingerprint
)
}
it
'includes only sast'
do
it
'includes only sast'
do
expect
(
subject
.
map
(
&
:location_fingerprint
)).
to
match_array
(
sast_report_fingerprints
)
expect
(
subject
.
occurrences
.
map
(
&
:location_fingerprint
)).
to
match_array
(
sast_report_fingerprints
)
expect
(
subject
.
count
).
to
eq
sast_count
expect
(
subject
.
occurrences
.
count
).
to
eq
(
sast_count
)
end
end
end
end
...
@@ -98,8 +100,8 @@ describe Security::PipelineVulnerabilitiesFinder do
...
@@ -98,8 +100,8 @@ describe Security::PipelineVulnerabilitiesFinder do
let
(
:ds_report_fingerprints
)
{
pipeline
.
security_reports
.
reports
[
'dependency_scanning'
].
occurrences
.
map
(
&
:location
).
map
(
&
:fingerprint
)
}
let
(
:ds_report_fingerprints
)
{
pipeline
.
security_reports
.
reports
[
'dependency_scanning'
].
occurrences
.
map
(
&
:location
).
map
(
&
:fingerprint
)
}
it
'includes only dependency_scanning'
do
it
'includes only dependency_scanning'
do
expect
(
subject
.
map
(
&
:location_fingerprint
)).
to
match_array
(
ds_report_fingerprints
)
expect
(
subject
.
occurrences
.
map
(
&
:location_fingerprint
)).
to
match_array
(
ds_report_fingerprints
)
expect
(
subject
.
count
).
to
eq
ds_count
expect
(
subject
.
occurrences
.
count
).
to
eq
(
ds_count
)
end
end
end
end
...
@@ -108,8 +110,8 @@ describe Security::PipelineVulnerabilitiesFinder do
...
@@ -108,8 +110,8 @@ describe Security::PipelineVulnerabilitiesFinder do
let
(
:dast_report_fingerprints
)
{
pipeline
.
security_reports
.
reports
[
'dast'
].
occurrences
.
map
(
&
:location
).
map
(
&
:fingerprint
)
}
let
(
:dast_report_fingerprints
)
{
pipeline
.
security_reports
.
reports
[
'dast'
].
occurrences
.
map
(
&
:location
).
map
(
&
:fingerprint
)
}
it
'includes only dast'
do
it
'includes only dast'
do
expect
(
subject
.
map
(
&
:location_fingerprint
)).
to
match_array
(
dast_report_fingerprints
)
expect
(
subject
.
occurrences
.
map
(
&
:location_fingerprint
)).
to
match_array
(
dast_report_fingerprints
)
expect
(
subject
.
count
).
to
eq
dast_count
expect
(
subject
.
occurrences
.
count
).
to
eq
(
dast_count
)
end
end
end
end
...
@@ -118,8 +120,8 @@ describe Security::PipelineVulnerabilitiesFinder do
...
@@ -118,8 +120,8 @@ describe Security::PipelineVulnerabilitiesFinder do
it
'includes only container_scanning'
do
it
'includes only container_scanning'
do
fingerprints
=
pipeline
.
security_reports
.
reports
[
'container_scanning'
].
occurrences
.
map
(
&
:location
).
map
(
&
:fingerprint
)
fingerprints
=
pipeline
.
security_reports
.
reports
[
'container_scanning'
].
occurrences
.
map
(
&
:location
).
map
(
&
:fingerprint
)
expect
(
subject
.
map
(
&
:location_fingerprint
)).
to
match_array
(
fingerprints
)
expect
(
subject
.
occurrences
.
map
(
&
:location_fingerprint
)).
to
match_array
(
fingerprints
)
expect
(
subject
.
count
).
to
eq
cs_count
expect
(
subject
.
occurrences
.
count
).
to
eq
(
cs_count
)
end
end
end
end
end
end
...
@@ -155,8 +157,8 @@ describe Security::PipelineVulnerabilitiesFinder do
...
@@ -155,8 +157,8 @@ describe Security::PipelineVulnerabilitiesFinder do
subject
{
described_class
.
new
(
pipeline:
pipeline
).
execute
}
subject
{
described_class
.
new
(
pipeline:
pipeline
).
execute
}
it
'returns non-dismissed vulnerabilities'
do
it
'returns non-dismissed vulnerabilities'
do
expect
(
subject
.
count
).
to
eq
cs_count
+
dast_count
+
ds_count
+
sast_count
-
feedback
.
count
expect
(
subject
.
occurrences
.
count
).
to
eq
(
cs_count
+
dast_count
+
ds_count
+
sast_count
-
feedback
.
count
)
expect
(
subject
.
map
(
&
:project_fingerprint
)).
not_to
include
(
*
feedback
.
map
(
&
:project_fingerprint
))
expect
(
subject
.
occurrences
.
map
(
&
:project_fingerprint
)).
not_to
include
(
*
feedback
.
map
(
&
:project_fingerprint
))
end
end
end
end
...
@@ -164,8 +166,8 @@ describe Security::PipelineVulnerabilitiesFinder do
...
@@ -164,8 +166,8 @@ describe Security::PipelineVulnerabilitiesFinder do
subject
{
described_class
.
new
(
pipeline:
pipeline
,
params:
{
report_type:
%w[dependency_scanning]
,
scope:
'dismissed'
}
).
execute
}
subject
{
described_class
.
new
(
pipeline:
pipeline
,
params:
{
report_type:
%w[dependency_scanning]
,
scope:
'dismissed'
}
).
execute
}
it
'returns non-dismissed vulnerabilities'
do
it
'returns non-dismissed vulnerabilities'
do
expect
(
subject
.
count
).
to
eq
(
ds_count
-
1
)
expect
(
subject
.
occurrences
.
count
).
to
eq
(
ds_count
-
1
)
expect
(
subject
.
map
(
&
:project_fingerprint
)).
not_to
include
(
ds_occurrence
.
project_fingerprint
)
expect
(
subject
.
occurrences
.
map
(
&
:project_fingerprint
)).
not_to
include
(
ds_occurrence
.
project_fingerprint
)
end
end
end
end
...
@@ -173,7 +175,7 @@ describe Security::PipelineVulnerabilitiesFinder do
...
@@ -173,7 +175,7 @@ describe Security::PipelineVulnerabilitiesFinder do
let
(
:params
)
{
{
report_type:
%w[sast dast container_scanning dependency_scanning]
,
scope:
'all'
}
}
let
(
:params
)
{
{
report_type:
%w[sast dast container_scanning dependency_scanning]
,
scope:
'all'
}
}
it
'returns all vulnerabilities'
do
it
'returns all vulnerabilities'
do
expect
(
subject
.
count
).
to
eq
cs_count
+
dast_count
+
ds_count
+
sast_count
expect
(
subject
.
occurrences
.
count
).
to
eq
(
cs_count
+
dast_count
+
ds_count
+
sast_count
)
end
end
end
end
end
end
...
@@ -183,7 +185,7 @@ describe Security::PipelineVulnerabilitiesFinder do
...
@@ -183,7 +185,7 @@ describe Security::PipelineVulnerabilitiesFinder do
subject
{
described_class
.
new
(
pipeline:
pipeline
).
execute
}
subject
{
described_class
.
new
(
pipeline:
pipeline
).
execute
}
it
'returns all vulnerability severity levels'
do
it
'returns all vulnerability severity levels'
do
expect
(
subject
.
map
(
&
:severity
).
uniq
).
to
match_array
%w[undefined unknown low medium high critical info]
expect
(
subject
.
occurrences
.
map
(
&
:severity
).
uniq
).
to
match_array
(
%w[undefined unknown low medium high critical info]
)
end
end
end
end
...
@@ -191,7 +193,7 @@ describe Security::PipelineVulnerabilitiesFinder do
...
@@ -191,7 +193,7 @@ describe Security::PipelineVulnerabilitiesFinder do
subject
{
described_class
.
new
(
pipeline:
pipeline
,
params:
{
severity:
'low'
}
).
execute
}
subject
{
described_class
.
new
(
pipeline:
pipeline
,
params:
{
severity:
'low'
}
).
execute
}
it
'returns only low-severity vulnerabilities'
do
it
'returns only low-severity vulnerabilities'
do
expect
(
subject
.
map
(
&
:severity
).
uniq
).
to
match_array
%w[low]
expect
(
subject
.
occurrences
.
map
(
&
:severity
).
uniq
).
to
match_array
(
%w[low]
)
end
end
end
end
end
end
...
@@ -201,7 +203,7 @@ describe Security::PipelineVulnerabilitiesFinder do
...
@@ -201,7 +203,7 @@ describe Security::PipelineVulnerabilitiesFinder do
subject
{
described_class
.
new
(
pipeline:
pipeline
).
execute
}
subject
{
described_class
.
new
(
pipeline:
pipeline
).
execute
}
it
'returns all vulnerability confidence levels'
do
it
'returns all vulnerability confidence levels'
do
expect
(
subject
.
map
(
&
:confidence
).
uniq
).
to
match_array
%w[undefined unknown low medium high]
expect
(
subject
.
occurrences
.
map
(
&
:confidence
).
uniq
).
to
match_array
%w[undefined unknown low medium high]
end
end
end
end
...
@@ -209,7 +211,7 @@ describe Security::PipelineVulnerabilitiesFinder do
...
@@ -209,7 +211,7 @@ describe Security::PipelineVulnerabilitiesFinder do
subject
{
described_class
.
new
(
pipeline:
pipeline
,
params:
{
confidence:
'medium'
}
).
execute
}
subject
{
described_class
.
new
(
pipeline:
pipeline
,
params:
{
confidence:
'medium'
}
).
execute
}
it
'returns only medium-confidence vulnerabilities'
do
it
'returns only medium-confidence vulnerabilities'
do
expect
(
subject
.
map
(
&
:confidence
).
uniq
).
to
match_array
%w[medium]
expect
(
subject
.
occurrences
.
map
(
&
:confidence
).
uniq
).
to
match_array
(
%w[medium]
)
end
end
end
end
end
end
...
@@ -219,9 +221,9 @@ describe Security::PipelineVulnerabilitiesFinder do
...
@@ -219,9 +221,9 @@ describe Security::PipelineVulnerabilitiesFinder do
let
(
:params
)
{
{
report_type:
%w[sast dast container_scanning dependency_scanning]
,
scope:
'all'
}
}
let
(
:params
)
{
{
report_type:
%w[sast dast container_scanning dependency_scanning]
,
scope:
'all'
}
}
it
'filters by all params'
do
it
'filters by all params'
do
expect
(
subject
.
count
).
to
eq
cs_count
+
dast_count
+
ds_count
+
sast_count
expect
(
subject
.
occurrences
.
count
).
to
eq
(
cs_count
+
dast_count
+
ds_count
+
sast_count
)
expect
(
subject
.
map
(
&
:confidence
).
uniq
).
to
match_array
%w[undefined unknown low medium high]
expect
(
subject
.
occurrences
.
map
(
&
:confidence
).
uniq
).
to
match_array
(
%w[undefined unknown low medium high]
)
expect
(
subject
.
map
(
&
:severity
).
uniq
).
to
match_array
%w[undefined unknown low medium high critical info]
expect
(
subject
.
occurrences
.
map
(
&
:severity
).
uniq
).
to
match_array
(
%w[undefined unknown low medium high critical info]
)
end
end
end
end
...
@@ -229,7 +231,8 @@ describe Security::PipelineVulnerabilitiesFinder do
...
@@ -229,7 +231,8 @@ describe Security::PipelineVulnerabilitiesFinder do
let
(
:params
)
{
{
report_type:
%w[code_quality]
}
}
let
(
:params
)
{
{
report_type:
%w[code_quality]
}
}
it
'did not find anything'
do
it
'did not find anything'
do
is_expected
.
to
be_empty
expect
(
subject
.
created_at
).
to
be_nil
expect
(
subject
.
occurrences
).
to
be_empty
end
end
end
end
end
end
...
@@ -238,7 +241,7 @@ describe Security::PipelineVulnerabilitiesFinder do
...
@@ -238,7 +241,7 @@ describe Security::PipelineVulnerabilitiesFinder do
subject
{
described_class
.
new
(
pipeline:
pipeline
).
execute
}
subject
{
described_class
.
new
(
pipeline:
pipeline
).
execute
}
it
'returns all report_types'
do
it
'returns all report_types'
do
expect
(
subject
.
count
).
to
eq
cs_count
+
dast_count
+
ds_count
+
sast_count
expect
(
subject
.
occurrences
.
count
).
to
eq
(
cs_count
+
dast_count
+
ds_count
+
sast_count
)
end
end
end
end
...
@@ -279,14 +282,14 @@ describe Security::PipelineVulnerabilitiesFinder do
...
@@ -279,14 +282,14 @@ describe Security::PipelineVulnerabilitiesFinder do
subject
{
described_class
.
new
(
pipeline:
pipeline
,
params:
{
report_type:
%w[sast]
,
scope:
'all'
}).
execute
}
subject
{
described_class
.
new
(
pipeline:
pipeline
,
params:
{
report_type:
%w[sast]
,
scope:
'all'
}).
execute
}
it
'assigns vulnerability records to findings providing them with computed state'
do
it
'assigns vulnerability records to findings providing them with computed state'
do
confirmed
=
subject
.
find
{
|
f
|
f
.
project_fingerprint
==
confirmed_fingerprint
}
confirmed
=
subject
.
occurrences
.
find
{
|
f
|
f
.
project_fingerprint
==
confirmed_fingerprint
}
resolved
=
subject
.
find
{
|
f
|
f
.
project_fingerprint
==
resolved_fingerprint
}
resolved
=
subject
.
occurrences
.
find
{
|
f
|
f
.
project_fingerprint
==
resolved_fingerprint
}
dismissed
=
subject
.
find
{
|
f
|
f
.
project_fingerprint
==
dismissed_fingerprint
}
dismissed
=
subject
.
occurrences
.
find
{
|
f
|
f
.
project_fingerprint
==
dismissed_fingerprint
}
expect
(
confirmed
.
state
).
to
eq
'confirmed'
expect
(
confirmed
.
state
).
to
eq
'confirmed'
expect
(
resolved
.
state
).
to
eq
'resolved'
expect
(
resolved
.
state
).
to
eq
'resolved'
expect
(
dismissed
.
state
).
to
eq
'dismissed'
expect
(
dismissed
.
state
).
to
eq
'dismissed'
expect
(
subject
-
[
confirmed
,
resolved
,
dismissed
]).
to
all
have_attributes
(
state:
'opened'
)
expect
(
subject
.
occurrences
-
[
confirmed
,
resolved
,
dismissed
]).
to
all
(
have_attributes
(
state:
'opened'
)
)
end
end
end
end
...
@@ -297,7 +300,7 @@ describe Security::PipelineVulnerabilitiesFinder do
...
@@ -297,7 +300,7 @@ describe Security::PipelineVulnerabilitiesFinder do
select_proc
=
proc
{
|
o
|
o
.
severity
==
'medium'
&&
o
.
confidence
==
'high'
}
select_proc
=
proc
{
|
o
|
o
.
severity
==
'medium'
&&
o
.
confidence
==
'high'
}
report_occurrences
=
pipeline
.
security_reports
.
reports
[
'sast'
].
occurrences
.
select
(
&
select_proc
)
report_occurrences
=
pipeline
.
security_reports
.
reports
[
'sast'
].
occurrences
.
select
(
&
select_proc
)
found_occurrences
=
subject
.
select
(
&
select_proc
)
found_occurrences
=
subject
.
occurrences
.
select
(
&
select_proc
)
found_occurrences
.
each_with_index
do
|
found
,
i
|
found_occurrences
.
each_with_index
do
|
found
,
i
|
expect
(
found
.
metadata
[
'cve'
]).
to
eq
(
report_occurrences
[
i
].
compare_key
)
expect
(
found
.
metadata
[
'cve'
]).
to
eq
(
report_occurrences
[
i
].
compare_key
)
...
...
ee/spec/lib/gitlab/ci/parsers/security/container_scanning_spec.rb
View file @
5fe4b7d0
...
@@ -6,7 +6,7 @@ describe Gitlab::Ci::Parsers::Security::ContainerScanning do
...
@@ -6,7 +6,7 @@ describe Gitlab::Ci::Parsers::Security::ContainerScanning do
let
(
:parser
)
{
described_class
.
new
}
let
(
:parser
)
{
described_class
.
new
}
let
(
:project
)
{
artifact
.
project
}
let
(
:project
)
{
artifact
.
project
}
let
(
:pipeline
)
{
artifact
.
job
.
pipeline
}
let
(
:pipeline
)
{
artifact
.
job
.
pipeline
}
let
(
:report
)
{
Gitlab
::
Ci
::
Reports
::
Security
::
Report
.
new
(
artifact
.
file_type
,
pipeline
.
sha
)
}
let
(
:report
)
{
Gitlab
::
Ci
::
Reports
::
Security
::
Report
.
new
(
artifact
.
file_type
,
pipeline
.
sha
,
2
.
weeks
.
ago
)
}
before
do
before
do
artifact
.
each_blob
do
|
blob
|
artifact
.
each_blob
do
|
blob
|
...
...
ee/spec/lib/gitlab/ci/parsers/security/dast_spec.rb
View file @
5fe4b7d0
...
@@ -9,7 +9,7 @@ describe Gitlab::Ci::Parsers::Security::Dast do
...
@@ -9,7 +9,7 @@ describe Gitlab::Ci::Parsers::Security::Dast do
let
(
:project
)
{
artifact
.
project
}
let
(
:project
)
{
artifact
.
project
}
let
(
:pipeline
)
{
artifact
.
job
.
pipeline
}
let
(
:pipeline
)
{
artifact
.
job
.
pipeline
}
let
(
:artifact
)
{
create
(
:ee_ci_job_artifact
,
:dast
)
}
let
(
:artifact
)
{
create
(
:ee_ci_job_artifact
,
:dast
)
}
let
(
:report
)
{
Gitlab
::
Ci
::
Reports
::
Security
::
Report
.
new
(
artifact
.
file_type
,
pipeline
.
sha
)
}
let
(
:report
)
{
Gitlab
::
Ci
::
Reports
::
Security
::
Report
.
new
(
artifact
.
file_type
,
pipeline
.
sha
,
2
.
weeks
.
ago
)
}
let
(
:parser
)
{
described_class
.
new
}
let
(
:parser
)
{
described_class
.
new
}
where
(
:report_format
,
where
(
:report_format
,
...
...
ee/spec/lib/gitlab/ci/parsers/security/dependency_scanning_spec.rb
View file @
5fe4b7d0
...
@@ -9,7 +9,7 @@ describe Gitlab::Ci::Parsers::Security::DependencyScanning do
...
@@ -9,7 +9,7 @@ describe Gitlab::Ci::Parsers::Security::DependencyScanning do
let
(
:project
)
{
artifact
.
project
}
let
(
:project
)
{
artifact
.
project
}
let
(
:pipeline
)
{
artifact
.
job
.
pipeline
}
let
(
:pipeline
)
{
artifact
.
job
.
pipeline
}
let
(
:artifact
)
{
create
(
:ee_ci_job_artifact
,
:dependency_scanning
)
}
let
(
:artifact
)
{
create
(
:ee_ci_job_artifact
,
:dependency_scanning
)
}
let
(
:report
)
{
Gitlab
::
Ci
::
Reports
::
Security
::
Report
.
new
(
artifact
.
file_type
,
pipeline
.
sha
)
}
let
(
:report
)
{
Gitlab
::
Ci
::
Reports
::
Security
::
Report
.
new
(
artifact
.
file_type
,
pipeline
.
sha
,
2
.
weeks
.
ago
)
}
let
(
:parser
)
{
described_class
.
new
}
let
(
:parser
)
{
described_class
.
new
}
where
(
:report_format
,
:occurrence_count
,
:identifier_count
,
:scanner_count
,
:file_path
,
:package_name
,
:package_version
,
:version
)
do
where
(
:report_format
,
:occurrence_count
,
:identifier_count
,
:scanner_count
,
:file_path
,
:package_name
,
:package_version
,
:version
)
do
...
...
ee/spec/lib/gitlab/ci/parsers/security/sast_spec.rb
View file @
5fe4b7d0
...
@@ -7,12 +7,13 @@ describe Gitlab::Ci::Parsers::Security::Sast do
...
@@ -7,12 +7,13 @@ describe Gitlab::Ci::Parsers::Security::Sast do
subject
(
:parser
)
{
described_class
.
new
}
subject
(
:parser
)
{
described_class
.
new
}
let
(
:commit_sha
)
{
"d8978e74745e18ce44d88814004d4255ac6a65bb"
}
let
(
:commit_sha
)
{
"d8978e74745e18ce44d88814004d4255ac6a65bb"
}
let
(
:created_at
)
{
2
.
weeks
.
ago
}
context
"when parsing valid reports"
do
context
"when parsing valid reports"
do
where
(
report_format:
%i(sast sast_deprecated)
)
where
(
report_format:
%i(sast sast_deprecated)
)
with_them
do
with_them
do
let
(
:report
)
{
Gitlab
::
Ci
::
Reports
::
Security
::
Report
.
new
(
artifact
.
file_type
,
commit_sha
)
}
let
(
:report
)
{
Gitlab
::
Ci
::
Reports
::
Security
::
Report
.
new
(
artifact
.
file_type
,
commit_sha
,
created_at
)
}
let
(
:artifact
)
{
create
(
:ee_ci_job_artifact
,
report_format
)
}
let
(
:artifact
)
{
create
(
:ee_ci_job_artifact
,
report_format
)
}
before
do
before
do
...
@@ -47,7 +48,7 @@ describe Gitlab::Ci::Parsers::Security::Sast do
...
@@ -47,7 +48,7 @@ describe Gitlab::Ci::Parsers::Security::Sast do
end
end
context
"when parsing an empty report"
do
context
"when parsing an empty report"
do
let
(
:report
)
{
Gitlab
::
Ci
::
Reports
::
Security
::
Report
.
new
(
'sast'
,
commit_sha
)
}
let
(
:report
)
{
Gitlab
::
Ci
::
Reports
::
Security
::
Report
.
new
(
'sast'
,
commit_sha
,
created_at
)
}
let
(
:blob
)
{
JSON
.
generate
({})
}
let
(
:blob
)
{
JSON
.
generate
({})
}
it
{
expect
(
parser
.
parse!
(
blob
,
report
)).
to
be_empty
}
it
{
expect
(
parser
.
parse!
(
blob
,
report
)).
to
be_empty
}
...
...
ee/spec/lib/gitlab/ci/reports/security/aggregated_report_spec.rb
0 → 100644
View file @
5fe4b7d0
# frozen_string_literal: true
require
'spec_helper'
describe
Gitlab
::
Ci
::
Reports
::
Security
::
AggregatedReport
do
subject
{
described_class
.
new
(
reports
,
occurrences
)
}
let
(
:reports
)
{
build_list
(
:ci_reports_security_report
,
1
)
}
let
(
:occurrences
)
{
build_list
(
:ci_reports_security_occurrence
,
1
)
}
describe
'#created_at'
do
context
'no reports'
do
let
(
:reports
)
{
[]
}
it
'has no created date'
do
expect
(
subject
.
created_at
).
to
be_nil
end
end
context
'report with no created date'
do
let
(
:reports
)
{
build_list
(
:ci_reports_security_report
,
1
,
created_at:
nil
)
}
it
'has no created date'
do
expect
(
subject
.
created_at
).
to
be_nil
end
end
context
'has reports'
do
let
(
:a_long_time_ago
)
{
2
.
months
.
ago
}
let
(
:a_while_ago
)
{
2
.
weeks
.
ago
}
let
(
:yesterday
)
{
1
.
day
.
ago
}
let
(
:reports
)
do
[
build
(
:ci_reports_security_report
,
created_at:
a_while_ago
),
build
(
:ci_reports_security_report
,
created_at:
a_long_time_ago
),
build
(
:ci_reports_security_report
,
created_at:
nil
),
build
(
:ci_reports_security_report
,
created_at:
yesterday
)]
end
it
'has oldest created date'
do
expect
(
subject
.
created_at
).
to
eq
(
a_long_time_ago
)
end
end
end
end
ee/spec/lib/gitlab/ci/reports/security/report_spec.rb
View file @
5fe4b7d0
...
@@ -3,8 +3,9 @@
...
@@ -3,8 +3,9 @@
require
'spec_helper'
require
'spec_helper'
describe
Gitlab
::
Ci
::
Reports
::
Security
::
Report
do
describe
Gitlab
::
Ci
::
Reports
::
Security
::
Report
do
let
(
:report
)
{
described_class
.
new
(
'sast'
,
commit_sha
)
}
let
(
:report
)
{
described_class
.
new
(
'sast'
,
commit_sha
,
created_at
)
}
let
(
:commit_sha
)
{
"d8978e74745e18ce44d88814004d4255ac6a65bb"
}
let
(
:commit_sha
)
{
"d8978e74745e18ce44d88814004d4255ac6a65bb"
}
let
(
:created_at
)
{
2
.
weeks
.
ago
}
it
{
expect
(
report
.
type
).
to
eq
(
'sast'
)
}
it
{
expect
(
report
.
type
).
to
eq
(
'sast'
)
}
...
@@ -65,6 +66,7 @@ describe Gitlab::Ci::Reports::Security::Report do
...
@@ -65,6 +66,7 @@ describe Gitlab::Ci::Reports::Security::Report do
expect
(
clone
.
type
).
to
eq
(
report
.
type
)
expect
(
clone
.
type
).
to
eq
(
report
.
type
)
expect
(
clone
.
commit_sha
).
to
eq
(
report
.
commit_sha
)
expect
(
clone
.
commit_sha
).
to
eq
(
report
.
commit_sha
)
expect
(
clone
.
created_at
).
to
eq
(
report
.
created_at
)
expect
(
clone
.
occurrences
).
to
eq
([])
expect
(
clone
.
occurrences
).
to
eq
([])
expect
(
clone
.
scanners
).
to
eq
({})
expect
(
clone
.
scanners
).
to
eq
({})
expect
(
clone
.
identifiers
).
to
eq
({})
expect
(
clone
.
identifiers
).
to
eq
({})
...
@@ -111,7 +113,7 @@ describe Gitlab::Ci::Reports::Security::Report do
...
@@ -111,7 +113,7 @@ describe Gitlab::Ci::Reports::Security::Report do
allow
(
report
).
to
receive
(
:replace_with!
)
allow
(
report
).
to
receive
(
:replace_with!
)
end
end
subject
{
report
.
merge!
(
described_class
.
new
(
'sast'
,
commit_sha
))
}
subject
{
report
.
merge!
(
described_class
.
new
(
'sast'
,
commit_sha
,
created_at
))
}
it
'invokes the merge with other report and then replaces this report contents by merge result'
do
it
'invokes the merge with other report and then replaces this report contents by merge result'
do
subject
subject
...
@@ -121,7 +123,7 @@ describe Gitlab::Ci::Reports::Security::Report do
...
@@ -121,7 +123,7 @@ describe Gitlab::Ci::Reports::Security::Report do
end
end
describe
"#safe?"
do
describe
"#safe?"
do
subject
{
described_class
.
new
(
'sast'
,
commit_sha
)
}
subject
{
described_class
.
new
(
'sast'
,
commit_sha
,
created_at
)
}
context
"when the sast report has an unsafe vulnerability"
do
context
"when the sast report has an unsafe vulnerability"
do
where
(
severity:
%w[unknown Unknown high High critical Critical]
)
where
(
severity:
%w[unknown Unknown high High critical Critical]
)
...
...
ee/spec/lib/gitlab/ci/reports/security/reports_spec.rb
View file @
5fe4b7d0
...
@@ -5,19 +5,21 @@ require 'spec_helper'
...
@@ -5,19 +5,21 @@ require 'spec_helper'
describe
Gitlab
::
Ci
::
Reports
::
Security
::
Reports
do
describe
Gitlab
::
Ci
::
Reports
::
Security
::
Reports
do
let
(
:commit_sha
)
{
'20410773a37f49d599e5f0d45219b39304763538'
}
let
(
:commit_sha
)
{
'20410773a37f49d599e5f0d45219b39304763538'
}
let
(
:security_reports
)
{
described_class
.
new
(
commit_sha
)
}
let
(
:security_reports
)
{
described_class
.
new
(
commit_sha
)
}
let
(
:artifact
)
{
create
(
:ee_ci_job_artifact
,
:sast
)
}
describe
'#get_report'
do
describe
'#get_report'
do
subject
{
security_reports
.
get_report
(
report_type
)
}
subject
{
security_reports
.
get_report
(
report_type
,
artifact
)
}
context
'when report type is sast'
do
context
'when report type is sast'
do
let
(
:report_type
)
{
'sast'
}
let
(
:report_type
)
{
'sast'
}
it
{
expect
(
subject
.
type
).
to
eq
(
'sast'
)
}
it
{
expect
(
subject
.
type
).
to
eq
(
'sast'
)
}
it
{
expect
(
subject
.
commit_sha
).
to
eq
(
commit_sha
)
}
it
{
expect
(
subject
.
commit_sha
).
to
eq
(
commit_sha
)
}
it
{
expect
(
subject
.
created_at
).
to
eq
(
artifact
.
created_at
)
}
it
'initializes a new report and returns it'
do
it
'initializes a new report and returns it'
do
expect
(
Gitlab
::
Ci
::
Reports
::
Security
::
Report
).
to
receive
(
:new
)
expect
(
Gitlab
::
Ci
::
Reports
::
Security
::
Report
).
to
receive
(
:new
)
.
with
(
'sast'
,
commit_sha
).
and_call_original
.
with
(
'sast'
,
commit_sha
,
artifact
.
created_at
).
and_call_original
is_expected
.
to
be_a
(
Gitlab
::
Ci
::
Reports
::
Security
::
Report
)
is_expected
.
to
be_a
(
Gitlab
::
Ci
::
Reports
::
Security
::
Report
)
end
end
...
@@ -44,8 +46,8 @@ describe Gitlab::Ci::Reports::Security::Reports do
...
@@ -44,8 +46,8 @@ describe Gitlab::Ci::Reports::Security::Reports do
context
"when a report has a high severity vulnerability"
do
context
"when a report has a high severity vulnerability"
do
before
do
before
do
subject
.
get_report
(
'sast'
).
add_occurrence
(
high_severity
)
subject
.
get_report
(
'sast'
,
artifact
).
add_occurrence
(
high_severity
)
subject
.
get_report
(
'dependency_scanning'
).
add_occurrence
(
low_severity
)
subject
.
get_report
(
'dependency_scanning'
,
artifact
).
add_occurrence
(
low_severity
)
end
end
it
{
expect
(
subject
.
violates_default_policy?
).
to
be
(
true
)
}
it
{
expect
(
subject
.
violates_default_policy?
).
to
be
(
true
)
}
...
@@ -53,8 +55,8 @@ describe Gitlab::Ci::Reports::Security::Reports do
...
@@ -53,8 +55,8 @@ describe Gitlab::Ci::Reports::Security::Reports do
context
"when none of the reports have a high severity vulnerability"
do
context
"when none of the reports have a high severity vulnerability"
do
before
do
before
do
subject
.
get_report
(
'sast'
).
add_occurrence
(
low_severity
)
subject
.
get_report
(
'sast'
,
artifact
).
add_occurrence
(
low_severity
)
subject
.
get_report
(
'dependency_scanning'
).
add_occurrence
(
low_severity
)
subject
.
get_report
(
'dependency_scanning'
,
artifact
).
add_occurrence
(
low_severity
)
end
end
it
{
expect
(
subject
.
violates_default_policy?
).
to
be
(
false
)
}
it
{
expect
(
subject
.
violates_default_policy?
).
to
be
(
false
)
}
...
...
ee/spec/lib/gitlab/ci/reports/security/vulnerability_reports_comparer_spec.rb
View file @
5fe4b7d0
...
@@ -3,41 +3,73 @@
...
@@ -3,41 +3,73 @@
require
'spec_helper'
require
'spec_helper'
describe
Gitlab
::
Ci
::
Reports
::
Security
::
VulnerabilityReportsComparer
do
describe
Gitlab
::
Ci
::
Reports
::
Security
::
VulnerabilityReportsComparer
do
let!
(
:identifier
)
{
build
(
:vulnerabilities_identifier
)
}
let
(
:identifier
)
{
build
(
:vulnerabilities_identifier
)
}
let!
(
:base_vulnerability
)
{
build
(
:vulnerabilities_occurrence
,
report_type: :sast
,
identifiers:
[
identifier
],
location_fingerprint:
'123'
,
confidence:
Vulnerabilities
::
Occurrence
::
CONFIDENCE_LEVELS
[
:high
],
severity:
Vulnerabilities
::
Occurrence
::
SEVERITY_LEVELS
[
:critical
])
}
let!
