Commit 695feb14 authored by Anastasia McDonald's avatar Anastasia McDonald

Merge branch 'ca-testcase-2259-false-positive-sast' into 'master'

added new testcase to assert false positives in the vulnerability report

See merge request gitlab-org/gitlab!74989
parents 0df95d7e 7fcd8796
......@@ -428,7 +428,11 @@ export default {
:issues="badgeIssues(item)"
:is-jira="hasJiraVulnerabilitiesIntegrationEnabled"
/>
<false-positive-badge v-if="item.falsePositive" class="gl-ml-3" />
<false-positive-badge
v-if="item.falsePositive"
data-qa-selector="false_positive_vulnerability"
class="gl-ml-3"
/>
<remediated-badge v-if="item.resolvedOnDefaultBranch" class="gl-ml-3" />
</div>
</template>
......
......@@ -380,7 +380,11 @@ export default {
:issues="badgeIssues(item)"
:is-jira="hasJiraVulnerabilitiesIntegrationEnabled"
/>
<false-positive-badge v-if="item.falsePositive" class="gl-ml-3" />
<false-positive-badge
v-if="item.falsePositive"
data-qa-selector="false_positive_vulnerability"
class="gl-ml-3"
/>
<remediated-badge v-if="item.resolvedOnDefaultBranch" class="gl-ml-3" />
</div>
</template>
......
......@@ -29,6 +29,7 @@ export default {
:title="$options.i18n.title"
:dismissible="false"
variant="warning"
data-qa-selector="false_positive_alert"
>
<gl-sprintf :message="$options.i18n.message">
<template #link="{ content }">
......
......@@ -2,6 +2,7 @@
exports[`False positive alert component should render the alert message 1`] = `
<gl-alert-stub
data-qa-selector="false_positive_alert"
dismisslabel="Dismiss"
primarybuttonlink=""
primarybuttontext=""
......
......@@ -116,6 +116,40 @@
"line": 15,
"tool": "bandit"
},
{
"category": "sast",
"name": "Possible unprotected redirect",
"message": "Possible unprotected redirect",
"description": "Possible unprotected redirect near line 46",
"cve": "373414e0effe673bb93d1d8994f3e511ff089ce79337a16577e087556e9ae3cd",
"severity": "Low",
"confidence": "Low",
"scanner": {
"id": "brakeman",
"name": "Brakeman"
},
"location": {
"file": "app/controllers/groups_controller.rb",
"start_line": 6,
"class": "GroupsController",
"method": "new_group"
},
"flags": [
{
"type": "",
"origin": "",
"description": ""
}
],
"identifiers": [
{
"type": "brakeman_warning_code",
"name": "Brakeman Warning Code 18",
"value": "18",
"url": "https://brakemanscanner.org/docs/warning_types/redirect/"
}
]
},
{
"category": "sast",
"name": "Cipher with no integrity",
......
......@@ -10,10 +10,18 @@ module QA
element :vulnerability
end
view 'ee/app/assets/javascripts/security_dashboard/components/shared/vulnerability_list.vue' do
element :false_positive_vulnerability
end
def has_vulnerability?(description:)
has_element?(:vulnerability, vulnerability_description: description)
end
def has_false_positive_vulnerability?
has_element?(:false_positive_vulnerability)
end
def click_vulnerability(description:)
return false unless has_vulnerability?(description: description)
......
......@@ -11,6 +11,14 @@ module QA
view 'ee/app/assets/javascripts/security_dashboard/components/pipeline/security_dashboard_table.vue' do
element :security_report_content, required: true
end
view 'ee/app/assets/javascripts/security_dashboard/components/shared/vulnerability_list.vue' do
element :false_positive_vulnerability
end
def has_false_positive_vulnerability?
has_element?(:false_positive_vulnerability)
end
end
end
end
......
......@@ -24,6 +24,10 @@ module QA
element :create_issue_button
end
view 'ee/app/assets/javascripts/vulnerabilities/components/false_positive_alert.vue' do
element :false_positive_alert
end
def has_component?(component_name:)
has_element?(component_name.to_sym)
end
......
......@@ -3,7 +3,7 @@
module QA
RSpec.describe 'Secure', :runner do
describe 'Security Reports in a Merge Request' do
let(:sast_vuln_count) { 5 }
let(:sast_vuln_count) { 6 }
let(:dependency_scan_vuln_count) { 4 }
let(:container_scan_vuln_count) { 8 }
let(:vuln_name) { "Regular Expression Denial of Service in debug" }
......
......@@ -7,6 +7,8 @@ module QA
let(:container_scan_example_vuln) { 'CVE-2017-18269 in glibc' }
let(:sast_scan_example_vuln) { 'Cipher with no integrity' }
let(:dast_scan_example_vuln) { 'Cookie Without SameSite Attribute' }
let(:sast_scan_fp_example_vuln) { "Possible unprotected redirect" }
let(:sast_scan_fp_example_vuln_desc) { "Possible unprotected redirect near line 46" }
describe 'Security Reports' do
before(:context) do
......@@ -76,6 +78,7 @@ module QA
filter_report_and_perform(pipeline, "SAST") do
expect(pipeline).to have_vulnerability_info_content sast_scan_example_vuln
expect(pipeline).to have_vulnerability_info_content sast_scan_fp_example_vuln
end
filter_report_and_perform(pipeline, "DAST") do
......@@ -99,6 +102,8 @@ module QA
filter_report_and_perform(dashboard, "SAST") do
expect(dashboard).to have_vulnerability sast_scan_example_vuln
expect(dashboard).to have_vulnerability sast_scan_fp_example_vuln
expect(dashboard).to have_false_positive_vulnerability
end
filter_report_and_perform(dashboard, "DAST") do
......@@ -141,6 +146,32 @@ module QA
end
end
it 'displays false positives for the vulnerabilities', testcase: 'https://gitlab.com/gitlab-org/gitlab/-/quality/test_cases/350412' do
Page::Project::Menu.perform(&:click_project)
Page::Project::Menu.perform(&:click_on_vulnerability_report)
EE::Page::Project::Secure::Show.perform do |security_dashboard|
filter_report_and_perform(security_dashboard, "SAST") do
expect(security_dashboard).to have_vulnerability sast_scan_fp_example_vuln
end
end
EE::Page::Project::Secure::SecurityDashboard.perform do |security_dashboard|
security_dashboard.click_vulnerability(description: sast_scan_fp_example_vuln)
end
EE::Page::Project::Secure::VulnerabilityDetails.perform do |vulnerability_details|
aggregate_failures "testing False positive vulnerability details" do
expect(vulnerability_details).to have_component(component_name: :vulnerability_header)
expect(vulnerability_details).to have_component(component_name: :vulnerability_details)
expect(vulnerability_details).to have_vulnerability_title(title: sast_scan_fp_example_vuln)
expect(vulnerability_details).to have_vulnerability_description(description: sast_scan_fp_example_vuln_desc)
expect(vulnerability_details).to have_component(component_name: :vulnerability_footer)
expect(vulnerability_details).to have_component(component_name: :false_positive_alert)
end
end
end
it 'displays the Dependency List', testcase: 'https://gitlab.com/gitlab-org/gitlab/-/quality/test_cases/348035' do
Page::Project::Menu.perform(&:click_on_dependency_list)
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment