Add method to create issue in Jira from vulnerability finding

This change adds link to finding to create issue in Jira.

Add method to create issue in Jira from vulnerability finding
This change adds link to finding to create issue in Jira.
a4379bae · Alan (Maciej) Paruszewski · Dmytro Zaporozhets (DZ) · eb544aac · a4379bae · a4379bae
Commit a4379bae authored Dec 08, 2020 by Alan (Maciej) Paruszewski Committed by Dmytro Zaporozhets (DZ) Dec 08, 2020
7 changed files
--- a/ee/app/helpers/vulnerabilities_helper.rb
+++ b/ee/app/helpers/vulnerabilities_helper.rb
 # frozen_string_literal: true

 module VulnerabilitiesHelper
+  FINDING_FIELDS = %i[metadata identifiers name issue_feedback merge_request_feedback project project_fingerprint scanner].freeze
+
  def vulnerability_details_json(vulnerability, pipeline)
    vulnerability_details(vulnerability, pipeline).to_json
  end
@@ -36,9 +38,10 @@ module VulnerabilitiesHelper
  def create_jira_issue_url_for(vulnerability)
    return unless vulnerability.project.jira_vulnerabilities_integration_enabled?

-    summary = _('Investigate vulnerability: %{title}') % { title: vulnerability.title }
+    decorated_vulnerability = vulnerability.present
+    summary = _('Investigate vulnerability: %{title}') % { title: decorated_vulnerability.title }
    description = ApplicationController.render(template: 'vulnerabilities/jira_issue_description.md.erb',
-                                               locals: { vulnerability: vulnerability.present })
+                                               locals: { vulnerability: decorated_vulnerability })

    vulnerability.project.jira_service.new_issue_url_with_predefined_fields(summary, description)
  end
@@ -59,28 +62,7 @@ module VulnerabilitiesHelper
  end

  def vulnerability_finding_data(vulnerability)
-    finding = Vulnerabilities::FindingSerializer.new(current_user: current_user).represent(vulnerability.finding)
-
-    data = finding.slice(
-      :description,
-      :identifiers,
-      :links,
-      :location,
-      :name,
-      :issue_feedback,
-      :merge_request_feedback,
-      :project,
-      :project_fingerprint,
-      :remediations,
-      :evidence,
-      :scanner,
-      :solution,
-      :request,
-      :response,
-      :evidence_source,
-      :supporting_messages,
-      :assets
-    )
+    data = Vulnerabilities::FindingSerializer.new(current_user: current_user).represent(vulnerability.finding, only: FINDING_FIELDS)

    if data[:location]['file']
      branch = vulnerability.finding.pipelines&.last&.sha || vulnerability.project.default_branch

--- a/ee/app/presenters/vulnerabilities/finding_presenter.rb
+++ b/ee/app/presenters/vulnerabilities/finding_presenter.rb
@@ -4,6 +4,10 @@ module Vulnerabilities
  class FindingPresenter < Gitlab::View::Presenter::Delegated
    presents :finding

+    def title
+      name
+    end
+
    def blob_path
      return '' unless sha.present?
      return '' unless location.present? && location['file'].present?

--- a/ee/app/serializers/vulnerabilities/finding_entity.rb
+++ b/ee/app/serializers/vulnerabilities/finding_entity.rb
@@ -2,11 +2,15 @@

 class Vulnerabilities::FindingEntity < Grape::Entity
  include RequestAwareEntity
+  include VulnerabilitiesHelper

  expose :id, :report_type, :name, :severity, :confidence
  expose :scanner, using: Vulnerabilities::ScannerEntity
  expose :identifiers, using: Vulnerabilities::IdentifierEntity
  expose :project_fingerprint
+  expose :create_jira_issue_url do |occurrence|
+    create_jira_issue_url_for(occurrence)
+  end
  expose :create_vulnerability_feedback_issue_path do |occurrence|
    create_vulnerability_feedback_issue_path(occurrence.project)
  end

--- a/ee/app/views/vulnerabilities/jira_issue_description.md.erb
+++ b/ee/app/views/vulnerabilities/jira_issue_description.md.erb
@@ -12,11 +12,11 @@ h3. <%= _("Description") %>:
 <% if vulnerability.confidence.present? %>
 * <%= _("Confidence") %>: <%= vulnerability.confidence %>
 <% end %>
-<% if vulnerability.try(:file) %>
-* <%= _("Location") %>: [<%= vulnerability.location_text %>|<%= vulnerability.location_link %>]
+<% if vulnerability.try(:location_text) && vulnerability.try(:location_link) %>
+* <%= _("Location") %>: [<%= vulnerability.try(:location_text) %>|<%= vulnerability.try(:location_link) %>]
 <% end %>

-<% if vulnerability.solution.present? %>
+<% if vulnerability.solution.present? && vulnerability.is_a?(Vulnerability) %>
 ### <%= _("Solution") %>:

 <%= _("See vulnerability %{vulnerability_link} for any Solution details.".html_safe) % { vulnerability_link: "[#{vulnerability.id}|#{vulnerability_url(vulnerability)}]" } %>
@@ -59,17 +59,17 @@ h3. <%= _("Scanner") %>:
 * <%= _("Name") %>: <%= vulnerability.scanner[:name] %>
 <% end %>
 <% if vulnerability.scan.present? %>
-<% if vulnerability.scan[:type].present? %>
-* <%= _("Type") %>: <%= vulnerability.scan[:type] %>
+<% if vulnerability.scan.type.present? %>
+* <%= _("Type") %>: <%= vulnerability.scan.type %>
 <% end %>
-<% if vulnerability.scan[:status].present? %>
-* <%= _("Status") %>: <%= vulnerability.scan[:status] %>
+<% if vulnerability.scan.status.present? %>
+* <%= _("Status") %>: <%= vulnerability.scan.status %>
 <% end %>
-<% if vulnerability.scan[:start_time].present? %>
-* <%= _("Start Time") %>: <%= vulnerability.scan[:start_time] %>
+<% if vulnerability.scan.start_time.present? %>
+* <%= _("Start Time") %>: <%= vulnerability.scan.start_time %>
 <% end %>
-<% if vulnerability.scan[:end_time].present? %>
-* <%= _("End Time") %>: <%= vulnerability.scan[:end_time] %>
+<% if vulnerability.scan.end_time.present? %>
+* <%= _("End Time") %>: <%= vulnerability.scan.end_time %>
 <% end %>
 <% end %>
 <% end %>
--- a/ee/spec/helpers/vulnerabilities_helper_spec.rb
+++ b/ee/spec/helpers/vulnerabilities_helper_spec.rb
@@ -41,6 +41,8 @@ RSpec.describe VulnerabilitiesHelper do
                    :solution)
    end

+    let(:desired_serializer_fields) { %i[metadata identifiers name issue_feedback merge_request_feedback project project_fingerprint scanner] }
+
    before do
      vulnerability_serializer_stub = instance_double("VulnerabilitySerializer")
      expect(VulnerabilitySerializer).to receive(:new).and_return(vulnerability_serializer_stub)
@@ -48,7 +50,7 @@ RSpec.describe VulnerabilitiesHelper do

      finding_serializer_stub = instance_double("Vulnerabilities::FindingSerializer")
      expect(Vulnerabilities::FindingSerializer).to receive(:new).and_return(finding_serializer_stub)
-      expect(finding_serializer_stub).to receive(:represent).with(finding).and_return(finding_serializer_hash)
+      expect(finding_serializer_stub).to receive(:represent).with(finding, only: desired_serializer_fields).and_return(finding_serializer_hash)
    end

    around do |example|
@@ -227,7 +229,7 @@ RSpec.describe VulnerabilitiesHelper do
    subject { helper.vulnerability_finding_data(vulnerability) }

    it 'returns finding information' do
-      expect(subject).to match(
+      expect(subject.to_h).to match(
        description: finding.description,
        identifiers: kind_of(Array),
        issue_feedback: anything,

--- a/ee/spec/presenters/vulnerabilities/finding_presenter_spec.rb
+++ b/ee/spec/presenters/vulnerabilities/finding_presenter_spec.rb
@@ -6,6 +6,12 @@ RSpec.describe Vulnerabilities::FindingPresenter do
  let(:presenter) { described_class.new(occurrence) }
  let(:occurrence) { build_stubbed(:vulnerabilities_finding) }

+  describe '#title' do
+    subject { presenter.title }
+
+    it { is_expected.to eq occurrence.name }
+  end
+
  describe '#blob_path' do
    subject { presenter.blob_path }


--- a/ee/spec/serializers/vulnerabilities/finding_entity_spec.rb
+++ b/ee/spec/serializers/vulnerabilities/finding_entity_spec.rb
@@ -4,7 +4,7 @@ require 'spec_helper'

 RSpec.describe Vulnerabilities::FindingEntity do
  let_it_be(:user) { build(:user) }
-  let_it_be(:project) { build(:project) }
+  let_it_be_with_refind(:project) { create(:project) }

  let(:scanner) { build(:vulnerabilities_scanner, project: project) }

@@ -67,6 +67,7 @@ RSpec.describe Vulnerabilities::FindingEntity do
      end

      it 'does not contain vulnerability feedback paths' do
+        expect(subject[:create_jira_issue_url]).to be_falsey
        expect(subject[:create_vulnerability_feedback_issue_path]).to be_falsey
        expect(subject[:create_vulnerability_feedback_merge_request_path]).to be_falsey
        expect(subject[:create_vulnerability_feedback_dismissal_path]).to be_falsey
@@ -78,6 +79,10 @@ RSpec.describe Vulnerabilities::FindingEntity do
        project.add_developer(user)
      end

+      it 'does not contain create jira issue path' do
+        expect(subject[:create_jira_issue_url]).to be_falsey
+      end
+
      it 'contains vulnerability feedback dismissal path' do
        expect(subject).to include(:create_vulnerability_feedback_dismissal_path)
      end
@@ -90,9 +95,28 @@ RSpec.describe Vulnerabilities::FindingEntity do
        expect(subject).to include(:create_vulnerability_feedback_merge_request_path)
      end

+      context 'when jira service is configured' do
+        let_it_be(:jira_service) { create(:jira_service, project: project, issues_enabled: true, project_key: 'FE', vulnerabilities_enabled: true, vulnerabilities_issuetype: '10001') }
+
+        before do
+          stub_licensed_features(jira_vulnerabilities_integration: true)
+          allow_next_found_instance_of(JiraService) do |jira|
+            allow(jira).to receive(:jira_project_id).and_return('11223')
+          end
+        end
+
+        it 'does contains create jira issue path' do
+          expect(subject[:create_jira_issue_url]).to be_present
+        end
+      end
+
      context 'when disallowed to create issue' do
        let(:project) { create(:project, issues_access_level: ProjectFeature::DISABLED) }

+        it 'does not contain create jira issue path' do
+          expect(subject[:create_jira_issue_url]).to be_falsey
+        end
+
        it 'does not contain vulnerability feedback issue path' do
          expect(subject[:create_vulnerability_feedback_issue_path]).to be_falsey
        end
@@ -109,6 +133,10 @@ RSpec.describe Vulnerabilities::FindingEntity do
      context 'when disallowed to create merge_request' do
        let(:project) { create(:project, merge_requests_access_level: ProjectFeature::DISABLED) }

+        it 'does not contain create jira issue path' do
+          expect(subject[:create_jira_issue_url]).to be_falsey
+        end
+
        it 'does not contain vulnerability feedback merge_request path' do
          expect(subject[:create_vulnerability_feedback_merge_request_path]).to be_falsey
        end