Updates the groupedReportText builder

- Takes into account severities
- a11y compatible
- Updates all the helpers that go along with it
- Updates the documentation
- Updates all the tests that rely on this function.

doc/user/application_security/container_scanning/index.md

@@ -32,7 +32,7 @@ You can enable container scanning by doing one of the following:
 GitLab compares the found vulnerabilities between the source and target branches, and shows the
 information directly in the merge request.
 
-![Container Scanning Widget](img/container_scanning_v13_0.png)
+![Container Scanning Widget](img/container_scanning_v13_1.png)
 
 <!-- NOTE: The container scanning tool references the following heading in the code, so if you
            make a change to this heading, make sure to update the documentation URLs used in the

doc/user/application_security/dast/index.md

@@ -36,7 +36,7 @@ NOTE: **Note:**
 This comparison logic uses only the latest pipeline executed for the target branch's base commit.
 Running the pipeline on any other commit has no effect on the merge request.
 
-![DAST Widget](img/dast_all_v13_0.png)
+![DAST Widget](img/dast_all_v13_1.png)
 
 By clicking on one of the detected linked vulnerabilities, you can
 see the details and the URL(s) affected.

doc/user/application_security/dependency_scanning/index.md

@@ -27,7 +27,7 @@ GitLab checks the Dependency Scanning report, compares the found vulnerabilities
 between the source and target branches, and shows the information on the
 merge request.
 
-![Dependency Scanning Widget](img/dependency_scanning_v13_0.png)
+![Dependency Scanning Widget](img/dependency_scanning_v13_1.png)
 
 The results are sorted by the severity of the vulnerability:
 

doc/user/application_security/sast/index.md

@@ -28,7 +28,7 @@ You can take advantage of SAST by doing one of the following:
 GitLab checks the SAST report, compares the found vulnerabilities between the
 source and target branches, and shows the information right on the merge request.
 
-![SAST Widget](img/sast_v13_0.png)
+![SAST Widget](img/sast_v13_1.png)
 
 The results are sorted by the priority of the vulnerability:
 

ee/app/assets/javascripts/vue_shared/security_reports/store/getters.js

 import { s__, sprintf } from '~/locale';
-import { countIssues, groupedTextBuilder, statusIcon, groupedReportText } from './utils';
+import { countVulnerabilities, groupedTextBuilder, statusIcon, groupedReportText } from './utils';
 import { LOADING, ERROR, SUCCESS } from './constants';
 import messages from './messages';
 
@@ -30,27 +30,27 @@ export const groupedDependencyText = ({ dependencyScanning }) =>
     messages.DEPENDENCY_SCANNING_IS_LOADING,
   );
 
-export const summaryCounts = state =>
-  [
-    state.sast,
-    state.containerScanning,
-    state.dast,
-    state.dependencyScanning,
-    state.secretScanning,
-  ].reduce(
-    (acc, report) => {
-      const curr = countIssues(report);
-      acc.added += curr.added;
-      acc.dismissed += curr.dismissed;
-      acc.fixed += curr.fixed;
-      acc.existing += curr.existing;
-      return acc;
-    },
-    { added: 0, dismissed: 0, fixed: 0, existing: 0 },
-  );
+export const summaryCounts = ({
+  containerScanning,
+  dast,
+  dependencyScanning,
+  sast,
+  secretScanning,
+} = {}) => {
+  const allNewVulns = [
+    ...containerScanning.newIssues,
+    ...dast.newIssues,
+    ...dependencyScanning.newIssues,
+    ...sast.newIssues,
+    ...secretScanning.newIssues,
+  ];
+
+  return countVulnerabilities(allNewVulns);
+};
 
 export const groupedSummaryText = (state, getters) => {
   const reportType = s__('ciReport|Security scanning');
+  let status = '';
 
   // All reports are loading
   if (getters.areAllReportsLoading) {
@@ -62,10 +62,6 @@ export const groupedSummaryText = (state, getters) => {
     return s__('ciReport|Security scanning failed loading any results');
   }
 
-  const { added, fixed, existing, dismissed } = getters.summaryCounts;
-
-  let status = '';
-
   if (getters.areReportsLoading && getters.anyReportHasError) {
     status = s__('ciReport|(is loading, errors when loading results)');
   } else if (getters.areReportsLoading && !getters.anyReportHasError) {
@@ -74,13 +70,9 @@ export const groupedSummaryText = (state, getters) => {
     status = s__('ciReport|(errors when loading results)');
   }
 
-  /*
-   In order to correct wording, we ne to set the base property to true,
-   if at least one report has a base.
-   */
-  const paths = { head: true, base: !getters.noBaseInAllReports };
+  const { critical, high, other } = getters.summaryCounts;
 
-  return groupedTextBuilder({ reportType, paths, added, fixed, existing, dismissed, status });
+  return groupedTextBuilder({ reportType, status, critical, high, other });
 };
 
 export const summaryStatus = (state, getters) => {

ee/app/assets/javascripts/vue_shared/security_reports/store/utils.js

-import { n__, s__, sprintf } from '~/locale';
+import { __, n__, sprintf } from '~/locale';
+import { CRITICAL, HIGH } from 'ee/security_dashboard/store/modules/vulnerabilities/constants';
 
 /**
  * Returns the index of an issue in given list
@@ -42,103 +43,105 @@ export const enrichVulnerabilityWithFeedback = (vulnerability, feedback = []) =>
       return vuln;
     }, vulnerability);
 
