Merge branch '8654-add_package_name_to_dependency_scanning_report' into 'master'

Add package name to dependency scanning reports See merge request gitlab-org/gitlab-ee!8694

Merge branch '8654-add_package_name_to_dependency_scanning_report' into 'master'
Add package name to dependency scanning reports See merge request gitlab-org/gitlab-ee!8694
e7d5727b · Kamil Trzciński · a9a7547b · 1672ec35 · e7d5727b · e7d5727b
Commit e7d5727b authored Dec 07, 2018 by Kamil Trzciński
8 changed files
--- a/ee/lib/gitlab/ci/parsers/security.rb
+++ b/ee/lib/gitlab/ci/parsers/security.rb
@@ -7,8 +7,8 @@ module Gitlab
        ParserNotFoundError = Class.new(StandardError)
        PARSERS = {
-          sast: ::Gitlab::Ci::Parsers::Security::Common,
+          sast: ::Gitlab::Ci::Parsers::Security::Sast,
-          dependency_scanning: ::Gitlab::Ci::Parsers::Security::Common
+          dependency_scanning: ::Gitlab::Ci::Parsers::Security::DependencyScanning
        }.freeze
        def self.fabricate!(file_type)

--- a/ee/lib/gitlab/ci/parsers/security/common.rb
+++ b/ee/lib/gitlab/ci/parsers/security/common.rb
@@ -7,8 +7,6 @@ module Gitlab
        class Common
          SecurityReportParserError = Class.new(StandardError)
-          METADATA_VERSION = '1.2'
          def parse!(json_data, report)
            vulnerabilities = JSON.parse!(json_data)
@@ -41,7 +39,7 @@ module Gitlab
              raw_metadata: data.to_json,
              # Version is hardcoded here untill provided in the report.
              # See https://gitlab.com/gitlab-org/gitlab-ee/issues/8025
-              metadata_version: METADATA_VERSION
+              metadata_version: metadata_version(data)
            )
          end
@@ -80,10 +78,6 @@ module Gitlab
            input.blank? ? 'undefined' : input.downcase
          end
-          def generate_location_fingerprint(location)
-            Digest::SHA1.hexdigest("#{location['file']}:#{location['start_line']}:#{location['end_line']}")
-          end
          def generate_project_fingerprint(compare_key)
            Digest::SHA1.hexdigest(compare_key)
          end

