Sort vuln by severity and confidence for dashboard and pipeline

Added tests Updated existing test

Sort vuln by severity and confidence for dashboard and pipeline
Added tests Updated existing test
a744cde1 · Can Eldem · Rémy Coutable · c4750b40 · a744cde1 · a744cde1
Commit a744cde1 authored Oct 18, 2019 by Can Eldem Committed by Rémy Coutable Oct 18, 2019
6 changed files
--- a/changelogs/unreleased/sort-severity-then-confidence.yml
+++ b/changelogs/unreleased/sort-severity-then-confidence.yml
+---
+title: Sort vulnerabilities by severity then confidence for dashboard and pipeline views
+merge_request: 18675
+author:
+type: changed
--- a/ee/app/finders/security/pipeline_vulnerabilities_finder.rb
+++ b/ee/app/finders/security/pipeline_vulnerabilities_finder.rb
@@ -24,7 +24,11 @@ module Security
    end

    def execute
-      pipeline_reports&.each_with_object([]) do |(type, report), occurrences|
+      reports = pipeline_reports
+
+      return [] if reports.nil?
+
+      occurrences = reports.each_with_object([]) do |(type, report), occurrences|
        next unless requested_type?(type)

        raise ParseError, 'JSON parsing failed' if report.error.is_a?(Gitlab::Ci::Parsers::Security::Common::SecurityReportParserError)
@@ -34,6 +38,8 @@ module Security

        occurrences.concat(filtered_occurrences)
      end
+
+      occurrences.sort_by { |x| [x.severity, x.confidence] }
    end

    private

--- a/ee/app/models/vulnerabilities/occurrence.rb
+++ b/ee/app/models/vulnerabilities/occurrence.rb
@@ -77,7 +77,7 @@ module Vulnerabilities
    validates :raw_metadata, presence: true

    scope :report_type, -> (type) { where(report_type: report_types[type]) }
-    scope :ordered, -> { order("severity desc", :id) }
+    scope :ordered, -> { order(severity: :desc, confidence: :desc, id: :asc) }

    scope :by_report_types, -> (values) { where(report_type: values) }
    scope :by_projects, -> (values) { where(project_id: values) }

--- a/ee/spec/finders/security/pipeline_vulnerabilities_finder_spec.rb
+++ b/ee/spec/finders/security/pipeline_vulnerabilities_finder_spec.rb
@@ -52,6 +52,20 @@ describe Security::PipelineVulnerabilitiesFinder do

    subject { described_class.new(pipeline: pipeline, params: params).execute }

+    context 'by order' do
+      let(:params) { { report_type: %w[sast] } }
+      let!(:occurrence1) { build(:vulnerabilities_occurrence, confidence: Vulnerabilities::Occurrence::CONFIDENCE_LEVELS[:high],   severity: Vulnerabilities::Occurrence::SEVERITY_LEVELS[:high]) }
+      let!(:occurrence2) { build(:vulnerabilities_occurrence, confidence: Vulnerabilities::Occurrence::CONFIDENCE_LEVELS[:medium], severity: Vulnerabilities::Occurrence::SEVERITY_LEVELS[:critical]) }
+      let!(:occurrence3) { build(:vulnerabilities_occurrence, confidence: Vulnerabilities::Occurrence::CONFIDENCE_LEVELS[:high],   severity: Vulnerabilities::Occurrence::SEVERITY_LEVELS[:critical]) }
+      let!(:res) { [occurrence3, occurrence2, occurrence1] }
+
+      it 'orders by severity and confidence' do
+        allow_any_instance_of(described_class).to receive(:filter).and_return(res)
+
+        expect(subject).to eq([occurrence3, occurrence2, occurrence1])
+      end
+    end
+
    context 'by report type' do
      context 'when sast' do
        let(:params) { { report_type: %w[sast] } }

--- a/ee/spec/models/vulnerabilities/occurrence_spec.rb
+++ b/ee/spec/models/vulnerabilities/occurrence_spec.rb
@@ -61,6 +61,16 @@ describe Vulnerabilities::Occurrence do
    end
  end

+  context 'order' do
+    let!(:occurrence1) { create(:vulnerabilities_occurrence, confidence: described_class::CONFIDENCE_LEVELS[:high], severity:   described_class::SEVERITY_LEVELS[:high]) }
+    let!(:occurrence2) { create(:vulnerabilities_occurrence, confidence: described_class::CONFIDENCE_LEVELS[:medium], severity: described_class::SEVERITY_LEVELS[:critical]) }
+    let!(:occurrence3) { create(:vulnerabilities_occurrence, confidence: described_class::CONFIDENCE_LEVELS[:high], severity:   described_class::SEVERITY_LEVELS[:critical]) }
+
+    it 'orders by severity and confidence' do
+      expect(described_class.all.ordered).to eq([occurrence3, occurrence2, occurrence1])
+    end
+  end
+
  describe '.report_type' do
    let(:report_type) { :sast }


--- a/ee/spec/support/shared_examples/requests/api/vulnerabilities_shared_examples.rb
+++ b/ee/spec/support/shared_examples/requests/api/vulnerabilities_shared_examples.rb
@@ -125,7 +125,7 @@ shared_examples 'getting list of vulnerability findings' do

        # occurrences are implicitly sorted by Security::MergeReportsService,
        # occurrences order differs from what is present in fixture file
-        expect(json_response.first['name']).to eq 'ECB mode is insecure'
+        expect(json_response.first['name']).to eq 'Consider possible security implications associated with Popen module.'
      end

      it 'returns vulnerabilities with dependency_scanning report_type' do