Commit bbef7363 authored by Aleksandr Soborov's avatar Aleksandr Soborov Committed by Sanad Liaquat

Added a Secure E2E test for auto-remediation

Updated selectors where necessary.

Updated the fixture and the tests whose expected results changed because of it.
parent 673ab5b2
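--- a/ee/app/assets/javascripts/vue_shared/security_reports/components/modal_footer.vue
+++ b/ee/app/assets/javascripts/vue_shared/security_reports/components/modal_footer.vue
@@ -102,6 +102,7 @@ export default {
 v-if="actionButtons.length > 1"
 :buttons="actionButtons"
 class="js-split-button"
+data-qa-selector="resolve_split_button"
 @createMergeRequest="$emit('createMergeRequest')"
 @createNewIssue="$emit('createNewIssue')"
 @downloadPatch="$emit('downloadPatch')"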
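Review bot: The new `data-qa-selector="resolve_split_button"` sits on a component that is rendered only while `actionButtons.length > 1` (the `v-if` three lines above), so the selector is absent whenever a single action is offered and a page object that clicks it will time out instead of falling back. Worth recording next to the attribute: `<!-- QA hook: only rendered when more than one action is available (see v-if) -->`. The single-action branch of this footer is outside the hunk, so whether it carries its own selector cannot be seen here.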
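--- a/FIXTURE_PATH_NOT_SHOWN.json
+++ b/FIXTURE_PATH_NOT_SHOWN.json
@@ -72,9 +72,107 @@
 "url": "https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b"
 }
 ]
+},
+{
+"category": "dependency_scanning",
+"name": "Regular Expression Denial of Service",
+"message": "Regular Expression Denial of Service in debug",
+"description": "The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the `o` formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue.",
+"cve": "yarn.lock:debug:gemnasium:37283ed4-0380-40d7-ada7-2d994afcc62a",
+"severity": "Unknown",
+"solution": "Upgrade to latest versions.",
+"scanner": {
+"id": "gemnasium",
+"name": "Gemnasium"
+},
+"location": {
+"file": "yarn.lock",
+"dependency": {
+"package": {
+"name": "debug"
+},
+"version": "1.0.5"
+}
+},
+"identifiers": [
+{
+"type": "gemnasium",
+"name": "Gemnasium-37283ed4-0380-40d7-ada7-2d994afcc62a",
+"value": "37283ed4-0380-40d7-ada7-2d994afcc62a",
+"url": "https://deps.sec.gitlab.com/packages/npm/debug/versions/1.0.5/advisories"
+}
+],
+"links": [
+{
+"url": "https://github.com/visionmedia/debug/issues/501"
+},
+{
+"url": "https://github.com/visionmedia/debug/pull/504"
+},
+{
+"url": "https://nodesecurity.io/advisories/534"
+}
+]
+},
+{
+"category": "dependency_scanning",
+"name": "Authentication bypass via incorrect DOM traversal and canonicalization",
+"message": "Authentication bypass via incorrect DOM traversal and canonicalization in saml2-js",
+"description": "Some XML DOM traversal and canonicalization APIs may be inconsistent in handling of comments within XML nodes. Incorrect use of these APIs by some SAML libraries results in incorrect parsing of the inner text of XML nodes such that any inner text after the comment is lost prior to cryptographically signing the SAML message. Text after the comment therefore has no impact on the signature on the SAML message.\r\n\r\nA remote attacker can modify SAML content for a SAML service provider without invalidating the cryptographic signature, which may allow attackers to bypass primary authentication for the affected SAML service provider.",
+"cve": "yarn.lock:saml2-js:gemnasium:9952e574-7b5b-46fa-a270-aeb694198a98",
+"severity": "Unknown",
+"solution": "Upgrade to fixed version.\r\n",
+"scanner": {
+"id": "gemnasium",
+"name": "Gemnasium"
+},
+"location": {
+"file": "yarn.lock",
+"dependency": {
+"package": {
+"name": "saml2-js"
+},
+"version": "1.8.1"
+}
+},
+"identifiers": [
+{
+"type": "gemnasium",
+"name": "Gemnasium-9952e574-7b5b-46fa-a270-aeb694198a98",
+"value": "9952e574-7b5b-46fa-a270-aeb694198a98",
+"url": "https://deps.sec.gitlab.com/packages/npm/saml2-js/versions/1.8.1/advisories"
+},
+{
+"type": "cve",
+"name": "CVE-2017-11429",
+"value": "CVE-2017-11429",
+"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11429"
+}
+],
+"links": [
+{
+"url": "https://github.com/Clever/saml2/commit/3546cb61fd541f219abda364c5b919633609ef3d#diff-af730f9f738de1c9ad87596df3f6de84R279"
+},
+{
+"url": "https://github.com/Clever/saml2/issues/127"
+},
+{
+"url": "https://www.kb.cert.org/vuls/id/475445"
+}
+]
+}
+],
+"remediations": [
+{
+"fixes": [
+{
+"cve": "yarn.lock:saml2-js:gemnasium:9952e574-7b5b-46fa-a270-aeb694198a98"
+}
+],
+"summary": "Upgrade saml2-js",
+"diff": ""
 }
 ],
-"remediations": [],
 "dependency_files": [
 {
 "path": "yarn.lock",
@@ -1298,6 +1396,12 @@
 },
 "version": "1.0.0"
 },
+{
+"package": {
+"name": "async"
+},
+"version": "0.2.10"
+},
 {
 "package": {
 "name": "async"
@@ -2318,6 +2422,12 @@
 },
 "version": "0.1.4"
 },
+{
+"package": {
+"name": "debug"
+},
+"version": "1.0.5"
+},
 {
 "package": {
 "name": "debug"
@@ -2612,6 +2722,12 @@
 },
 "version": "1.1.1"
 },
+{
+"package": {
+"name": "ejs"
+},
+"version": "0.8.8"
+},
 {
 "package": {
 "name": "electron-to-chromium"
@@ -4898,6 +5014,12 @@
 },
 "version": "2.3.2"
 },
+{
+"package": {
+"name": "node-forge"
+},
+"version": "0.2.24"
+},
 {
 "package": {
 "name": "node-forge"
@@ -6506,6 +6628,12 @@
 },
 "version": "2.1.2"
 },
+{
+"package": {
+"name": "saml2-js"
+},
+"version": "1.8.1"
+},
 {
 "package": {
 "name": "sane"
@@ -7244,6 +7372,18 @@
 },
 "version": "3.5.6"
 },
+{
+"package": {
+"name": "underscore"
+},
+"version": "1.6.0"
+},
+{
+"package": {
+"name": "underscore"
+},
+"version": "1.9.1"
+},
 {
 "package": {
 "name": "unicode-canonical-property-names-ecmascript"
@@ -7778,18 +7918,72 @@
 },
 "version": "0.1.0"
 },
+{
+"package": {
+"name": "xml-crypto"
+},
+"version": "0.8.5"
+},
+{
+"package": {
+"name": "xml-encryption"
+},
+"version": "0.7.4"
+},
 {
 "package": {
 "name": "xml-name-validator"
 },
 "version": "3.0.0"
 },
+{
+"package": {
+"name": "xml2js"
+},
+"version": "0.4.19"
+},
+{
+"package": {
+"name": "xmlbuilder"
+},
+"version": "2.1.0"
+},
+{
+"package": {
+"name": "xmlbuilder"
+},
+"version": "9.0.7"
+},
 {
 "package": {
 "name": "xmlchars"
 },
 "version": "1.3.1"
 },
+{
+"package": {
+"name": "xmldom"
+},
+"version": "0.1.19"
+},
+{
+"package": {
+"name": "xmldom"
+},
+"version": "0.1.27"
+},
+{
+"package": {
+"name": "xpath"
+},
+"version": "0.0.5"
+},
+{
+"package": {
+"name": "xpath.js"
+},
+"version": "1.1.0"
+},
 {
 "package": {
 "name": "xregexp"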
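Review bot: The new `remediations` entry in the first hunk carries `"diff": ""`, so a merge request generated from this fixture's saml2-js remediation would apply no change to `yarn.lock`, and any end-to-end check that looks only at the resulting MR's title cannot distinguish an applied patch from an empty one. If the report contract requires a non-empty encoded patch here, the fixture should carry one; if an empty patch is intentional for the test, JSON has no comment syntax, so the intent belongs in the spec that consumes it. The `"remediations": []` key that used to sit after the vulnerabilities array is removed in the same hunk and the populated array now appears immediately before it, so the key is present exactly once, which reads as correct.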
...@@ -41,6 +41,14 @@ module QA ...@@ -41,6 +41,14 @@ module QA
element :vulnerability_report_grouped element :vulnerability_report_grouped
end end
view 'app/assets/javascripts/reports/components/report_section.vue' do
element :expand_report_button
end
view 'ee/app/assets/javascripts/vue_shared/security_reports/components/modal_footer.vue' do
element :resolve_split_button
end
def start_review def start_review
click_element :start_review click_element :start_review
end end
...@@ -78,6 +86,22 @@ module QA ...@@ -78,6 +86,22 @@ module QA
end end
end end
def expand_vulnerability_report
click_element :expand_report_button
end
def click_vulnerability(name)
within_element :vulnerability_report_grouped do
click_on name
end
end
def resolve_vulnerability_with_mr(name)
expand_vulnerability_report
click_vulnerability(name)
click_element :resolve_split_button
end
def has_vulnerability_report?(timeout: 60) def has_vulnerability_report?(timeout: 60)
wait(reload: true, max: timeout, interval: 1) do wait(reload: true, max: timeout, interval: 1) do
finished_loading? finished_loading?
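Review bot: `click_vulnerability` relies on `click_on name`, which matches link or button text by substring unless `exact: true` is given; the fixture in this commit holds both a `name` of "Authentication bypass via incorrect DOM traversal and canonicalization" and a `message` that is the same text with " in saml2-js" appended, so if the widget renders both strings a caller passing the shorter one gets an ambiguous or wrong match. Suggest `click_on name, exact: true` inside the `within_element` block. `resolve_vulnerability_with_mr` also deserves a one-line comment stating that it expands the report, opens the named finding and clicks the split button's default action, since the name alone does not say that the caller ends up on a new page (the navigation is inferred from the spec in this commit, not from this hunk). Nothing here waits for the modal that hosts `:resolve_split_button` to appear after the row click; if `click_element` does not already poll for its target, a `has_element?` guard is needed between the two clicks. The enclosing class starts before the first hunk.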
...@@ -51,7 +51,17 @@ module QA ...@@ -51,7 +51,17 @@ module QA
it 'displays the Security report in the merge request' do it 'displays the Security report in the merge request' do
Page::MergeRequest::Show.perform do |mergerequest| Page::MergeRequest::Show.perform do |mergerequest|
expect(mergerequest).to have_vulnerability_report(timeout: 60) expect(mergerequest).to have_vulnerability_report(timeout: 60)
expect(mergerequest).to have_detected_vulnerability_count_of "2" expect(mergerequest).to have_detected_vulnerability_count_of "4"
end
end
it 'can create an auto-remediation MR' do
Page::MergeRequest::Show.perform do |mergerequest|
vuln_name = "Authentication bypass via incorrect DOM traversal and canonicalization in saml2-js"
expect(mergerequest).to have_vulnerability_report(timeout: 60)
mergerequest.resolve_vulnerability_with_mr vuln_name
expect(mergerequest).to have_title vuln_name
end end
end end
end end
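Review bot: The new example asserts only `have_title vuln_name` after `resolve_vulnerability_with_mr`, so it passes whenever a merge request with the expected title is reached, even if the remediation patch was never applied; the fixture's saml2-js remediation in this commit has an empty diff, so today the assertion cannot tell the two apart. If the page object exposes the Changes tab, an additional expectation that `yarn.lock` appears among the changed files would make the test prove the remediation rather than the navigation. `vuln_name` repeats the fixture's `message` string verbatim and `"4"` repeats the fixture's finding count, and the same `"2"` to `"4"` literal edit appears in the pipeline spec's `have_content("Dependency scanning detected 4")` hunk; the sibling spec introduces `NUMBER_OF_DEPENDENCIES_IN_FIXTURE` for exactly this reason, so a `NUMBER_OF_VULNERABILITIES_IN_FIXTURE = 4` constant used in both places would keep the values that break on the next fixture edit together. The enclosing `context` starts before this hunk.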
# frozen_string_literal: true # frozen_string_literal: true
require 'pathname' require 'pathname'
NUMBER_OF_DEPENDENCIES_IN_FIXTURE = 1309
module QA module QA
context 'Secure', :docker do context 'Secure', :docker do
...@@ -57,7 +58,7 @@ module QA ...@@ -57,7 +58,7 @@ module QA
Page::Project::Pipeline::Show.perform do |pipeline| Page::Project::Pipeline::Show.perform do |pipeline|
pipeline.click_on_security pipeline.click_on_security
expect(pipeline).to have_dependency_report expect(pipeline).to have_dependency_report
expect(pipeline).to have_content("Dependency scanning detected 2") expect(pipeline).to have_content("Dependency scanning detected 4")
pipeline.expand_dependency_report pipeline.expand_dependency_report
expect(pipeline).to have_content("jQuery before 3.4.0") expect(pipeline).to have_content("jQuery before 3.4.0")
end end
...@@ -87,7 +88,7 @@ module QA ...@@ -87,7 +88,7 @@ module QA
Page::Project::Menu.perform(&:click_on_dependency_list) Page::Project::Menu.perform(&:click_on_dependency_list)
EE::Page::Project::Secure::DependencyList.perform do |page| EE::Page::Project::Secure::DependencyList.perform do |page|
expect(page).to have_dependency_count_of "1293" expect(page).to have_dependency_count_of NUMBER_OF_DEPENDENCIES_IN_FIXTURE
end end
end end
end end
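Review bot: `NUMBER_OF_DEPENDENCIES_IN_FIXTURE = 1309` is defined at file top level, before `module QA`, so it becomes a constant on `Object` that is shared by every spec file loaded into the same process; a second file choosing the same name would either emit an "already initialized constant" warning or silently pick up this value. Moving it under the module, `module QA` / `NUMBER_OF_DEPENDENCIES_IN_FIXTURE = 1309` / `context 'Secure', :docker do`, keeps it namespaced while leaving the call site in the last hunk unchanged. The matcher now receives an Integer where it previously received the String `"1293"`; if `has_dependency_count_of?` compares against page text directly rather than through a Capybara text query that stringifies its argument, the type change matters, and that page object is outside this diff.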