--- a/ee/lib/gitlab/ci/parsers/security/dependency_scanning.rb
+++ b/ee/lib/gitlab/ci/parsers/security/dependency_scanning.rb
+# frozen_string_literal: true
+module Gitlab
+  module Ci
+    module Parsers
+      module Security
+        class DependencyScanning < Common
+          private
+          def metadata_version(vulnerability)
+            '1.3'
+          end
+          def generate_location_fingerprint(location)
+            Digest::SHA1.hexdigest("#{location['file']}:#{location['dependency']['package']['name']}")
+          end
+        end
+      end
+    end
+  end
+end
--- a/ee/lib/gitlab/ci/parsers/security/sast.rb
+++ b/ee/lib/gitlab/ci/parsers/security/sast.rb
+# frozen_string_literal: true
+module Gitlab
+  module Ci
+    module Parsers
+      module Security
+        class Sast < Common
+          private
+          def metadata_version(vulnerability)
+            '1.2'
+          end
+          def generate_location_fingerprint(location)
+            Digest::SHA1.hexdigest("#{location['file']}:#{location['start_line']}:#{location['end_line']}")
+          end
+        end
+      end
+    end
+  end
+end
--- a/ee/spec/lib/gitlab/ci/parsers/security/common_spec.rb
+++ b/ee/spec/lib/gitlab/ci/parsers/security/common_spec.rb
@@ -2,10 +2,11 @@
 require 'spec_helper'
-describe Gitlab::Ci::Parsers::Security::Common do
+describe Gitlab::Ci::Parsers::Security::DependencyScanning do
  describe '#parse!' do
    let(:project) { artifact.project }
    let(:pipeline) { artifact.job.pipeline }
+    let(:artifact) { create(:ee_ci_job_artifact, :dependency_scanning) }
    let(:report) { Gitlab::Ci::Reports::Security::Report.new(artifact.file_type) }
    let(:parser) { described_class.new }
@@ -15,24 +16,18 @@ describe Gitlab::Ci::Parsers::Security::Common do
      end
    end
-    context 'sast report' do
+    it "parses all identifiers and occurrences" do
-      let(:artifact) { create(:ee_ci_job_artifact, :sast) }
+      expect(report.occurrences.length).to eq(4)
+      expect(report.identifiers.length).to eq(7)
-      it "parses all identifiers and occurrences" do
+      expect(report.scanners.length).to eq(2)
-        expect(report.occurrences.length).to eq(3)
-        expect(report.identifiers.length).to eq(4)
-        expect(report.scanners.length).to eq(3)
-      end
    end
-    context 'dependency_scanning report' do
+    it "generates expected location fingerprint" do
-      let(:artifact) { create(:ee_ci_job_artifact, :dependency_scanning) }
+      expect(report.occurrences.first[:location_fingerprint]).to eq('2773f8cc955346ab1f756b94aa310db8e17c0944')
+    end
-      it "parses all identifiers and occurrences" do
+    it "generates expected metadata_version" do
-        expect(report.occurrences.length).to eq(4)
+      expect(report.occurrences.first[:metadata_version]).to eq('1.3')
-        expect(report.identifiers.length).to eq(7)
-        expect(report.scanners.length).to eq(2)
-      end
    end
  end
 end
--- a/ee/spec/lib/gitlab/ci/parsers/security/sast_spec.rb
+++ b/ee/spec/lib/gitlab/ci/parsers/security/sast_spec.rb
+# frozen_string_literal: true
+require 'spec_helper'
+describe Gitlab::Ci::Parsers::Security::Sast do
+  describe '#parse!' do
+    let(:project) { artifact.project }
+    let(:pipeline) { artifact.job.pipeline }
+    let(:artifact) { create(:ee_ci_job_artifact, :sast) }
+    let(:report) { Gitlab::Ci::Reports::Security::Report.new(artifact.file_type) }
+    let(:parser) { described_class.new }
+    before do
+      artifact.each_blob do |blob|
+        parser.parse!(blob, report)
+      end
+    end
+    it "parses all identifiers and occurrences" do
+      expect(report.occurrences.length).to eq(3)
+      expect(report.identifiers.length).to eq(4)
+      expect(report.scanners.length).to eq(3)
+    end
+    it "generates expected location fingerprint" do
+      expect(report.occurrences.first[:location_fingerprint]).to eq('6b6bb283d43cc510d7d1e73e2882b3652cb34bd5')
+    end
+    it "generates expected metadata_version" do
+      expect(report.occurrences.first[:metadata_version]).to eq('1.2')
+    end
+  end
+end
--- a/spec/fixtures/security-reports/feature-branch/gl-dependency-scanning-report.json
+++ b/spec/fixtures/security-reports/feature-branch/gl-dependency-scanning-report.json
@@ -11,7 +11,13 @@
      "name": "Gemnasium"
    },
    "location": {
-      "file": "app/pom.xml"
+      "file": "app/pom.xml",
+      "dependency": {
+        "package": {
+          "name": "io.netty/netty"
+        },
+        "version": "3.9.1.Final"
+      }
    },
    "identifiers": [
      {
@@ -55,7 +61,13 @@
      "name": "Gemnasium"
    },
    "location": {
-      "file": "app/requirements.txt"
+      "file": "app/requirements.txt",
+      "dependency": {
+        "package": {
+          "name": "Django"
+        },
+        "version": "1.11.3"
+      }
    },
    "identifiers": [
      {
@@ -93,7 +105,13 @@
      "name": "Gemnasium"
    },
    "location": {
-      "file": "rails/Gemfile.lock"
+      "file": "rails/Gemfile.lock",
+      "dependency": {
+        "package": {
+          "name": "nokogiri"
+        },
+        "version": "1.8.0"
+      }
    },
    "identifiers": [
      {
@@ -131,7 +149,13 @@
      "name": "bundler-audit"
    },
    "location": {
-      "file": "sast-sample-rails/Gemfile.lock"
+      "file": "sast-sample-rails/Gemfile.lock",
+      "dependency": {
+        "package": {
+          "name": "ffi"
+        },
+        "version": "1.9.18"
+      }
    },
    "identifiers": [
      {

--- a/spec/fixtures/security-reports/master/gl-dependency-scanning-report.json
+++ b/spec/fixtures/security-reports/master/gl-dependency-scanning-report.json
@@ -11,7 +11,13 @@
      "name": "Gemnasium"
    },
    "location": {
-      "file": "app/pom.xml"
+      "file": "app/pom.xml",
+      "dependency": {
+        "package": {
+          "name": "io.netty/netty"
+        },
+        "version": "3.9.1.Final"
+      }
    },
    "identifiers": [
      {
@@ -55,7 +61,13 @@
      "name": "Gemnasium"
    },
    "location": {
-      "file": "app/requirements.txt"
+      "file": "app/requirements.txt",
+      "dependency": {
+        "package": {
+          "name": "Django"
+        },
+        "version": "1.11.3"
+      }
    },
    "identifiers": [
      {
@@ -93,7 +105,13 @@
      "name": "Gemnasium"
    },
    "location": {
-      "file": "rails/Gemfile.lock"
+      "file": "rails/Gemfile.lock",
+      "dependency": {
+        "package": {
+          "name": "nokogiri"
+        },
+        "version": "1.8.0"
+      }
    },
    "identifiers": [
      {
@@ -131,7 +149,13 @@
      "name": "bundler-audit"
    },
    "location": {
-      "file": "sast-sample-rails/Gemfile.lock"
+      "file": "sast-sample-rails/Gemfile.lock",
+      "dependency": {
+        "package": {
+          "name": "ffi"
+        },
+        "version": "1.9.18"
+      }
    },
    "identifiers": [
      {