(
:head_vulnerability
)
{
build
(
:vulnerabilities_occurrence
,
report_type: :sast
,
identifiers:
[
identifier
],
location_fingerprint:
'123'
,
confidence:
Vulnerabilities
::
Occurrence
::
CONFIDENCE_LEVELS
[
:high
],
severity:
Vulnerabilities
::
Occurrence
::
SEVERITY_LEVELS
[
:critical
])
}
let
(
:base_vulnerability
)
{
build
(
:vulnerabilities_occurrence
,
report_type: :sast
,
identifiers:
[
identifier
],
location_fingerprint:
'123'
,
confidence:
Vulnerabilities
::
Occurrence
::
CONFIDENCE_LEVELS
[
:high
],
severity:
Vulnerabilities
::
Occurrence
::
SEVERITY_LEVELS
[
:critical
])
}
let
(
:base_report
)
{
build
(
:ci_reports_security_aggregated_reports
,
occurrences:
[
base_vulnerability
])}
let
(
:head_vulnerability
)
{
build
(
:vulnerabilities_occurrence
,
report_type: :sast
,
identifiers:
[
identifier
],
location_fingerprint:
'123'
,
confidence:
Vulnerabilities
::
Occurrence
::
CONFIDENCE_LEVELS
[
:high
],
severity:
Vulnerabilities
::
Occurrence
::
SEVERITY_LEVELS
[
:critical
])
}
let
(
:head_report
)
{
build
(
:ci_reports_security_aggregated_reports
,
occurrences:
[
head_vulnerability
])}
before
do
before
do
allow
(
base_vulnerability
).
to
receive
(
:location
).
and_return
({})
allow
(
base_vulnerability
).
to
receive
(
:location
).
and_return
({})
allow
(
head_vulnerability
).
to
receive
(
:location
).
and_return
({})
allow
(
head_vulnerability
).
to
receive
(
:location
).
and_return
({})
end
end
subject
{
described_class
.
new
(
base_report
,
head_report
)
}
describe
'#base_report_out_of_date'
do
context
'no base report'
do
let
(
:base_report
)
{
build
(
:ci_reports_security_aggregated_reports
,
reports:
[],
occurrences:
[])}
it
'is not out of date'
do
expect
(
subject
.
base_report_out_of_date
).
to
be
false
end
end
context
'base report older than one week'
do
let
(
:report
)
{
build
(
:ci_reports_security_report
,
created_at:
1
.
week
.
ago
-
60
.
seconds
)
}
let
(
:base_report
)
{
build
(
:ci_reports_security_aggregated_reports
,
reports:
[
report
])}
it
'is not out of date'
do
expect
(
subject
.
base_report_out_of_date
).
to
be
true
end
end
context
'base report less than one week old'
do
let
(
:report
)
{
build
(
:ci_reports_security_report
,
created_at:
1
.
week
.
ago
+
60
.
seconds
)
}
let
(
:base_report
)
{
build
(
:ci_reports_security_aggregated_reports
,
reports:
[
report
])}
it
'is not out of date'
do
expect
(
subject
.
base_report_out_of_date
).
to
be
false
end
end
end
describe
'#existing'
do
describe
'#existing'
do
context
'with existing reports'
do
context
'with existing reports'
do
let
(
:vuln
)
{
build
(
:vulnerabilities_occurrence
,
report_type: :sast
,
identifiers:
[
identifier
],
location_fingerprint:
'888'
,
confidence:
Vulnerabilities
::
Occurrence
::
CONFIDENCE_LEVELS
[
:medium
])
}
let
(
:low_vuln
)
{
build
(
:vulnerabilities_occurrence
,
report_type: :sast
,
identifiers:
[
identifier
],
location_fingerprint:
'888'
,
confidence:
Vulnerabilities
::
Occurrence
::
CONFIDENCE_LEVELS
[
:low
])
}
let
(
:comparer
)
{
described_class
.
new
([
base_vulnerability
],
[
head_vulnerability
])
}
it
'points to source tree'
do
it
'points to source tree'
do
comparer
=
described_class
.
new
([
base_vulnerability
],
[
head_vulnerability
])
expect
(
subject
.
existing
).
to
eq
([
head_vulnerability
])
expect
(
comparer
.
existing
).
to
eq
([
head_vulnerability
])
end
end
context
"when comparing reports with different fingerprints"
do
context
'when comparing reports with different fingerprints'
do
let
!
(
:base_vulnerability
)
{
build
(
:vulnerabilities_occurrence
,
report_type: :sast
,
identifiers:
[
identifier
],
location_fingerprint:
'A'
)
}
let
(
:base_vulnerability
)
{
build
(
:vulnerabilities_occurrence
,
report_type: :sast
,
identifiers:
[
identifier
],
location_fingerprint:
'A'
)
}
let
!
(
:head_vulnerability
)
{
build
(
:vulnerabilities_occurrence
,
report_type: :sast
,
identifiers:
[
identifier
],
location_fingerprint:
'B'
)
}
let
(
:head_vulnerability
)
{
build
(
:vulnerabilities_occurrence
,
report_type: :sast
,
identifiers:
[
identifier
],
location_fingerprint:
'B'
)
}
it
"does not find any overlap"
do
it
'does not find any overlap'
do
comparer
=
described_class
.
new
([
base_vulnerability
],
[
head_vulnerability
])
expect
(
subject
.
existing
).
to
eq
([])
expect
(
comparer
.
existing
).
to
eq
([])
end
end
end
end
it
'does not change order'
do
context
'new vulnerabilities'
do
comparer
=
described_class
.
new
([
base_vulnerability
,
vuln
],
[
head_vulnerability
,
vuln
,
low_vuln
])
let
(
:vuln
)
{
build
(
:vulnerabilities_occurrence
,
report_type: :sast
,
identifiers:
[
identifier
],
location_fingerprint:
'888'
,
confidence:
Vulnerabilities
::
Occurrence
::
CONFIDENCE_LEVELS
[
:medium
])
}
let
(
:low_vuln
)
{
build
(
:vulnerabilities_occurrence
,
report_type: :sast
,
identifiers:
[
identifier
],
location_fingerprint:
'888'
,
confidence:
Vulnerabilities
::
Occurrence
::
CONFIDENCE_LEVELS
[
:low
])
}
let
(
:base_report
)
{
build
(
:ci_reports_security_aggregated_reports
,
occurrences:
[
base_vulnerability
,
vuln
])}
let
(
:head_report
)
{
build
(
:ci_reports_security_aggregated_reports
,
occurrences:
[
head_vulnerability
,
vuln
,
low_vuln
])}
expect
(
comparer
.
existing
).
to
eq
([
head_vulnerability
,
vuln
])
it
'does not change order'
do
expect
(
subject
.
existing
).
to
eq
([
head_vulnerability
,
vuln
])
end
end
end
end
end
end
end
...
@@ -47,28 +79,28 @@ describe Gitlab::Ci::Reports::Security::VulnerabilityReportsComparer do
...
@@ -47,28 +79,28 @@ describe Gitlab::Ci::Reports::Security::VulnerabilityReportsComparer do
let
(
:low_vuln
)
{
build
(
:vulnerabilities_occurrence
,
report_type: :sast
,
identifiers:
[
identifier
],
location_fingerprint:
'888'
,
confidence:
Vulnerabilities
::
Occurrence
::
CONFIDENCE_LEVELS
[
:high
],
severity:
Vulnerabilities
::
Occurrence
::
SEVERITY_LEVELS
[
:low
])
}
let
(
:low_vuln
)
{
build
(
:vulnerabilities_occurrence
,
report_type: :sast
,
identifiers:
[
identifier
],
location_fingerprint:
'888'
,
confidence:
Vulnerabilities
::
Occurrence
::
CONFIDENCE_LEVELS
[
:high
],
severity:
Vulnerabilities
::
Occurrence
::
SEVERITY_LEVELS
[
:low
])
}
context
'with new vulnerability'
do
context
'with new vulnerability'
do
let
(
:
comparer
)
{
described_class
.
new
([
base_vulnerability
],
[
vuln
,
low
,
head_vulnerability
])
}
let
(
:
head_report
)
{
build
(
:ci_reports_security_aggregated_reports
,
occurrences:
[
head_vulnerability
,
vuln
])
}
it
'points to source tree'
do
it
'points to source tree'
do
comparer
=
described_class
.
new
([
base_vulnerability
],
[
head_vulnerability
,
vuln
])
expect
(
subject
.
added
).
to
eq
([
vuln
])
end
expect
(
comparer
.
added
).
to
eq
([
vuln
])
end
end
context
"when comparing reports with different fingerprints"
do
context
'when comparing reports with different fingerprints'
do
let!
(
:base_vulnerability
)
{
build
(
:vulnerabilities_occurrence
,
report_type: :sast
,
identifiers:
[
identifier
],
location_fingerprint:
'A'
)
}
let
(
:base_vulnerability
)
{
build
(
:vulnerabilities_occurrence
,
report_type: :sast
,
identifiers:
[
identifier
],
location_fingerprint:
'A'
)
}
let!
(
:head_vulnerability
)
{
build
(
:vulnerabilities_occurrence
,
report_type: :sast
,
identifiers:
[
identifier
],
location_fingerprint:
'B'
)
}
let
(
:head_vulnerability
)
{
build
(
:vulnerabilities_occurrence
,
report_type: :sast
,
identifiers:
[
identifier
],
location_fingerprint:
'B'
)
}
let
(
:head_report
)
{
build
(
:ci_reports_security_aggregated_reports
,
occurrences:
[
head_vulnerability
,
vuln
])}
it
"does not find any overlap"
do
it
'does not find any overlap'
do
comparer
=
described_class
.
new
([
base_vulnerability
],
[
head_vulnerability
,
vuln
])
expect
(
subject
.
added
).
to
eq
([
head_vulnerability
,
vuln
])
expect
(
comparer
.
added
).
to
eq
([
head_vulnerability
,
vuln
])
end
end
end
end
it
'does not change
order'
do
context
'
order'
do
comparer
=
described_class
.
new
([
base_vulnerability
],
[
head_vulnerability
,
vuln
,
low_vuln
])
let
(
:head_report
)
{
build
(
:ci_reports_security_aggregated_reports
,
occurrences:
[
head_vulnerability
,
vuln
,
low_vuln
])}
expect
(
comparer
.
added
).
to
eq
([
vuln
,
low_vuln
])
it
'does not change'
do
expect
(
subject
.
added
).
to
eq
([
vuln
,
low_vuln
])
end
end
end
end
end
end
...
@@ -78,34 +110,37 @@ describe Gitlab::Ci::Reports::Security::VulnerabilityReportsComparer do
...
@@ -78,34 +110,37 @@ describe Gitlab::Ci::Reports::Security::VulnerabilityReportsComparer do
let
(
:medium_vuln
)
{
build
(
:vulnerabilities_occurrence
,
report_type: :sast
,
identifiers:
[
identifier
],
location_fingerprint:
'888'
,
confidence:
Vulnerabilities
::
Occurrence
::
CONFIDENCE_LEVELS
[
:high
],
severity:
Vulnerabilities
::
Occurrence
::
SEVERITY_LEVELS
[
:medium
])
}
let
(
:medium_vuln
)
{
build
(
:vulnerabilities_occurrence
,
report_type: :sast
,
identifiers:
[
identifier
],
location_fingerprint:
'888'
,
confidence:
Vulnerabilities
::
Occurrence
::
CONFIDENCE_LEVELS
[
:high
],
severity:
Vulnerabilities
::
Occurrence
::
SEVERITY_LEVELS
[
:medium
])
}
context
'with fixed vulnerability'
do
context
'with fixed vulnerability'
do
it
'points to base tree'
do
let
(
:base_report
)
{
build
(
:ci_reports_security_aggregated_reports
,
occurrences:
[
base_vulnerability
,
vuln
])}
comparer
=
described_class
.
new
([
base_vulnerability
,
vuln
],
[
head_vulnerability
])
expect
(
comparer
.
fixed
).
to
eq
([
vuln
])
it
'points to base tree'
do
expect
(
subject
.
fixed
).
to
eq
([
vuln
])
end
end
end
context
"when comparing reports with different fingerprints"
do
context
'when comparing reports with different fingerprints'
do
let!
(
:base_vulnerability
)
{
build
(
:vulnerabilities_occurrence
,
report_type: :sast
,
identifiers:
[
identifier
],
location_fingerprint:
'A'
)
}
let
(
:base_vulnerability
)
{
build
(
:vulnerabilities_occurrence
,
report_type: :sast
,
identifiers:
[
identifier
],
location_fingerprint:
'A'
)
}
let!
(
:head_vulnerability
)
{
build
(
:vulnerabilities_occurrence
,
report_type: :sast
,
identifiers:
[
identifier
],
location_fingerprint:
'B'
)
}
let
(
:head_vulnerability
)
{
build
(
:vulnerabilities_occurrence
,
report_type: :sast
,
identifiers:
[
identifier
],
location_fingerprint:
'B'
)
}
let
(
:base_report
)
{
build
(
:ci_reports_security_aggregated_reports
,
occurrences:
[
base_vulnerability
,
vuln
])}
it
"does not find any overlap"
do
comparer
=
described_class
.
new
([
base_vulnerability
,
vuln
],
[
head_vulnerability
])
expect
(
comparer
.
fixed
).
to
eq
([
base_vulnerability
,
vuln
])
it
'does not find any overlap'
do
expect
(
subject
.
fixed
).
to
eq
([
base_vulnerability
,
vuln
])
end
end
end
end
it
'does not change
order'
do
context
'
order'
do
comparer
=
described_class
.
new
([
vuln
,
medium_vuln
,
base_vulnerability
],
[
head_vulnerability
])
let
(
:base_report
)
{
build
(
:ci_reports_security_aggregated_reports
,
occurrences:
[
vuln
,
medium_vuln
,
base_vulnerability
])}
expect
(
comparer
.
fixed
).
to
eq
([
vuln
,
medium_vuln
])
it
'does not change'
do
expect
(
subject
.
fixed
).
to
eq
([
vuln
,
medium_vuln
])
end
end
end
end
end
end
describe
'with empty vulnerabilities'
do
describe
'with empty vulnerabilities'
do
let
(
:empty_report
)
{
build
(
:ci_reports_security_aggregated_reports
,
reports:
[],
occurrences:
[])}
it
'returns empty array when reports are not present'
do
it
'returns empty array when reports are not present'
do
comparer
=
described_class
.
new
(
nil
,
nil
)
comparer
=
described_class
.
new
(
empty_report
,
empty_report
)
expect
(
comparer
.
existing
).
to
eq
([])
expect
(
comparer
.
existing
).
to
eq
([])
expect
(
comparer
.
fixed
).
to
eq
([])
expect
(
comparer
.
fixed
).
to
eq
([])
...
@@ -113,20 +148,18 @@ describe Gitlab::Ci::Reports::Security::VulnerabilityReportsComparer do
...
@@ -113,20 +148,18 @@ describe Gitlab::Ci::Reports::Security::VulnerabilityReportsComparer do
end
end
it
'returns added vulnerability when base is empty and head is not empty'
do
it
'returns added vulnerability when base is empty and head is not empty'
do
vuln
=
build
(
:vulnerabilities_occurrence
,
report_type: :sast
,
identifiers:
[
identifier
],
location_fingerprint:
'888'
)
comparer
=
described_class
.
new
(
empty_report
,
head_report
)
comparer
=
described_class
.
new
(
nil
,
[
vuln
])
expect
(
comparer
.
existing
).
to
eq
([])
expect
(
comparer
.
existing
).
to
eq
([])
expect
(
comparer
.
fixed
).
to
eq
([])
expect
(
comparer
.
fixed
).
to
eq
([])
expect
(
comparer
.
added
).
to
eq
([
vuln
])
expect
(
comparer
.
added
).
to
eq
([
head_vulnerability
])
end
end
it
'returns fixed vulnerability when head is empty and base is not empty'
do
it
'returns fixed vulnerability when head is empty and base is not empty'
do
vuln
=
build
(
:vulnerabilities_occurrence
,
report_type: :sast
,
identifiers:
[
identifier
],
location_fingerprint:
'888'
)
comparer
=
described_class
.
new
(
base_report
,
empty_report
)
comparer
=
described_class
.
new
([
vuln
],
nil
)
expect
(
comparer
.
existing
).
to
eq
([])
expect
(
comparer
.
existing
).
to
eq
([])
expect
(
comparer
.
fixed
).
to
eq
([
vuln
])
expect
(
comparer
.
fixed
).
to
eq
([
base_vulnerability
])
expect
(
comparer
.
added
).
to
eq
([])
expect
(
comparer
.
added
).
to
eq
([])
end
end
end
end
...
...
ee/spec/models/ci/build_spec.rb
View file @
5fe4b7d0
...
@@ -14,6 +14,7 @@ describe Ci::Build do
...
@@ -14,6 +14,7 @@ describe Ci::Build do
end
end
let
(
:job
)
{
create
(
:ci_build
,
pipeline:
pipeline
)
}
let
(
:job
)
{
create
(
:ci_build
,
pipeline:
pipeline
)
}
let
(
:artifact
)
{
create
(
:ee_ci_job_artifact
,
:sast
,
job:
job
,
project:
job
.
project
)
}
describe
'#shared_runners_minutes_limit_enabled?'
do
describe
'#shared_runners_minutes_limit_enabled?'
do
subject
{
job
.
shared_runners_minutes_limit_enabled?
}
subject
{
job
.
shared_runners_minutes_limit_enabled?
}
...
@@ -112,58 +113,59 @@ describe Ci::Build do
...
@@ -112,58 +113,59 @@ describe Ci::Build do
context
'when build has a security report'
do
context
'when build has a security report'
do
context
'when there is a sast report'
do
context
'when there is a sast report'
do
before
do
let!
(
:artifact
)
{
create
(
:ee_ci_job_artifact
,
:sast
,
job:
job
,
project:
job
.
project
)
}
create
(
:ee_ci_job_artifact
,
:sast
,
job:
job
,
project:
job
.
project
)
end
it
'parses blobs and add the results to the report'
do
it
'parses blobs and add the results to the report'
do
subject
subject
expect
(
security_reports
.
get_report
(
'sast'
).
occurrences
.
size
).
to
eq
(
33
)
expect
(
security_reports
.
get_report
(
'sast'
,
artifact
).
occurrences
.
size
).
to
eq
(
33
)
end
it
'adds the created date to the report'
do
subject
expect
(
security_reports
.
get_report
(
'sast'
,
artifact
).
created_at
.
to_s
).
to
eq
(
artifact
.
created_at
.
to_s
)
end
end
end
end
context
'when there are multiple reports'
do
context
'when there are multiple reports'
do
before
do
let!
(
:sast_artifact
)
{
create
(
:ee_ci_job_artifact
,
:sast
,
job:
job
,
project:
job
.
project
)
}
create
(
:ee_ci_job_artifact
,
:sast
,
job:
job
,
project:
job
.
project
)
let!
(
:ds_artifact
)
{
create
(
:ee_ci_job_artifact
,
:dependency_scanning
,
job:
job
,
project:
job
.
project
)
}
create
(
:ee_ci_job_artifact
,
:dependency_scanning
,
job:
job
,
project:
job
.
project
)
let!
(
:cs_artifact
)
{
create
(
:ee_ci_job_artifact
,
:container_scanning
,
job:
job
,
project:
job
.
project
)
}
create
(
:ee_ci_job_artifact
,
:container_scanning
,
job:
job
,
project:
job
.
project
)
let!
(
:dast_artifact
)
{
create
(
:ee_ci_job_artifact
,
:dast
,
job:
job
,
project:
job
.
project
)
}
create
(
:ee_ci_job_artifact
,
:dast
,
job:
job
,
project:
job
.
project
)
end
it
'parses blobs and adds the results to the reports'
do
it
'parses blobs and adds the results to the reports'
do
subject
subject
expect
(
security_reports
.
get_report
(
'sast'
).
occurrences
.
size
).
to
eq
(
33
)
expect
(
security_reports
.
get_report
(
'sast'
,
sast_artifact
).
occurrences
.
size
).
to
eq
(
33
)
expect
(
security_reports
.
get_report
(
'dependency_scanning'
).
occurrences
.
size
).
to
eq
(
4
)
expect
(
security_reports
.
get_report
(
'dependency_scanning'
,
ds_artifact
).
occurrences
.
size
).
to
eq
(
4
)
expect
(
security_reports
.
get_report
(
'container_scanning'
).
occurrences
.
size
).
to
eq
(
8
)
expect
(
security_reports
.
get_report
(
'container_scanning'
,
cs_artifact
).
occurrences
.
size
).
to
eq
(
8
)
expect
(
security_reports
.
get_report
(
'dast'
).
occurrences
.
size
).
to
eq
(
20
)
expect
(
security_reports
.
get_report
(
'dast'
,
dast_artifact
).
occurrences
.
size
).
to
eq
(
20
)
end
end
end
end
context
'when there is a corrupted sast report'
do
context
'when there is a corrupted sast report'
do
before
do
let!
(
:artifact
)
{
create
(
:ee_ci_job_artifact
,
:sast_with_corrupted_data
,
job:
job
,
project:
job
.
project
)
}
create
(
:ee_ci_job_artifact
,
:sast_with_corrupted_data
,
job:
job
,
project:
job
.
project
)
end
it
'stores an error'
do
it
'stores an error'
do
subject
subject
expect
(
security_reports
.
get_report
(
'sast'
)).
to
be_errored
expect
(
security_reports
.
get_report
(
'sast'
,
artifact
)).
to
be_errored
end
end
end
end
end
end
context
'when there is unsupported file type'
do
context
'when there is unsupported file type'
do
let!
(
:artifact
)
{
create
(
:ee_ci_job_artifact
,
:codequality
,
job:
job
,
project:
job
.
project
)
}
before
do
before
do
stub_const
(
"Ci::JobArtifact::SECURITY_REPORT_FILE_TYPES"
,
%w[codequality]
)
stub_const
(
"Ci::JobArtifact::SECURITY_REPORT_FILE_TYPES"
,
%w[codequality]
)
create
(
:ee_ci_job_artifact
,
:codequality
,
job:
job
,
project:
job
.
project
)
end
end
it
'stores an error'
do
it
'stores an error'
do
subject
subject
expect
(
security_reports
.
get_report
(
'codequality'
)).
to
be_errored
expect
(
security_reports
.
get_report
(
'codequality'
,
artifact
)).
to
be_errored
end
end
end
end
end
end
...
...
ee/spec/models/ci/pipeline_spec.rb
View file @
5fe4b7d0
...
@@ -159,14 +159,14 @@ describe Ci::Pipeline do
...
@@ -159,14 +159,14 @@ describe Ci::Pipeline do
let
(
:build_ds_2
)
{
create
(
:ci_build
,
:success
,
name:
'ds_2'
,
pipeline:
pipeline
,
project:
project
)
}
let
(
:build_ds_2
)
{
create
(
:ci_build
,
:success
,
name:
'ds_2'
,
pipeline:
pipeline
,
project:
project
)
}
let
(
:build_cs_1
)
{
create
(
:ci_build
,
:success
,
name:
'cs_1'
,
pipeline:
pipeline
,
project:
project
)
}
let
(
:build_cs_1
)
{
create
(
:ci_build
,
:success
,
name:
'cs_1'
,
pipeline:
pipeline
,
project:
project
)
}
let
(
:build_cs_2
)
{
create
(
:ci_build
,
:success
,
name:
'cs_2'
,
pipeline:
pipeline
,
project:
project
)
}
let
(
:build_cs_2
)
{
create
(
:ci_build
,
:success
,
name:
'cs_2'
,
pipeline:
pipeline
,
project:
project
)
}
let!
(
:sast1_artifact
)
{
create
(
:ee_ci_job_artifact
,
:sast
,
job:
build_sast_1
,
project:
project
)
}
let!
(
:sast2_artifact
)
{
create
(
:ee_ci_job_artifact
,
:sast
,
job:
build_sast_2
,
project:
project
)
}
let!
(
:ds1_artifact
)
{
create
(
:ee_ci_job_artifact
,
:dependency_scanning
,
job:
build_ds_1
,
project:
project
)
}
let!
(
:ds2_artifact
)
{
create
(
:ee_ci_job_artifact
,
:dependency_scanning
,
job:
build_ds_2
,
project:
project
)
}
let!
(
:cs1_artifact
)
{
create
(
:ee_ci_job_artifact
,
:container_scanning
,
job:
build_cs_1
,
project:
project
)
}
let!
(
:cs2_artifact
)
{
create
(
:ee_ci_job_artifact
,
:container_scanning
,
job:
build_cs_2
,
project:
project
)
}
before
do
before
do
create
(
:ee_ci_job_artifact
,
:sast
,
job:
build_sast_1
,
project:
project
)
create
(
:ee_ci_job_artifact
,
:sast
,
job:
build_sast_2
,
project:
project
)
create
(
:ee_ci_job_artifact
,
:dependency_scanning
,
job:
build_ds_1
,
project:
project
)
create
(
:ee_ci_job_artifact
,
:dependency_scanning
,
job:
build_ds_2
,
project:
project
)
create
(
:ee_ci_job_artifact
,
:container_scanning
,
job:
build_cs_1
,
project:
project
)
create
(
:ee_ci_job_artifact
,
:container_scanning
,
job:
build_cs_2
,
project:
project
)
end
end
it
'assigns pipeline commit_sha to the reports'
do
it
'assigns pipeline commit_sha to the reports'
do
...
@@ -178,18 +178,18 @@ describe Ci::Pipeline do
...
@@ -178,18 +178,18 @@ describe Ci::Pipeline do
expect
(
subject
.
reports
.
keys
).
to
contain_exactly
(
'sast'
,
'dependency_scanning'
,
'container_scanning'
)
expect
(
subject
.
reports
.
keys
).
to
contain_exactly
(
'sast'
,
'dependency_scanning'
,
'container_scanning'
)
# for each of report categories, we have merged 2 reports with the same data (fixture)
# for each of report categories, we have merged 2 reports with the same data (fixture)
expect
(
subject
.
get_report
(
'sast'
).
occurrences
.
size
).
to
eq
(
33
)
expect
(
subject
.
get_report
(
'sast'
,
sast1_artifact
).
occurrences
.
size
).
to
eq
(
33
)
expect
(
subject
.
get_report
(
'dependency_scanning'
).
occurrences
.
size
).
to
eq
(
4
)
expect
(
subject
.
get_report
(
'dependency_scanning'
,
ds1_artifact
).
occurrences
.
size
).
to
eq
(
4
)
expect
(
subject
.
get_report
(
'container_scanning'
).
occurrences
.
size
).
to
eq
(
8
)
expect
(
subject
.
get_report
(
'container_scanning'
,
cs1_artifact
).
occurrences
.
size
).
to
eq
(
8
)
end
end
context
'when builds are retried'
do
context
'when builds are retried'
do
let
(
:build_sast_1
)
{
create
(
:ci_build
,
:retried
,
name:
'sast_1'
,
pipeline:
pipeline
,
project:
project
)
}
let
(
:build_sast_1
)
{
create
(
:ci_build
,
:retried
,
name:
'sast_1'
,
pipeline:
pipeline
,
project:
project
)
}
it
'does not take retried builds into account'
do
it
'does not take retried builds into account'
do
expect
(
subject
.
get_report
(
'sast'
).
occurrences
.
size
).
to
eq
(
33
)
expect
(
subject
.
get_report
(
'sast'
,
sast1_artifact
).
occurrences
.
size
).
to
eq
(
33
)
expect
(
subject
.
get_report
(
'dependency_scanning'
).
occurrences
.
size
).
to
eq
(
4
)
expect
(
subject
.
get_report
(
'dependency_scanning'
,
ds1_artifact
).
occurrences
.
size
).
to
eq
(
4
)
expect
(
subject
.
get_report
(
'container_scanning'
).
occurrences
.
size
).
to
eq
(
8
)
expect
(
subject
.
get_report
(
'container_scanning'
,
cs1_artifact
).
occurrences
.
size
).
to
eq
(
8
)
end
end
end
end
end
end
...
...
ee/spec/serializers/vulnerabilities/occurrence_reports_comparer_entity_spec.rb
View file @
5fe4b7d0
...
@@ -6,8 +6,13 @@ describe Vulnerabilities::OccurrenceReportsComparerEntity do
...
@@ -6,8 +6,13 @@ describe Vulnerabilities::OccurrenceReportsComparerEntity do
describe
'container scanning report comparison'
do
describe
'container scanning report comparison'
do
set
(
:user
)
{
create
(
:user
)
}
set
(
:user
)
{
create
(
:user
)
}
let
(
:base_report
)
{
create_list
(
:vulnerabilities_occurrence
,
2
)
}
let
(
:base_occurrences
)
{
create_list
(
:vulnerabilities_occurrence
,
2
)
}
let
(
:head_report
)
{
create_list
(
:vulnerabilities_occurrence
,
1
)
}
let
(
:base_combined_reports
)
{
build_list
(
:ci_reports_security_report
,
1
,
created_at:
nil
)
}
let
(
:base_report
)
{
build
(
:ci_reports_security_aggregated_reports
,
reports:
base_combined_reports
,
occurrences:
base_occurrences
)}
let
(
:head_occurrences
)
{
create_list
(
:vulnerabilities_occurrence
,
1
)
}
let
(
:head_combined_reports
)
{
build_list
(
:ci_reports_security_report
,
1
,
created_at:
2
.
days
.
ago
)
}
let
(
:head_report
)
{
build
(
:ci_reports_security_aggregated_reports
,
reports:
head_combined_reports
,
occurrences:
head_occurrences
)}
let
(
:comparer
)
{
Gitlab
::
Ci
::
Reports
::
Security
::
VulnerabilityReportsComparer
.
new
(
base_report
,
head_report
)
}
let
(
:comparer
)
{
Gitlab
::
Ci
::
Reports
::
Security
::
VulnerabilityReportsComparer
.
new
(
base_report
,
head_report
)
}
...
@@ -27,7 +32,15 @@ describe Vulnerabilities::OccurrenceReportsComparerEntity do
...
@@ -27,7 +32,15 @@ describe Vulnerabilities::OccurrenceReportsComparerEntity do
end
end
it
'contains the added existing and fixed vulnerabilities for container scanning'
do
it
'contains the added existing and fixed vulnerabilities for container scanning'
do
expect
(
subject
.
keys
).
to
match_array
([
:added
,
:existing
,
:fixed
])
expect
(
subject
.
keys
).
to
include
(
:added
)
expect
(
subject
.
keys
).
to
include
(
:existing
)
expect
(
subject
.
keys
).
to
include
(
:fixed
)
end
it
'contains the report out of date fields'
do
expect
(
subject
.
keys
).
to
include
(
:base_report_created_at
)
expect
(
subject
.
keys
).
to
include
(
:base_report_out_of_date
)
expect
(
subject
.
keys
).
to
include
(
:head_report_created_at
)
end
end
end
end
end
end
...
...
ee/spec/services/security/store_report_service_spec.rb
View file @
5fe4b7d0
...
@@ -6,7 +6,7 @@ describe Security::StoreReportService, '#execute' do
...
@@ -6,7 +6,7 @@ describe Security::StoreReportService, '#execute' do
let
(
:artifact
)
{
create
(
:ee_ci_job_artifact
,
report_type
)
}
let
(
:artifact
)
{
create
(
:ee_ci_job_artifact
,
report_type
)
}
let
(
:project
)
{
artifact
.
project
}
let
(
:project
)
{
artifact
.
project
}
let
(
:pipeline
)
{
artifact
.
job
.
pipeline
}
let
(
:pipeline
)
{
artifact
.
job
.
pipeline
}
let
(
:report
)
{
pipeline
.
security_reports
.
get_report
(
report_type
.
to_s
)
}
let
(
:report
)
{
pipeline
.
security_reports
.
get_report
(
report_type
.
to_s
,
artifact
)
}
before
do
before
do
stub_licensed_features
(
sast:
true
,
dependency_scanning:
true
,
container_scanning:
true
)
stub_licensed_features
(
sast:
true
,
dependency_scanning:
true
,
container_scanning:
true
)
...
@@ -52,7 +52,7 @@ describe Security::StoreReportService, '#execute' do
...
@@ -52,7 +52,7 @@ describe Security::StoreReportService, '#execute' do
let!
(
:new_artifact
)
{
create
(
:ee_ci_job_artifact
,
:sast
,
job:
new_build
)
}
let!
(
:new_artifact
)
{
create
(
:ee_ci_job_artifact
,
:sast
,
job:
new_build
)
}
let
(
:new_build
)
{
create
(
:ci_build
,
pipeline:
new_pipeline
)
}
let
(
:new_build
)
{
create
(
:ci_build
,
pipeline:
new_pipeline
)
}
let
(
:new_pipeline
)
{
create
(
:ci_pipeline
,
project:
project
)
}
let
(
:new_pipeline
)
{
create
(
:ci_pipeline
,
project:
project
)
}
let
(
:new_report
)
{
new_pipeline
.
security_reports
.
get_report
(
report_type
.
to_s
)
}
let
(
:new_report
)
{
new_pipeline
.
security_reports
.
get_report
(
report_type
.
to_s
,
artifact
)
}
let
(
:report_type
)
{
:sast
}
let
(
:report_type
)
{
:sast
}
let!
(
:occurrence
)
do
let!
(
:occurrence
)
do
...
...
ee/spec/services/security/store_reports_service_spec.rb
View file @
5fe4b7d0
...
@@ -32,10 +32,12 @@ describe Security::StoreReportsService do
...
@@ -32,10 +32,12 @@ describe Security::StoreReportsService do
context
'when StoreReportService returns an error for a report'
do
context
'when StoreReportService returns an error for a report'
do
let
(
:reports
)
{
Gitlab
::
Ci
::
Reports
::
Security
::
Reports
.
new
(
pipeline
.
sha
)
}
let
(
:reports
)
{
Gitlab
::
Ci
::
Reports
::
Security
::
Reports
.
new
(
pipeline
.
sha
)
}
let
(
:sast_report
)
{
reports
.
get_report
(
'sast'
)
}
let
(
:sast_report
)
{
reports
.
get_report
(
'sast'
,
sast_artifact
)
}
let
(
:dast_report
)
{
reports
.
get_report
(
'dast'
)
}
let
(
:dast_report
)
{
reports
.
get_report
(
'dast'
,
dast_artifact
)
}
let
(
:success
)
{
{
status: :success
}
}
let
(
:success
)
{
{
status: :success
}
}
let
(
:error
)
{
{
status: :error
,
message:
"something went wrong"
}
}
let
(
:error
)
{
{
status: :error
,
message:
"something went wrong"
}
}
let
(
:sast_artifact
)
{
create
(
:ee_ci_job_artifact
,
:sast
)
}
let
(
:dast_artifact
)
{
create
(
:ee_ci_job_artifact
,
:dast
)
}
before
do
before
do
allow
(
pipeline
).
to
receive
(
:security_reports
).
and_return
(
reports
)
allow
(
pipeline
).
to
receive
(
:security_reports
).
and_return
(
reports
)
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment