Merge branch 'ca-testcase-2259-false-positive-sast' into 'master'

added new testcase to assert false positives in the vulnerability report See merge request gitlab-org/gitlab!74989

Merge branch 'ca-testcase-2259-false-positive-sast' into 'master'
added new testcase to assert false positives in the vulnerability report See merge request gitlab-org/gitlab!74989
695feb14 · Anastasia McDonald · 0df95d7e · 7fcd8796 · 695feb14 · 695feb14
Commit 695feb14 authored Jan 25, 2022 by Anastasia McDonald
10 changed files
--- a/ee/app/assets/javascripts/security_dashboard/components/shared/vulnerability_list.vue
+++ b/ee/app/assets/javascripts/security_dashboard/components/shared/vulnerability_list.vue
@@ -428,7 +428,11 @@ export default {
            :issues="badgeIssues(item)"
            :is-jira="hasJiraVulnerabilitiesIntegrationEnabled"
          />
-          <false-positive-badge v-if="item.falsePositive" class="gl-ml-3" />
+          <false-positive-badge
+            v-if="item.falsePositive"
+            data-qa-selector="false_positive_vulnerability"
+            class="gl-ml-3"
+          />
          <remediated-badge v-if="item.resolvedOnDefaultBranch" class="gl-ml-3" />
        </div>
      </template>

--- a/ee/app/assets/javascripts/security_dashboard/components/shared/vulnerability_report/vulnerability_list.vue
+++ b/ee/app/assets/javascripts/security_dashboard/components/shared/vulnerability_report/vulnerability_list.vue
@@ -380,7 +380,11 @@ export default {
            :issues="badgeIssues(item)"
            :is-jira="hasJiraVulnerabilitiesIntegrationEnabled"
          />
-          <false-positive-badge v-if="item.falsePositive" class="gl-ml-3" />
+          <false-positive-badge
+            v-if="item.falsePositive"
+            data-qa-selector="false_positive_vulnerability"
+            class="gl-ml-3"
+          />
          <remediated-badge v-if="item.resolvedOnDefaultBranch" class="gl-ml-3" />
        </div>
      </template>

--- a/ee/app/assets/javascripts/vulnerabilities/components/false_positive_alert.vue
+++ b/ee/app/assets/javascripts/vulnerabilities/components/false_positive_alert.vue
@@ -29,6 +29,7 @@ export default {
    :title="$options.i18n.title"
    :dismissible="false"
    variant="warning"
+    data-qa-selector="false_positive_alert"
  >
    <gl-sprintf :message="$options.i18n.message">
      <template #link="{ content }">

--- a/ee/spec/frontend/vulnerabilities/__snapshots__/false_positive_alert_spec.js.snap
+++ b/ee/spec/frontend/vulnerabilities/__snapshots__/false_positive_alert_spec.js.snap
@@ -2,6 +2,7 @@
 exports[`False positive alert component should render the alert message 1`] = `
 <gl-alert-stub
+  data-qa-selector="false_positive_alert"
  dismisslabel="Dismiss"
  primarybuttonlink=""
  primarybuttontext=""

--- a/qa/qa/ee/fixtures/secure_premade_reports/gl-sast-report.json
+++ b/qa/qa/ee/fixtures/secure_premade_reports/gl-sast-report.json
@@ -116,6 +116,40 @@
      "line": 15,
      "tool": "bandit"
    },
+    {
+      "category": "sast",
+      "name": "Possible unprotected redirect",
+      "message": "Possible unprotected redirect",
+      "description": "Possible unprotected redirect near line 46",
+      "cve": "373414e0effe673bb93d1d8994f3e511ff089ce79337a16577e087556e9ae3cd",
+      "severity": "Low",
+      "confidence": "Low",
+      "scanner": {
+        "id": "brakeman",
+        "name": "Brakeman"
+      },
+      "location": {
+        "file": "app/controllers/groups_controller.rb",
+        "start_line": 6,
+        "class": "GroupsController",
+        "method": "new_group"
+      },
+      "flags": [
+        {
+          "type": "",
+          "origin": "",
+          "description": ""
+        }
+      ],
+      "identifiers": [
+        {
+          "type": "brakeman_warning_code",
+          "name": "Brakeman Warning Code 18",
+          "value": "18",
+          "url": "https://brakemanscanner.org/docs/warning_types/redirect/"
+        }
+      ]
+    },
    {
      "category": "sast",
      "name": "Cipher with no integrity",

--- a/qa/qa/ee/page/project/secure/security_dashboard.rb
+++ b/qa/qa/ee/page/project/secure/security_dashboard.rb
@@ -10,10 +10,18 @@ module QA
              element :vulnerability
            end
+            view 'ee/app/assets/javascripts/security_dashboard/components/shared/vulnerability_list.vue' do
+              element :false_positive_vulnerability
+            end
            def has_vulnerability?(description:)
              has_element?(:vulnerability, vulnerability_description: description)
            end
+            def has_false_positive_vulnerability?
+              has_element?(:false_positive_vulnerability)
+            end
            def click_vulnerability(description:)
              return false unless has_vulnerability?(description: description)

--- a/qa/qa/ee/page/project/secure/show.rb
+++ b/qa/qa/ee/page/project/secure/show.rb
@@ -11,6 +11,14 @@ module QA
            view 'ee/app/assets/javascripts/security_dashboard/components/pipeline/security_dashboard_table.vue' do
              element :security_report_content, required: true
            end
+            view 'ee/app/assets/javascripts/security_dashboard/components/shared/vulnerability_list.vue' do
+              element :false_positive_vulnerability
+            end
+            def has_false_positive_vulnerability?
+              has_element?(:false_positive_vulnerability)
+            end
          end
        end
      end

--- a/qa/qa/ee/page/project/secure/vulnerability_details.rb
+++ b/qa/qa/ee/page/project/secure/vulnerability_details.rb
@@ -24,6 +24,10 @@ module QA
              element :create_issue_button
            end
+            view 'ee/app/assets/javascripts/vulnerabilities/components/false_positive_alert.vue' do
+              element :false_positive_alert
+            end
            def has_component?(component_name:)
              has_element?(component_name.to_sym)
            end

--- a/qa/qa/specs/features/ee/browser_ui/13_secure/create_merge_request_with_secure_spec.rb
+++ b/qa/qa/specs/features/ee/browser_ui/13_secure/create_merge_request_with_secure_spec.rb
@@ -3,7 +3,7 @@
 module QA
  RSpec.describe 'Secure', :runner do
    describe 'Security Reports in a Merge Request' do
-      let(:sast_vuln_count) { 5 }
+      let(:sast_vuln_count) { 6 }
      let(:dependency_scan_vuln_count) { 4 }
      let(:container_scan_vuln_count) { 8 }
      let(:vuln_name) { "Regular Expression Denial of Service in debug" }

--- a/qa/qa/specs/features/ee/browser_ui/13_secure/security_reports_spec.rb
+++ b/qa/qa/specs/features/ee/browser_ui/13_secure/security_reports_spec.rb
@@ -7,6 +7,8 @@ module QA
    let(:container_scan_example_vuln) { 'CVE-2017-18269 in glibc' }
    let(:sast_scan_example_vuln) { 'Cipher with no integrity' }
    let(:dast_scan_example_vuln) { 'Cookie Without SameSite Attribute' }
+    let(:sast_scan_fp_example_vuln) { "Possible unprotected redirect" }
+    let(:sast_scan_fp_example_vuln_desc) { "Possible unprotected redirect near line 46" }
    describe 'Security Reports' do
      before(:context) do
@@ -76,6 +78,7 @@ module QA
            filter_report_and_perform(pipeline, "SAST") do
              expect(pipeline).to have_vulnerability_info_content sast_scan_example_vuln
+              expect(pipeline).to have_vulnerability_info_content sast_scan_fp_example_vuln
            end
            filter_report_and_perform(pipeline, "DAST") do
@@ -99,6 +102,8 @@ module QA
            filter_report_and_perform(dashboard, "SAST") do
              expect(dashboard).to have_vulnerability sast_scan_example_vuln
+              expect(dashboard).to have_vulnerability sast_scan_fp_example_vuln
+              expect(dashboard).to have_false_positive_vulnerability
            end
            filter_report_and_perform(dashboard, "DAST") do
@@ -141,6 +146,32 @@ module QA
          end
        end
+        it 'displays false positives for the vulnerabilities', testcase: 'https://gitlab.com/gitlab-org/gitlab/-/quality/test_cases/350412' do
+          Page::Project::Menu.perform(&:click_project)
+          Page::Project::Menu.perform(&:click_on_vulnerability_report)
+          EE::Page::Project::Secure::Show.perform do |security_dashboard|
+            filter_report_and_perform(security_dashboard, "SAST") do
+              expect(security_dashboard).to have_vulnerability sast_scan_fp_example_vuln
+            end
+          end
+          EE::Page::Project::Secure::SecurityDashboard.perform do |security_dashboard|
+            security_dashboard.click_vulnerability(description: sast_scan_fp_example_vuln)
+          end
+          EE::Page::Project::Secure::VulnerabilityDetails.perform do |vulnerability_details|
+            aggregate_failures "testing False positive vulnerability details" do
+              expect(vulnerability_details).to have_component(component_name: :vulnerability_header)
+              expect(vulnerability_details).to have_component(component_name: :vulnerability_details)
+              expect(vulnerability_details).to have_vulnerability_title(title: sast_scan_fp_example_vuln)
+              expect(vulnerability_details).to have_vulnerability_description(description: sast_scan_fp_example_vuln_desc)
+              expect(vulnerability_details).to have_component(component_name: :vulnerability_footer)
+              expect(vulnerability_details).to have_component(component_name: :false_positive_alert)
+            end
+          end
+        end
        it 'displays the Dependency List', testcase: 'https://gitlab.com/gitlab-org/gitlab/-/quality/test_cases/348035' do
          Page::Project::Menu.perform(&:click_on_dependency_list)