+/**
+ * Takes an object of options and returns an externalized string representing
+ * the critical, high, and other severity vulnerabilities for a given report.
+ * @param {{reportType: string, status: string, critical: number, high: number, other: number}} options
+ * @returns {string}
+ */
 export const groupedTextBuilder = ({
   reportType = '',
-  paths = {},
-  added = 0,
-  fixed = 0,
-  existing = 0,
-  dismissed = 0,
   status = '',
-}) => {
-  let baseString = '';
-
-  if (!paths.base && !paths.diffEndpoint) {
-    if (added && !dismissed) {
-      // added
-      baseString = n__(
-        'ciReport|%{reportType} %{status} detected %{newCount} vulnerability for the source branch only',
-        'ciReport|%{reportType} %{status} detected %{newCount} vulnerabilities for the source branch only',
-        added,
-      );
-    } else if (!added && dismissed) {
-      // dismissed
-      baseString = n__(
-        'ciReport|%{reportType} %{status} detected %{dismissedCount} dismissed vulnerability for the source branch only',
-        'ciReport|%{reportType} %{status} detected %{dismissedCount} dismissed vulnerabilities for the source branch only',
-        dismissed,
-      );
-    } else if (added && dismissed) {
-      // added & dismissed
-      baseString = s__(
-        'ciReport|%{reportType} %{status} detected %{newCount} new, and %{dismissedCount} dismissed vulnerabilities for the source branch only',
-      );
-    } else {
-      // no vulnerabilities
-      baseString = s__(
-        'ciReport|%{reportType} %{status} detected no vulnerabilities for the source branch only',
-      );
+  critical = 0,
+  high = 0,
+  other = 0,
+} = {}) => {
+  // This approach uses bitwise (ish) flags to determine which vulnerabilities
+  // we have, without the need for too many nested levels of if/else statements.
+  //
+  // Here's a video explaining how it works
+  // https://youtu.be/qZzKNC7TPbA
+  //
+  // Here's a link to a similar approach on MDN:
+  // https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Operators/Bitwise_Operators#Examples
+
+  let options = 0;
+  const HAS_CRITICAL = 1;
+  const HAS_HIGH = 2;
+  const HAS_OTHER = 4;
+  let message;
+
+  if (critical) {
+    options += HAS_CRITICAL;
   }
-  } else if (paths.head || paths.diffEndpoint) {
-    if (added && !fixed && !dismissed) {
-      // added
-      baseString = n__(
-        'ciReport|%{reportType} %{status} detected %{newCount} new vulnerability',
-        'ciReport|%{reportType} %{status} detected %{newCount} new vulnerabilities',
-        added,
+  if (high) {
+    options += HAS_HIGH;
+  }
+  if (other) {
+    options += HAS_OTHER;
+  }
+
+  switch (options) {
+    case HAS_CRITICAL:
+      message = n__(
+        '%{reportType} %{status} detected %{critical} critical severity vulnerability.',
+        '%{reportType} %{status} detected %{critical} critical severity vulnerabilities.',
+        critical,
       );
-    } else if (!added && fixed && !dismissed) {
-      // fixed
-      baseString = n__(
-        'ciReport|%{reportType} %{status} detected %{fixedCount} fixed vulnerability',
-        'ciReport|%{reportType} %{status} detected %{fixedCount} fixed vulnerabilities',
-        fixed,
+      break;
+
+    case HAS_HIGH:
+      message = n__(
+        '%{reportType} %{status} detected %{high} high severity vulnerability.',
+        '%{reportType} %{status} detected %{high} high severity vulnerabilities.',
+        high,
       );
-    } else if (!added && !fixed && dismissed) {
-      // dismissed
-      baseString = n__(
-        'ciReport|%{reportType} %{status} detected %{dismissedCount} dismissed vulnerability',
-        'ciReport|%{reportType} %{status} detected %{dismissedCount} dismissed vulnerabilities',
-        dismissed,
+      break;
+
+    case HAS_OTHER:
+      message = n__(
+        '%{reportType} %{status} detected %{other} vulnerability.',
+        '%{reportType} %{status} detected %{other} vulnerabilities.',
+        other,
       );
-    } else if (added && fixed && !dismissed) {
-      // added & fixed
-      baseString = s__(
-        'ciReport|%{reportType} %{status} detected %{newCount} new, and %{fixedCount} fixed vulnerabilities',
+      break;
+
+    case HAS_CRITICAL + HAS_HIGH:
+      message = __(
+        '%{reportType} %{status} detected %{critical} critical and %{high} high severity vulnerabilities.',
       );
-    } else if (added && !fixed && dismissed) {
-      // added & dismissed
-      baseString = s__(
-        'ciReport|%{reportType} %{status} detected %{newCount} new, and %{dismissedCount} dismissed vulnerabilities',
+      break;
+
+    case HAS_CRITICAL + HAS_OTHER:
+      message = __(
+        '%{reportType} %{status} detected %{critical} critical severity vulnerabilities out of %{total}.',
       );
-    } else if (!added && fixed && dismissed) {
-      // fixed & dismissed
-      baseString = s__(
-        'ciReport|%{reportType} %{status} detected %{fixedCount} fixed, and %{dismissedCount} dismissed vulnerabilities',
+      break;
+
+    case HAS_HIGH + HAS_OTHER:
+      message = __(
+        '%{reportType} %{status} detected %{high} high severity vulnerabilities out of %{total}.',
       );
-    } else if (added && fixed && dismissed) {
-      // added & fixed & dismissed
-      baseString = s__(
-        'ciReport|%{reportType} %{status} detected %{newCount} new, %{fixedCount} fixed, and %{dismissedCount} dismissed vulnerabilities',
+      break;
+
+    case HAS_CRITICAL + HAS_HIGH + HAS_OTHER:
+      message = __(
+        '%{reportType} %{status} detected %{critical} critical and %{high} high severity vulnerabilities out of %{total}.',
       );
-    } else if (existing) {
-      baseString = s__('ciReport|%{reportType} %{status} detected no new vulnerabilities');
-    } else {
-      baseString = s__('ciReport|%{reportType} %{status} detected no vulnerabilities');
-    }
-  }
+      break;
 
-  if (!status) {
-    baseString = baseString.replace('%{status}', '').replace('  ', ' ');
+    default:
+      message = __('%{reportType} %{status} detected no new vulnerabilities.');
   }
 
-  return sprintf(baseString, {
-    status,
+  return sprintf(message, {
     reportType,
-    newCount: added,
-    fixedCount: fixed,
-    dismissedCount: dismissed,
-  });
+    status,
+    critical,
+    high,
+    other,
+    total: critical + high + other,
+  }).replace(/\s\s+/g, ' ');
 };
 
 export const statusIcon = (loading = false, failed = false, newIssues = 0, neutralIssues = 0) => {
@@ -154,22 +157,21 @@ export const statusIcon = (loading = false, failed = false, newIssues = 0, neutr
 };
 
 /**
- * Counts issues. Simply returns the amount of existing and fixed Issues.
- * New Issues are divided into dismissed and added.
+ * Counts vulnerabilities.
+ * Returns the amount of critical, high, and other vulnerabilities.
  *
- * @param newIssues
- * @param resolvedIssues
- * @param allIssues
- * @returns {{existing: number, added: number, dismissed: number, fixed: number}}
+ * @param {Array} vulnerabilities The raw vulnerabilities to parse
+ * @returns {{critical: number, high: number, other: number}}
  */
-export const countIssues = ({ newIssues = [], resolvedIssues = [], allIssues = [] } = {}) => {
-  const dismissed = newIssues.reduce((sum, issue) => (issue.isDismissed ? sum + 1 : sum), 0);
+export const countVulnerabilities = (vulnerabilities = []) => {
+  const critical = vulnerabilities.filter(vuln => vuln.severity === CRITICAL).length;
+  const high = vulnerabilities.filter(vuln => vuln.severity === HIGH).length;
+  const other = vulnerabilities.length - critical - high;
 
   return {
-    added: newIssues.length - dismissed,
-    dismissed,
-    existing: allIssues.length,
-    fixed: resolvedIssues.length,
+    critical,
+    high,
+    other,
   };
 };
 
@@ -183,8 +185,6 @@ export const countIssues = ({ newIssues = [], resolvedIssues = [], allIssues = [
  * @returns {String}
  */
 export const groupedReportText = (report, reportType, errorMessage, loadingMessage) => {
-  const { paths } = report;
-
   if (report.hasError) {
     return errorMessage;
   }
@@ -194,9 +194,8 @@ export const groupedReportText = (report, reportType, errorMessage, loadingMessa
   }
 
   return groupedTextBuilder({
-    ...countIssues(report),
     reportType,
-    paths,
+    ...countVulnerabilities(report.newIssues),
   });
 };
 

ee/changelogs/unreleased/216140-grouped-report-text.yml

+---
+title: Changes the displayed summary text in security reports in merge requests
+merge_request: 33857
+author:
+type: changed

ee/spec/frontend/vue_mr_widget/ee_mr_widget_options_spec.js

@@ -125,7 +125,7 @@ describe('ee merge request widget options', () => {
                 `${SAST_SELECTOR} .report-block-list-issue-description`,
               ).textContent,
             ),
-          ).toEqual('SAST detected 1 new, and 2 fixed vulnerabilities');
+          ).toEqual('SAST detected 1 vulnerability.');
           done();
         });
       });
@@ -147,7 +147,7 @@ describe('ee merge request widget options', () => {
                 `${SAST_SELECTOR} .report-block-list-issue-description`,
               ).textContent,
             ).trim(),
-          ).toEqual('SAST detected no vulnerabilities');
+          ).toEqual('SAST detected no new vulnerabilities.');
           done();
         });
       });
@@ -215,7 +215,7 @@ describe('ee merge request widget options', () => {
                 `${DEPENDENCY_SCANNING_SELECTOR} .report-block-list-issue-description`,
               ).textContent,
             ),
-          ).toEqual('Dependency scanning detected 2 new, and 1 fixed vulnerabilities');
+          ).toEqual('Dependency scanning detected 2 vulnerabilities.');
           done();
         });
       });
@@ -241,7 +241,7 @@ describe('ee merge request widget options', () => {
                 `${DEPENDENCY_SCANNING_SELECTOR} .report-block-list-issue-description`,
               ).textContent,
             ),
-          ).toEqual('Dependency scanning detected no new vulnerabilities');
+          ).toEqual('Dependency scanning detected no new vulnerabilities.');
           done();
         });
       });
@@ -263,7 +263,7 @@ describe('ee merge request widget options', () => {
                 `${DEPENDENCY_SCANNING_SELECTOR} .report-block-list-issue-description`,
               ).textContent,
             ),
-          ).toEqual('Dependency scanning detected no vulnerabilities');
+          ).toEqual('Dependency scanning detected no new vulnerabilities.');
           done();
         });
       });
@@ -687,7 +687,7 @@ describe('ee merge request widget options', () => {
                 `${CONTAINER_SCANNING_SELECTOR} .report-block-list-issue-description`,
               ).textContent,
             ),
-          ).toEqual('Container scanning detected 2 new, and 1 fixed vulnerabilities');
+          ).toEqual('Container scanning detected 2 vulnerabilities.');
           done();
         });
       });
@@ -757,7 +757,7 @@ describe('ee merge request widget options', () => {
             findSecurityWidget()
               .querySelector(`${DAST_SELECTOR} .report-block-list-issue-description`)
               .textContent.trim(),
-          ).toEqual('DAST detected 1 new, and 2 fixed vulnerabilities');
+          ).toEqual('DAST detected 1 vulnerability.');
           done();
         });
       });
@@ -831,7 +831,7 @@ describe('ee merge request widget options', () => {
                 `${SECRET_SCANNING_SELECTOR} .report-block-list-issue-description`,
               ).textContent,
             ),
-          ).toEqual('Secret scanning detected 2 new, and 1 fixed vulnerabilities');
+          ).toEqual('Secret scanning detected 2 vulnerabilities.');
           done();
         });
       });

ee/spec/frontend/vue_shared/components/reports/report_issues_spec.js

@@ -97,7 +97,9 @@ describe('Report issues', () => {
     });
 
     it('renders severity', () => {
-      expect(vm.$el.textContent.trim()).toContain(dockerReportParsed.unapproved[0].severity);
+      expect(vm.$el.textContent.trim().toLowerCase()).toContain(
+        dockerReportParsed.unapproved[0].severity,
+      );
     });
 
     it('renders CVE name', () => {
@@ -121,7 +123,7 @@ describe('Report issues', () => {
 
     it('renders severity and title', () => {
       expect(vm.$el.textContent).toContain(parsedDast[0].title);
-      expect(vm.$el.textContent).toContain(`${parsedDast[0].severity}`);
+      expect(vm.$el.textContent.toLowerCase()).toContain(`${parsedDast[0].severity}`);
     });
   });
 
@@ -135,7 +137,9 @@ describe('Report issues', () => {
     });
 
     it('renders severity', () => {
-      expect(vm.$el.textContent.trim()).toContain(secretScanningParsedIssues[0].severity);
+      expect(vm.$el.textContent.trim().toLowerCase()).toContain(
+        secretScanningParsedIssues[0].severity,
+      );
     });
 
     it('renders CVE name', () => {

ee/spec/frontend/vue_shared/components/reports/report_item_spec.js

@@ -97,7 +97,9 @@ describe('Report issue', () => {
     });
 
     it('renders severity', () => {
-      expect(vm.$el.textContent.trim()).toContain(dockerReportParsed.unapproved[0].severity);
+      expect(vm.$el.textContent.trim().toLowerCase()).toContain(
+        dockerReportParsed.unapproved[0].severity,
+      );
     });
 
     it('renders CVE name', () => {
@@ -121,7 +123,7 @@ describe('Report issue', () => {
 
     it('renders severity and title', () => {
       expect(vm.$el.textContent).toContain(parsedDast[0].title);
-      expect(vm.$el.textContent).toContain(`${parsedDast[0].severity}`);
+      expect(vm.$el.textContent.toLowerCase()).toContain(`${parsedDast[0].severity}`);
     });
   });
 
@@ -135,7 +137,9 @@ describe('Report issue', () => {
     });
 
     it('renders severity', () => {
-      expect(vm.$el.textContent.trim()).toContain(secretScanningParsedIssues[0].severity);
+      expect(vm.$el.textContent.trim().toLowerCase()).toContain(
+        secretScanningParsedIssues[0].severity,
+      );
     });
 
     it('renders CVE name', () => {

ee/spec/frontend/vue_shared/security_reports/components/security_issue_body_spec.js

@@ -10,6 +10,12 @@ import {
   dependencyScanningIssues,
   secretScanningParsedIssues,
 } from '../mock_data';
+import {
+  CRITICAL,
+  HIGH,
+  MEDIUM,
+  LOW,
+} from 'ee/security_dashboard/store/modules/vulnerabilities/constants';
 
 describe('Security Issue Body', () => {
   let wrapper;
@@ -31,11 +37,11 @@ describe('Security Issue Body', () => {
   });
 
   describe.each([
-    ['SAST', sastParsedIssues[0], true, 'High'],
-    ['DAST', parsedDast[0], false, 'Low'],
-    ['Container Scanning', dockerReportParsed.vulnerabilities[0], false, 'Medium'],
+    ['SAST', sastParsedIssues[0], true, HIGH],
+    ['DAST', parsedDast[0], false, LOW],
+    ['Container Scanning', dockerReportParsed.vulnerabilities[0], false, MEDIUM],
     ['Dependency Scanning', dependencyScanningIssues[0], true],
-    ['Secret Scanning', secretScanningParsedIssues[0], false, 'Critical'],
+    ['Secret Scanning', secretScanningParsedIssues[0], false, CRITICAL],
   ])('for a %s vulnerability', (name, vuln, hasReportLink, severity) => {
     beforeEach(() => {
       createComponent(vuln);

ee/spec/frontend/vue_shared/security_reports/grouped_security_reports_app_spec.js

@@ -187,7 +187,7 @@ describe('Grouped security reports app', () => {
 
         // Renders the summary text
         expect(wrapper.vm.$el.querySelector('.js-code-text').textContent.trim()).toEqual(
-          'Security scanning detected 8 new, and 7 fixed vulnerabilities',
+          'Security scanning detected 8 vulnerabilities.',
         );
 
         // Renders the expand button
@@ -196,24 +196,20 @@ describe('Grouped security reports app', () => {
         );
 
         // Renders Sast result
-        expect(trimText(wrapper.vm.$el.textContent)).toContain(
-          'SAST detected 1 new, and 2 fixed vulnerabilities',
-        );
+        expect(trimText(wrapper.vm.$el.textContent)).toContain('SAST detected 1 vulnerability');
 
         // Renders DSS result
         expect(trimText(wrapper.vm.$el.textContent)).toContain(
-          'Dependency scanning detected 2 new, and 1 fixed vulnerabilities',
+          'Dependency scanning detected 2 vulnerabilities.',
         );
 
         // Renders container scanning result
         expect(wrapper.vm.$el.textContent).toContain(
-          'Container scanning detected 2 new, and 1 fixed vulnerabilities',
+          'Container scanning detected 2 vulnerabilities.',
         );
 
         // Renders DAST result
-        expect(wrapper.vm.$el.textContent).toContain(
-          'DAST detected 1 new, and 2 fixed vulnerabilities',
-        );
+        expect(wrapper.vm.$el.textContent).toContain('DAST detected 1 vulnerability.');
       });
 
       it('opens modal with more information', () => {
@@ -293,9 +289,7 @@ describe('Grouped security reports app', () => {
     });
 
     it('should display the correct numbers of vulnerabilities', () => {
-      expect(wrapper.text()).toContain(
-        'Container scanning detected 2 new, and 1 fixed vulnerabilities',
-      );
+      expect(wrapper.text()).toContain('Container scanning detected 2 vulnerabilities.');
     });
   });
 
@@ -324,7 +318,7 @@ describe('Grouped security reports app', () => {
 
     it('should display the correct numbers of vulnerabilities', () => {
       expect(wrapper.vm.$el.textContent).toContain(
-        'Dependency scanning detected 2 new, and 1 fixed vulnerabilities',
+        'Dependency scanning detected 2 vulnerabilities.',
       );
     });
   });
@@ -362,9 +356,7 @@ describe('Grouped security reports app', () => {
     });
 
     it('should display the correct numbers of vulnerabilities', () => {
-      expect(wrapper.vm.$el.textContent).toContain(
-        'DAST detected 1 new, and 2 fixed vulnerabilities',
-      );
+      expect(wrapper.vm.$el.textContent).toContain('DAST detected 1 vulnerability');
     });
 
     it('shows the scanned URLs count and a link to the CI job if available', () => {
@@ -431,9 +423,7 @@ describe('Grouped security reports app', () => {
       });
 
       it('should display the correct numbers of vulnerabilities', () => {
-        expect(wrapper.text()).toContain(
-          'Secret scanning detected 2 new, and 1 fixed vulnerabilities',
-        );
+        expect(wrapper.text()).toContain('Secret scanning detected 2 vulnerabilities.');
       });
     });
 
@@ -470,9 +460,7 @@ describe('Grouped security reports app', () => {
     });
 
     it('should display the correct numbers of vulnerabilities', () => {
-      expect(wrapper.vm.$el.textContent).toContain(
-        'SAST detected 1 new, and 2 fixed vulnerabilities',
-      );
+      expect(wrapper.vm.$el.textContent).toContain('SAST detected 1 vulnerability.');
     });
   });
 

ee/spec/frontend/vue_shared/security_reports/mock_data.js

@@ -5,7 +5,7 @@ export const sastParsedIssues = [
     title: 'Arbitrary file existence disclosure in Action Pack',
     path: 'Gemfile.lock',
     line: 12,
-    severity: 'High',
+    severity: 'high',
     urlPath: 'foo/Gemfile.lock',
     report_type: 'sast',
   },
@@ -32,7 +32,7 @@ export const dockerReportParsed = {
     {
       vulnerability: 'CVE-2017-12944',
       namespace: 'debian:8',
-      severity: 'Medium',
+      severity: 'medium',
       title: 'CVE-2017-12944',
       path: 'debian:8',
       identifiers: [
@@ -47,7 +47,7 @@ export const dockerReportParsed = {
     {
       vulnerability: 'CVE-2017-16232',
       namespace: 'debian:8',
-      severity: 'Negligible',
+      severity: 'low',
       title: 'CVE-2017-16232',
       path: 'debian:8',
       identifiers: [
@@ -64,7 +64,7 @@ export const dockerReportParsed = {
     {
       vulnerability: 'CVE-2014-8130',
       namespace: 'debian:8',
-      severity: 'Negligible',
+      severity: 'low',
       title: 'CVE-2014-8130',
       path: 'debian:8',
       identifiers: [
@@ -81,7 +81,7 @@ export const dockerReportParsed = {
     {
       vulnerability: 'CVE-2017-12944',
       namespace: 'debian:8',
-      severity: 'Medium',
+      severity: 'medium',
       title: 'CVE-2017-12944',
       path: 'debian:8',
       identifiers: [
@@ -96,7 +96,7 @@ export const dockerReportParsed = {
     {
       vulnerability: 'CVE-2017-16232',
       namespace: 'debian:8',
-      severity: 'Negligible',
+      severity: 'low',
       title: 'CVE-2017-16232',
       path: 'debian:8',
       identifiers: [
@@ -111,7 +111,7 @@ export const dockerReportParsed = {
     {
       vulnerability: 'CVE-2014-8130',
       namespace: 'debian:8',
-      severity: 'Negligible',
+      severity: 'low',
       title: 'CVE-2014-8130',
       path: 'debian:8',
       identifiers: [
@@ -134,7 +134,7 @@ export const parsedDast = [
     title: 'Absence of Anti-CSRF Tokens',
     riskcode: '1',
     riskdesc: 'Low (Medium)',
-    severity: 'Low',
+    severity: 'low',
     cweid: '3',
     desc: '<p>No Anti-CSRF tokens were found in a HTML submission form.</p>',
     pluginid: '123',
@@ -176,7 +176,7 @@ export const parsedDast = [
         url: 'https://cwe.mitre.org/data/definitions/4.html',
       },
     ],
-    severity: 'Low',
+    severity: 'low',
     cweid: '4',
     desc: '<p>The Anti-MIME-Sniffing header X-Content-Type-Options was not set to "nosniff".</p>',
     pluginid: '3456',
@@ -197,7 +197,7 @@ export const secretScanningParsedIssues = [
     title: 'AWS SecretKey detected',
     path: 'Gemfile.lock',
     line: 12,
-    severity: 'Critical',
+    severity: 'critical',
     urlPath: 'foo/Gemfile.lock',
   },
 ];

ee/spec/frontend/vue_shared/security_reports/store/modules/sast/getters_spec.js

@@ -29,7 +29,7 @@ describe('groupedSastText', () => {
     const sast = createReport();
     const result = getters.groupedSastText(sast);
 
-    expect(result).toBe('SAST detected no vulnerabilities for the source branch only');
+    expect(result).toBe('SAST detected no new vulnerabilities.');
   });
 });
 

ee/spec/frontend/vue_shared/security_reports/store/utils_spec.js

@@ -2,11 +2,17 @@ import {
   findIssueIndex,
   groupedTextBuilder,
   statusIcon,
-  countIssues,
+  countVulnerabilities,
   groupedReportText,
 } from 'ee/vue_shared/security_reports/store/utils';
 import filterByKey from 'ee/vue_shared/security_reports/store/utils/filter_by_key';
 import getFileLocation from 'ee/vue_shared/security_reports/store/utils/get_file_location';
+import {
+  CRITICAL,
+  HIGH,
+  MEDIUM,
+  LOW,
+} from 'ee/security_dashboard/store/modules/vulnerabilities/constants';
 
 describe('security reports utils', () => {
   describe('findIssueIndex', () => {
@@ -75,113 +81,47 @@ describe('security reports utils', () => {
     });
   });
 
-  describe('textBuilder', () => {
-    describe('with only the head', () => {
-      const paths = { head: 'foo' };
-
-      it('should return unable to compare text', () => {
-        expect(groupedTextBuilder({ paths, added: 1 })).toEqual(
-          ' detected 1 vulnerability for the source branch only',
-        );
-      });
-
-      it('should return unable to compare text with no vulnerability', () => {
-        expect(groupedTextBuilder({ paths })).toEqual(
-          ' detected no vulnerabilities for the source branch only',
-        );
-      });
-
-      it('should return dismissed text', () => {
-        expect(groupedTextBuilder({ paths, dismissed: 2 })).toEqual(
-          ' detected 2 dismissed vulnerabilities for the source branch only',
-        );
-      });
-
-      it('should return new and dismissed text', () => {
-        expect(groupedTextBuilder({ paths, added: 1, dismissed: 2 })).toEqual(
-          ' detected 1 new, and 2 dismissed vulnerabilities for the source branch only',
-        );
-      });
-    });
-
-    describe('with base and head', () => {
-      const paths = { head: 'foo', base: 'foo' };
-
-      describe('with no issues', () => {
-        it('should return no vulnerabiltities text', () => {
-          expect(groupedTextBuilder({ paths })).toEqual(' detected no vulnerabilities');
-        });
-      });
-
-      describe('with only `all` issues', () => {
-        it('should return no new vulnerabiltities text', () => {
-          expect(groupedTextBuilder({ paths, existing: 1 })).toEqual(
-            ' detected no new vulnerabilities',
-          );
-        });
-      });
-
-      describe('with only new issues', () => {
-        it('should return new issues text', () => {
-          expect(groupedTextBuilder({ paths, added: 1 })).toEqual(' detected 1 new vulnerability');
-
-          expect(groupedTextBuilder({ paths, added: 2 })).toEqual(
-            ' detected 2 new vulnerabilities',
-          );
-        });
-      });
-
-      describe('with new and resolved issues', () => {
-        it('should return new and fixed issues text', () => {
-          expect(groupedTextBuilder({ paths, added: 1, fixed: 1 }).replace(/\n+\s+/m, ' ')).toEqual(
-            ' detected 1 new, and 1 fixed vulnerabilities',
-          );
-
-          expect(groupedTextBuilder({ paths, added: 2, fixed: 2 }).replace(/\n+\s+/m, ' ')).toEqual(
-            ' detected 2 new, and 2 fixed vulnerabilities',
-          );
-        });
-      });
-
-      describe('with only resolved issues', () => {
-        it('should return fixed issues text', () => {
-          expect(groupedTextBuilder({ paths, fixed: 1 })).toEqual(
-            ' detected 1 fixed vulnerability',
-          );
+  describe('groupedTextBuilder', () => {
+    const critical = 2;
+    const high = 4;
+    const other = 7;
 
-          expect(groupedTextBuilder({ paths, fixed: 2 })).toEqual(
-            ' detected 2 fixed vulnerabilities',
-          );
-        });
+    it.each`
+      vulnerabilities              | message
+      ${undefined}                 | ${' detected no new vulnerabilities.'}
+      ${{ critical }}              | ${' detected 2 critical severity vulnerabilities.'}
+      ${{ high }}                  | ${' detected 4 high severity vulnerabilities.'}
+      ${{ other }}                 | ${' detected 7 vulnerabilities.'}
+      ${{ critical, high }}        | ${' detected 2 critical and 4 high severity vulnerabilities.'}
+      ${{ critical, other }}       | ${' detected 2 critical severity vulnerabilities out of 9.'}
+      ${{ high, other }}           | ${' detected 4 high severity vulnerabilities out of 11.'}
+      ${{ critical, high, other }} | ${' detected 2 critical and 4 high severity vulnerabilities out of 13.'}
+    `('should build the message as "$message"', ({ vulnerabilities, message }) => {
+      expect(groupedTextBuilder(vulnerabilities)).toEqual(message);
     });
 
-      describe('with dismissed issues', () => {
-        it('should return dismissed text', () => {
-          expect(groupedTextBuilder({ paths, dismissed: 2 })).toEqual(
-            ' detected 2 dismissed vulnerabilities',
-          );
+    it.each`
+      vulnerabilities    | message
+      ${{ critical: 1 }} | ${' detected 1 critical severity vulnerability.'}
+      ${{ high: 1 }}     | ${' detected 1 high severity vulnerability.'}
+      ${{ other: 1 }}    | ${' detected 1 vulnerability.'}
+    `('should handle single vulnerabilities for "$message"', ({ vulnerabilities, message }) => {
+      expect(groupedTextBuilder(vulnerabilities)).toEqual(message);
     });
 
-        it('should return new and dismissed text', () => {
-          expect(groupedTextBuilder({ paths, added: 1, dismissed: 2 })).toEqual(
-            ' detected 1 new, and 2 dismissed vulnerabilities',
-          );
-        });
-
-        it('should return fixed and dismissed text', () => {
-          expect(groupedTextBuilder({ paths, fixed: 1, dismissed: 2 })).toEqual(
-            ' detected 1 fixed, and 2 dismissed vulnerabilities',
-          );
+    it('should pass through the report type', () => {
+      const reportType = 'HAL';
+      expect(groupedTextBuilder({ reportType })).toEqual('HAL detected no new vulnerabilities.');
     });
 
-        it('should return new, fixed and dismissed text', () => {
-          expect(groupedTextBuilder({ paths, fixed: 1, added: 1, dismissed: 2 })).toEqual(
-            ' detected 1 new, 1 fixed, and 2 dismissed vulnerabilities',
+    it('should pass through the status', () => {
+      const reportType = 'HAL';
+      const status = '(is loading)';
+      expect(groupedTextBuilder({ reportType, status })).toEqual(
+        'HAL (is loading) detected no new vulnerabilities.',
       );
     });
   });
-    });
-  });
 
   describe('statusIcon', () => {
     describe('with failed report', () => {
@@ -209,66 +149,17 @@ describe('security reports utils', () => {
     });
   });
 
-  describe('countIssues', () => {
-    const allIssues = [{}];
-    const resolvedIssues = [{}];
-    const dismissedIssues = [{ isDismissed: true }];
-    const addedIssues = [{ isDismissed: false }];
-
-    it('returns 0 for all counts if everything is empty', () => {
-      expect(countIssues()).toEqual({
-        added: 0,
-        dismissed: 0,
-        existing: 0,
-        fixed: 0,
-      });
-    });
-
-    it('counts `allIssues` as existing', () => {
-      expect(countIssues({ allIssues })).toEqual({
-        added: 0,
-        dismissed: 0,
-        existing: 1,
-        fixed: 0,
-      });
-    });
-
-    it('counts `resolvedIssues` as fixed', () => {
-      expect(countIssues({ resolvedIssues })).toEqual({
-        added: 0,
-        dismissed: 0,
-        existing: 0,
-        fixed: 1,
-      });
-    });
-
-    it('counts `newIssues` which are dismissed as dismissed', () => {
-      expect(countIssues({ newIssues: dismissedIssues })).toEqual({
-        added: 0,
-        dismissed: 1,
-        existing: 0,
-        fixed: 0,
-      });
-    });
-
-    it('counts `newIssues` which are not dismissed as added', () => {
-      expect(countIssues({ newIssues: addedIssues })).toEqual({
-        added: 1,
-        dismissed: 0,
-        existing: 0,
-        fixed: 0,
-      });
-    });
-
-    it('counts everything', () => {
-      expect(
-        countIssues({ newIssues: [...addedIssues, ...dismissedIssues], resolvedIssues, allIssues }),
-      ).toEqual({
-        added: 1,
-        dismissed: 1,
-        existing: 1,
-        fixed: 1,
-      });
+  describe('countVulnerabilities', () => {
+    it.each`
+      vulnerabilities                                     | response
+      ${[]}                                               | ${{ critical: 0, high: 0, other: 0 }}
+      ${[{ severity: CRITICAL }, { severity: CRITICAL }]} | ${{ critical: 2, high: 0, other: 0 }}
+      ${[{ severity: HIGH }, { severity: HIGH }]}         | ${{ critical: 0, high: 2, other: 0 }}
+      ${[{ severity: LOW }, { severity: MEDIUM }]}        | ${{ critical: 0, high: 0, other: 2 }}
+      ${[{ severity: CRITICAL }, { severity: HIGH }]}     | ${{ critical: 1, high: 1, other: 0 }}
+      ${[{ severity: CRITICAL }, { severity: LOW }]}      | ${{ critical: 1, high: 0, other: 1 }}
+    `('should count the vulnerabilities correctly', ({ vulnerabilities, response }) => {
+      expect(countVulnerabilities(vulnerabilities)).toEqual(response);
     });
   });
 
@@ -296,7 +187,7 @@ describe('security reports utils', () => {
       const report = { ...baseReport };
       const result = groupedReportText(report, reportType, errorMessage, loadingMessage);
 
-      expect(result).toBe(`${reportType} detected no vulnerabilities for the source branch only`);
+      expect(result).toBe(`${reportType} detected no new vulnerabilities.`);
     });
   });
 });

locale/gitlab.pot

@@ -534,6 +534,36 @@ msgstr[1] ""
 msgid "%{remaining_approvals} left"
 msgstr ""
 
+msgid "%{reportType} %{status} detected %{critical} critical and %{high} high severity vulnerabilities out of %{total}."
+msgstr ""
+
+msgid "%{reportType} %{status} detected %{critical} critical and %{high} high severity vulnerabilities."
+msgstr ""
+
+msgid "%{reportType} %{status} detected %{critical} critical severity vulnerabilities out of %{total}."
+msgstr ""
+
+msgid "%{reportType} %{status} detected %{critical} critical severity vulnerability."
+msgid_plural "%{reportType} %{status} detected %{critical} critical severity vulnerabilities."
+msgstr[0] ""
+msgstr[1] ""
+
+msgid "%{reportType} %{status} detected %{high} high severity vulnerabilities out of %{total}."
+msgstr ""
+
+msgid "%{reportType} %{status} detected %{high} high severity vulnerability."
+msgid_plural "%{reportType} %{status} detected %{high} high severity vulnerabilities."
+msgstr[0] ""
+msgstr[1] ""
+
+msgid "%{reportType} %{status} detected %{other} vulnerability."
+msgid_plural "%{reportType} %{status} detected %{other} vulnerabilities."
+msgstr[0] ""
+msgstr[1] ""
+
+msgid "%{reportType} %{status} detected no new vulnerabilities."
+msgstr ""
+
 msgid "%{retryButtonStart}Try again%{retryButtonEnd} or %{newFileButtonStart}attach a new file%{newFileButtonEnd}"
 msgstr ""
 
@@ -26788,55 +26818,6 @@ msgstr ""
 msgid "ciReport|%{remainingPackagesCount} more"
 msgstr ""
 
-msgid "ciReport|%{reportType} %{status} detected %{dismissedCount} dismissed vulnerability"
-msgid_plural "ciReport|%{reportType} %{status} detected %{dismissedCount} dismissed vulnerabilities"
-msgstr[0] ""
-msgstr[1] ""
-
-msgid "ciReport|%{reportType} %{status} detected %{dismissedCount} dismissed vulnerability for the source branch only"
-msgid_plural "ciReport|%{reportType} %{status} detected %{dismissedCount} dismissed vulnerabilities for the source branch only"
-msgstr[0] ""
-msgstr[1] ""
-
-msgid "ciReport|%{reportType} %{status} detected %{fixedCount} fixed vulnerability"
-msgid_plural "ciReport|%{reportType} %{status} detected %{fixedCount} fixed vulnerabilities"
-msgstr[0] ""
-msgstr[1] ""
-
-msgid "ciReport|%{reportType} %{status} detected %{fixedCount} fixed, and %{dismissedCount} dismissed vulnerabilities"
-msgstr ""
-
-msgid "ciReport|%{reportType} %{status} detected %{newCount} new vulnerability"
-msgid_plural "ciReport|%{reportType} %{status} detected %{newCount} new vulnerabilities"
-msgstr[0] ""
-msgstr[1] ""
-
-msgid "ciReport|%{reportType} %{status} detected %{newCount} new, %{fixedCount} fixed, and %{dismissedCount} dismissed vulnerabilities"
-msgstr ""
-
-msgid "ciReport|%{reportType} %{status} detected %{newCount} new, and %{dismissedCount} dismissed vulnerabilities"
-msgstr ""
-
-msgid "ciReport|%{reportType} %{status} detected %{newCount} new, and %{dismissedCount} dismissed vulnerabilities for the source branch only"
-msgstr ""
-
-msgid "ciReport|%{reportType} %{status} detected %{newCount} new, and %{fixedCount} fixed vulnerabilities"
-msgstr ""
-
-msgid "ciReport|%{reportType} %{status} detected %{newCount} vulnerability for the source branch only"
-msgid_plural "ciReport|%{reportType} %{status} detected %{newCount} vulnerabilities for the source branch only"
-msgstr[0] ""
-msgstr[1] ""
-
-msgid "ciReport|%{reportType} %{status} detected no new vulnerabilities"
-msgstr ""
-
-msgid "ciReport|%{reportType} %{status} detected no vulnerabilities"
-msgstr ""
-
-msgid "ciReport|%{reportType} %{status} detected no vulnerabilities for the source branch only"
-msgstr ""
-
 msgid "ciReport|%{reportType} is loading"
 msgstr ""