Commit 828daf10 authored by Subashis's avatar Subashis

Expose dismissal reason and dismissal descriptions

- Make translations dynamic for dismissal descriptions
- Extend helper to return dismissal feedback
- Expose dismissal_reason and dismissal_descriptions in feedback entity
- Update spec factory to accomodate dismissal reason
- Update graphql doc
- Add newly externalized strings
- Add change log
parent c956d96f
...@@ -8093,11 +8093,11 @@ The dismissal reason of the Vulnerability. ...@@ -8093,11 +8093,11 @@ The dismissal reason of the Vulnerability.
| Value | Description | | Value | Description |
| ----- | ----------- | | ----- | ----------- |
| `ACCEPTABLE_RISK` | The likelihood of the Vulnerability occurring and its impact are deemed acceptable | | `ACCEPTABLE_RISK` | The vulnerability is known, and has not been remediated or mitigated, but is considered to be an acceptable business risk. |
| `FALSE_POSITIVE` | The Vulnerability was incorrectly identified as being present | | `FALSE_POSITIVE` | An error in reporting in which a test result incorrectly indicates the presence of a vulnerability in a system when the vulnerability is not present. |
| `MITIGATING_CONTROL` | There is a mitigating control that eliminates the Vulnerability or makes its risk acceptable | | `MITIGATING_CONTROL` | A management, operational, or technical control (that is, safeguard or countermeasure) employed by an organization that provides equivalent or comparable protection for an information system. |
| `NOT_APPLICABLE` | Other reasons for dismissal | | `NOT_APPLICABLE` | The vulnerability is known, and has not been remediated or mitigated, but is considered to be in a part of the application that will not be updated. |
| `USED_IN_TESTS` | The Vulnerability is used in tests and does not pose an actual risk | | `USED_IN_TESTS` | The finding is not a vulnerability because it is part of a test or is test data. |
### `VulnerabilityExternalIssueLinkExternalTracker` ### `VulnerabilityExternalIssueLinkExternalTracker`
......
...@@ -9,11 +9,11 @@ module Vulnerabilities ...@@ -9,11 +9,11 @@ module Vulnerabilities
description 'The dismissal reason of the Vulnerability' description 'The dismissal reason of the Vulnerability'
define do define do
acceptable_risk value: 0, description: 'The likelihood of the Vulnerability occurring and its impact are deemed acceptable' acceptable_risk value: 0, description: _('The vulnerability is known, and has not been remediated or mitigated, but is considered to be an acceptable business risk.')
false_positive value: 1, description: 'The Vulnerability was incorrectly identified as being present' false_positive value: 1, description: _('An error in reporting in which a test result incorrectly indicates the presence of a vulnerability in a system when the vulnerability is not present.')
mitigating_control value: 2, description: 'There is a mitigating control that eliminates the Vulnerability or makes its risk acceptable' mitigating_control value: 2, description: _('A management, operational, or technical control (that is, safeguard or countermeasure) employed by an organization that provides equivalent or comparable protection for an information system.')
used_in_tests value: 3, description: 'The Vulnerability is used in tests and does not pose an actual risk' used_in_tests value: 3, description: _('The finding is not a vulnerability because it is part of a test or is test data.')
not_applicable value: 4, description: 'Other reasons for dismissal' not_applicable value: 4, description: _('The vulnerability is known, and has not been remediated or mitigated, but is considered to be in a part of the application that will not be updated.')
end end
end end
end end
# frozen_string_literal: true # frozen_string_literal: true
module VulnerabilitiesHelper module VulnerabilitiesHelper
FINDING_FIELDS = %i[metadata identifiers name issue_feedback merge_request_feedback project project_fingerprint scanner uuid details].freeze FINDING_FIELDS = %i[metadata identifiers name issue_feedback merge_request_feedback project project_fingerprint scanner uuid details dismissal_feedback].freeze
def vulnerability_details_json(vulnerability, pipeline) def vulnerability_details_json(vulnerability, pipeline)
vulnerability_details(vulnerability, pipeline).to_json vulnerability_details(vulnerability, pipeline).to_json
......
