Support for new dependency scanning report format

This adds support for the new report syntax to DS. We add support by wrapping the old simple array in a hash within a `vulnerabilities` key.

Support for new dependency scanning report format
This adds support for the new report syntax to DS. We add support by wrapping the old simple array in a hash within a `vulnerabilities` key.
8acfd615 · Lukas Eipert · 14ee3a2c · 8acfd615 · 8acfd615 · 8acfd615
Commit 8acfd615 authored Dec 15, 2018 by Lukas Eipert
6 changed files
--- a/ee/app/assets/javascripts/vue_shared/security_reports/store/constants.js
+++ b/ee/app/assets/javascripts/vue_shared/security_reports/store/constants.js
 export const LOADING = 'LOADING';
 export const ERROR = 'ERROR';
 export const SUCCESS = 'SUCCESS';
-export const DEPRECATED_SAST_REPORT_VERSION = '1.2';
--- a/ee/app/assets/javascripts/vue_shared/security_reports/store/utils.js
+++ b/ee/app/assets/javascripts/vue_shared/security_reports/store/utils.js
@@ -2,9 +2,6 @@ import sha1 from 'sha1';
 import _ from 'underscore';
 import { stripHtml } from '~/lib/utils/text_utility';
 import { n__, s__, sprintf } from '~/locale';
-import {
-  DEPRECATED_SAST_REPORT_VERSION,
-} from 'ee/vue_shared/security_reports/store/constants';
 /**
 * Returns the index of an issue in given list
@@ -98,13 +95,11 @@ function adaptDeprecatedIssueFormat(issue) {
 * Wraps old report formats (plain array of vulnerabilities).
 *
 * @param {Array|Object} report
- * @param {String} deprecatedReportVersion
 * @returns {Object}
 */
-function adaptDeprecatedReportFormat(report, deprecatedReportVersion) {
+function adaptDeprecatedReportFormat(report) {
  if (Array.isArray(report)) {
    return {
-      version: deprecatedReportVersion,
      vulnerabilities: report,
    };
  }
@@ -121,7 +116,7 @@ function adaptDeprecatedReportFormat(report, deprecatedReportVersion) {
 * @returns {Array}
 */
 export const parseSastIssues = (report = [], feedback = [], path = '') =>
-  adaptDeprecatedReportFormat(report, DEPRECATED_SAST_REPORT_VERSION).vulnerabilities.map(issue => {
+  adaptDeprecatedReportFormat(report).vulnerabilities.map(issue => {
    const parsed = {
      ...adaptDeprecatedIssueFormat(issue),
      category: 'sast',
@@ -140,15 +135,15 @@ export const parseSastIssues = (report = [], feedback = [], path = '') =>
 /**
 * Parses Dependency Scanning results into a common format to allow to use the same Vue component.
 *
- * @param {Array} issues
+ * @param {Array|Object} report
 * @param {Array} feedback
 * @param {String} path
 * @returns {Array}
 */
-export const parseDependencyScanningIssues = (issues = [], feedback = [], path = '') =>
+export const parseDependencyScanningIssues = (report = [], feedback = [], path = '') =>
-  issues.map(issue => {
+  adaptDeprecatedReportFormat(report).vulnerabilities.map(issue => {
    const parsed = {
-      ...adaptDeprecatedFormat(issue),
+      ...adaptDeprecatedIssueFormat(issue),
      category: 'dependency_scanning',
      project_fingerprint: sha1(issue.cve || issue.message),
      title: issue.message,

--- a/ee/changelogs/unreleased/5656-new-syntax-support-FE.yml
+++ b/ee/changelogs/unreleased/5656-new-syntax-support-FE.yml
+---
+title: Support for new SAST and dependency scanning report format
+merge_request: 8869
+author:
+type: other
--- a/ee/spec/javascripts/vue_shared/security_reports/mock_data.js
+++ b/ee/spec/javascripts/vue_shared/security_reports/mock_data.js
@@ -364,7 +364,7 @@ export const parsedSastBaseStore = [
  },
 ];
-export const dependencyScanningIssues = [
+export const dependencyScanningIssuesOld = [
  {
    tool: 'bundler_audit',
    message: 'Arbitrary file existence disclosure in Action Pack',
@@ -394,6 +394,111 @@ export const dependencyScanningIssues = [
  },
 ];
+export const dependencyScanningIssues = [
+  {
+    category: 'dependency_scanning',
+    message: 'ruby-ffi DDL loading issue on Windows OS',
+    cve: 'sast-sample-rails/Gemfile.lock:ffi:cve:CVE-2018-1000201',
+    severity: 'High',
+    solution: 'upgrade to \u003e= 1.9.24',
+    scanner: {
+      id: 'bundler_audit',
+      name: 'bundler-audit',
+    },
+    location: {
+      file: 'sast-sample-rails/Gemfile.lock',
+      dependency: {
+        package: {
+          name: 'ffi',
+        },
+        version: '1.9.18',
+      },
+    },
+    identifiers: [
+      {
+        type: 'cve',
+        name: 'CVE-2018-1000201',
+        value: 'CVE-2018-1000201',
+        url: 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000201',
+      },
+    ],
+    links: [
+      {
+        url: 'https://github.com/ffi/ffi/releases/tag/1.9.24',
+      },
+    ],
+  },
+  {
+    category: 'dependency_scanning',
+    message: 'XSS vulnerability in rails-html-sanitizer',
+    cve: 'sast-sample-rails/Gemfile.lock:rails-html-sanitizer:cve:CVE-2018-3741',
+    severity: 'Unknown',
+    solution: 'upgrade to \u003e= 1.0.4',
+    scanner: {
+      id: 'bundler_audit',
+      name: 'bundler-audit',
+    },
+    location: {
+      file: 'sast-sample-rails/Gemfile.lock',
+      dependency: {
+        package: {
+          name: 'rails-html-sanitizer',
+        },
+        version: '1.0.3',
+      },
+    },
+    identifiers: [
+      {
+        type: 'cve',
+        name: 'CVE-2018-3741',
+        value: 'CVE-2018-3741',
+        url: 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3741',
+      },
+    ],
+    links: [
+      {
+        url: 'https://groups.google.com/d/msg/rubyonrails-security/tP7W3kLc5u4/uDy2Br7xBgAJ',
+      },
+    ],
+  },
+  {
+    category: 'dependency_scanning',
+    message: 'Vulnerability in ansi2html',
+    cve: ':ansi2html:npm:51',
+    severity: 'High',
+    scanner: {
+      id: 'retire.js',
+      name: 'Retire.js',
+    },
+    location: {
+      dependency: {
+        package: {
+          name: 'ansi2html',
+        },
+        version: '0.0.1',
+      },
+    },
+    identifiers: [
+      {
+        type: 'npm',
+        name: 'NPM-51',
+        value: '51',
+        url: 'https://www.npmjs.com/advisories/51',
+      },
+    ],
+    links: [
+      {
+        url: 'https://nodesecurity.io/advisories/51',
+      },
+    ],
+  },
+];
+export const dependencyScanningIssuesMajor2 = {
+  version: '2.0',
+  vulnerabilities: dependencyScanningIssues,
+};
 export const dependencyScanningIssuesBase = [
  {
    tool: 'bundler_audit',

--- a/ee/spec/javascripts/vue_shared/security_reports/store/mutations_spec.js
+++ b/ee/spec/javascripts/vue_shared/security_reports/store/mutations_spec.js
@@ -7,7 +7,7 @@ import {
  parsedSastIssuesHead,
  parsedSastBaseStore,
  parsedSastIssuesStore,
-  dependencyScanningIssues,
+  dependencyScanningIssuesOld,
  dependencyScanningIssuesBase,
  parsedDependencyScanningIssuesHead,
  parsedDependencyScanningBaseStore,
@@ -303,7 +303,7 @@ describe('security reports mutations', () => {
        mutations[types.SET_BASE_BLOB_PATH](stateCopy, 'path');
        mutations[types.SET_HEAD_BLOB_PATH](stateCopy, 'path');
        mutations[types.RECEIVE_DEPENDENCY_SCANNING_REPORTS](stateCopy, {
-          head: dependencyScanningIssues,
+          head: dependencyScanningIssuesOld,
          base: dependencyScanningIssuesBase,
        });
@@ -321,7 +321,7 @@ describe('security reports mutations', () => {
      it('should set new issues', () => {
        mutations[types.SET_HEAD_BLOB_PATH](stateCopy, 'path');
        mutations[types.RECEIVE_DEPENDENCY_SCANNING_REPORTS](stateCopy, {
-          head: dependencyScanningIssues,
+          head: dependencyScanningIssuesOld,
        });
        expect(stateCopy.dependencyScanning.isLoading).toEqual(false);

--- a/ee/spec/javascripts/vue_shared/security_reports/store/utils_spec.js
+++ b/ee/spec/javascripts/vue_shared/security_reports/store/utils_spec.js
@@ -15,7 +15,9 @@ import {
  sastIssues,
  sastIssuesMajor2,
  sastFeedbacks,
+  dependencyScanningIssuesOld,
  dependencyScanningIssues,
+  dependencyScanningIssuesMajor2,
  dependencyScanningFeedbacks,
  dockerReport,
  containerScanningFeedbacks,
@@ -106,35 +108,59 @@ describe('security reports utils', () => {
  describe('parseDependencyScanningIssues', () => {
    it('should parse the received issues', () => {
-      const parsed = parseDependencyScanningIssues(dependencyScanningIssues, [], 'path')[0];
+      const parsed = parseDependencyScanningIssues(dependencyScanningIssuesOld, [], 'path')[0];
-      expect(parsed.title).toEqual(dependencyScanningIssues[0].message);
+      expect(parsed.title).toEqual(dependencyScanningIssuesOld[0].message);
-      expect(parsed.path).toEqual(dependencyScanningIssues[0].file);
+      expect(parsed.path).toEqual(dependencyScanningIssuesOld[0].file);
-      expect(parsed.location.start_line).toEqual(sastIssues[0].location.start_line);
+      expect(parsed.location.start_line).toEqual(parseInt(dependencyScanningIssuesOld[0].line, 10));
      expect(parsed.location.end_line).toBeUndefined();
      expect(parsed.urlPath).toEqual('path/Gemfile.lock#L5');
-      expect(parsed.project_fingerprint).toEqual(sha1(dependencyScanningIssues[0].cve));
+      expect(parsed.project_fingerprint).toEqual(sha1(dependencyScanningIssuesOld[0].cve));
+    });
+    it('should parse the received issues with new JSON format', () => {
+      const raw = dependencyScanningIssues[0];
+      const parsed = parseDependencyScanningIssues(dependencyScanningIssues, [], 'path')[0];
+      expect(parsed.title).toEqual(raw.message);
+      expect(parsed.path).toEqual(raw.location.file);
+      expect(parsed.location.start_line).toBeUndefined();
+      expect(parsed.location.end_line).toBeUndefined();
+      expect(parsed.urlPath).toEqual(`path/${raw.location.file}`);
+      expect(parsed.project_fingerprint).toEqual(sha1(raw.cve));
+    });
+    it('should parse the received issues with new JSON format (2.0)', () => {
+      const raw = dependencyScanningIssues[0];
+      const parsed = parseDependencyScanningIssues(dependencyScanningIssuesMajor2, [], 'path')[0];
+      expect(parsed.title).toEqual(raw.message);
+      expect(parsed.path).toEqual(raw.location.file);
+      expect(parsed.location.start_line).toBeUndefined();
+      expect(parsed.location.end_line).toBeUndefined();
+      expect(parsed.urlPath).toEqual(`path/${raw.location.file}`);
+      expect(parsed.project_fingerprint).toEqual(sha1(raw.cve));
    });
    it('generate correct path to file when there is no line', () => {
-      const parsed = parseDependencyScanningIssues(dependencyScanningIssues, [], 'path')[1];
+      const parsed = parseDependencyScanningIssues(dependencyScanningIssuesOld, [], 'path')[1];
      expect(parsed.urlPath).toEqual('path/Gemfile.lock');
    });
    it('uses message to generate sha1 when cve is undefined', () => {
-      const issuesWithoutCve = dependencyScanningIssues.map(issue => ({
+      const issuesWithoutCve = dependencyScanningIssuesOld.map(issue => ({
        ...issue,
        cve: undefined,
      }));
      const parsed = parseDependencyScanningIssues(issuesWithoutCve, [], 'path')[0];
-      expect(parsed.project_fingerprint).toEqual(sha1(dependencyScanningIssues[0].message));
+      expect(parsed.project_fingerprint).toEqual(sha1(dependencyScanningIssuesOld[0].message));
    });
    it('includes vulnerability feedbacks', () => {
      const parsed = parseDependencyScanningIssues(
-        dependencyScanningIssues,
+        dependencyScanningIssuesOld,
        dependencyScanningFeedbacks,
        'path',
      )[0];