...@@ -49,6 +49,11 @@ class Vulnerabilities::FeedbackEntity < Grape::Entity ...@@ -49,6 +49,11 @@ class Vulnerabilities::FeedbackEntity < Grape::Entity
end end
expose :project_fingerprint expose :project_fingerprint
expose :dismissal_reason
expose :dismissal_descriptions do |feedback|
Vulnerabilities::DismissalReasonEnum.definition.transform_values { |v| v[:description] }
end
alias_method :feedback, :object alias_method :feedback, :object
private private
......
---
title: Expose dismissal reason and dismissal descriptions in Vulnerability details
view
merge_request: 55525
author:
type: added
...@@ -20,6 +20,7 @@ FactoryBot.define do ...@@ -20,6 +20,7 @@ FactoryBot.define do
trait :dismissal do trait :dismissal do
feedback_type { 'dismissal' } feedback_type { 'dismissal' }
dismissal_reason { 'acceptable_risk' }
end end
trait :comment do trait :comment do
......
...@@ -37,7 +37,11 @@ ...@@ -37,7 +37,11 @@
"project_fingerprint": { "type": "string" }, "project_fingerprint": { "type": "string" },
"branch": { "type": ["string", "null"] }, "branch": { "type": ["string", "null"] },
"destroy_vulnerability_feedback_dismissal_path": { "type": "string" }, "destroy_vulnerability_feedback_dismissal_path": { "type": "string" },
"finding_uuid": { "type": ["string", "null"] } "finding_uuid": { "type": ["string", "null"] },
"dismissal_reason": { "type": ["string", "null"] },
"dismissal_descriptions": {
"type": {"string": "string"}
}
}, },
"additionalProperties": false "additionalProperties": false
} }
...@@ -4,9 +4,9 @@ require 'spec_helper' ...@@ -4,9 +4,9 @@ require 'spec_helper'
RSpec.describe VulnerabilitiesHelper do RSpec.describe VulnerabilitiesHelper do
let_it_be(:user) { create(:user) } let_it_be(:user) { create(:user) }
let(:project) { create(:project, :repository, :public) } let_it_be(:project) { create(:project, :repository, :public) }
let(:pipeline) { create(:ci_pipeline, :success, project: project) } let_it_be(:pipeline) { create(:ci_pipeline, :success, project: project) }
let(:finding) { create(:vulnerabilities_finding, pipelines: [pipeline], project: project, severity: :high) } let_it_be(:finding) { create(:vulnerabilities_finding, pipelines: [pipeline], project: project, severity: :high) }
let(:vulnerability) { create(:vulnerability, title: "My vulnerability", project: project, findings: [finding]) } let(:vulnerability) { create(:vulnerability, title: "My vulnerability", project: project, findings: [finding]) }
before do before do
...@@ -43,7 +43,7 @@ RSpec.describe VulnerabilitiesHelper do ...@@ -43,7 +43,7 @@ RSpec.describe VulnerabilitiesHelper do
:details) :details)
end end
let(:desired_serializer_fields) { %i[metadata identifiers name issue_feedback merge_request_feedback project project_fingerprint scanner uuid details] } let(:desired_serializer_fields) { %i[metadata identifiers name issue_feedback merge_request_feedback project project_fingerprint scanner uuid details dismissal_feedback] }
before do before do
vulnerability_serializer_stub = instance_double("VulnerabilitySerializer") vulnerability_serializer_stub = instance_double("VulnerabilitySerializer")
...@@ -270,7 +270,8 @@ RSpec.describe VulnerabilitiesHelper do ...@@ -270,7 +270,8 @@ RSpec.describe VulnerabilitiesHelper do
assets: kind_of(Array), assets: kind_of(Array),
supporting_messages: kind_of(Array), supporting_messages: kind_of(Array),
uuid: kind_of(String), uuid: kind_of(String),
details: kind_of(Hash) details: kind_of(Hash),
dismissal_feedback: anything
) )
expect(subject[:location]['blob_path']).to match(kind_of(String)) expect(subject[:location]['blob_path']).to match(kind_of(String))
...@@ -286,6 +287,17 @@ RSpec.describe VulnerabilitiesHelper do ...@@ -286,6 +287,17 @@ RSpec.describe VulnerabilitiesHelper do
expect(subject[:location]).not_to have_key('blob_path') expect(subject[:location]).not_to have_key('blob_path')
end end
end end
context 'with existing dismissal feedback' do
let_it_be(:feedback) { create(:vulnerability_feedback, :comment, :dismissal, project: project, pipeline: pipeline, project_fingerprint: finding.project_fingerprint) }
it 'returns dismissal feedback information', :aggregate_failures do
dismissal_feedback = subject[:dismissal_feedback]
expect(dismissal_feedback[:dismissal_reason]).to eq(feedback.dismissal_reason)
expect(dismissal_feedback[:dismissal_descriptions]).to eq(Vulnerabilities::DismissalReasonEnum.definition.transform_values { |v| v[:description] })
expect(dismissal_feedback[:comment_details][:comment]).to eq(feedback.comment)
end
end
end end
describe '#vulnerability_scan_data?' do describe '#vulnerability_scan_data?' do
......
...@@ -178,4 +178,28 @@ RSpec.describe Vulnerabilities::FeedbackEntity do ...@@ -178,4 +178,28 @@ RSpec.describe Vulnerabilities::FeedbackEntity do
expect(subject[:finding_uuid]).to eq(finding.uuid) expect(subject[:finding_uuid]).to eq(finding.uuid)
end end
end end
context 'when dismissal_reason is not present' do
let(:feedback) { build_stubbed(:vulnerability_feedback, :issue, project: project) }
it "returns nil" do
expect(subject[:dismissal_reason]).to be_nil
end
end
context 'when dismissal_reason is present' do
let(:feedback) { build_stubbed(:vulnerability_feedback, :dismissal, project: project) }
it 'exposes dismissal_reason' do
expect(subject[:dismissal_reason]).to eq(feedback.dismissal_reason)
end
end
context 'when dismissal descriptions are available' do
let(:feedback) { build_stubbed(:vulnerability_feedback, :dismissal, project: project) }
it 'exposes dismissal_descriptions' do
expect(subject[:dismissal_descriptions]).to eq(Vulnerabilities::DismissalReasonEnum.definition.transform_values { |v| v[:description] })
end
end
end end
...@@ -1368,6 +1368,9 @@ msgstr "" ...@@ -1368,6 +1368,9 @@ msgstr ""
msgid "A limit of %{ci_project_subscriptions_limit} subscriptions to or from a project applies." msgid "A limit of %{ci_project_subscriptions_limit} subscriptions to or from a project applies."
msgstr "" msgstr ""
msgid "A management, operational, or technical control (that is, safeguard or countermeasure) employed by an organization that provides equivalent or comparable protection for an information system."
msgstr ""
msgid "A member of the abuse team will review your report as soon as possible." msgid "A member of the abuse team will review your report as soon as possible."
msgstr "" msgstr ""
...@@ -3262,6 +3265,9 @@ msgstr "" ...@@ -3262,6 +3265,9 @@ msgstr ""
msgid "An error has occurred" msgid "An error has occurred"
msgstr "" msgstr ""
msgid "An error in reporting in which a test result incorrectly indicates the presence of a vulnerability in a system when the vulnerability is not present."
msgstr ""
msgid "An error occurred adding a draft to the thread." msgid "An error occurred adding a draft to the thread."
msgstr "" msgstr ""
...@@ -29968,6 +29974,9 @@ msgstr "" ...@@ -29968,6 +29974,9 @@ msgstr ""
msgid "The file name should have a .yml extension" msgid "The file name should have a .yml extension"
msgstr "" msgstr ""
msgid "The finding is not a vulnerability because it is part of a test or is test data."
msgstr ""
msgid "The following %{user} can also merge into this branch: %{branch}" msgid "The following %{user} can also merge into this branch: %{branch}"
msgstr "" msgstr ""
...@@ -30270,6 +30279,12 @@ msgstr "" ...@@ -30270,6 +30279,12 @@ msgstr ""
msgid "The visualization will appear in this tab when the CI/CD configuration file is populated with valid syntax." msgid "The visualization will appear in this tab when the CI/CD configuration file is populated with valid syntax."
msgstr "" msgstr ""
msgid "The vulnerability is known, and has not been remediated or mitigated, but is considered to be an acceptable business risk."
msgstr ""
msgid "The vulnerability is known, and has not been remediated or mitigated, but is considered to be in a part of the application that will not be updated."
msgstr ""
msgid "The vulnerability is no longer detected. Verify the vulnerability has been fixed or removed before changing its status." msgid "The vulnerability is no longer detected. Verify the vulnerability has been fixed or removed before changing its status."
msgstr "" msgstr ""
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment