Merge branch '34564-get-issue-links-of-a-vulnerability' into 'master'

API endpoint to get related Issues of a Vulnerability

See merge request gitlab-org/gitlab!19877

ee/app/models/vulnerability.rb

@@ -24,7 +24,12 @@ class Vulnerability < ApplicationRecord
 
   has_many :findings, class_name: 'Vulnerabilities::Occurrence', inverse_of: :vulnerability
   has_many :issue_links, class_name: 'Vulnerabilities::IssueLink', inverse_of: :vulnerability
-  has_many :related_issues, through: :issue_links, source: :issue
+  has_many :related_issues, through: :issue_links, source: :issue do
+    def with_vulnerability_links
+      select('issues.*, vulnerability_issue_links.id AS vulnerability_link_id, '\
+             'vulnerability_issue_links.link_type AS vulnerability_link_type')
+    end
+  end
 
   enum state: { opened: 1, closed: 2, resolved: 3 }
   enum severity: Vulnerabilities::Occurrence::SEVERITY_LEVELS, _prefix: :severity

ee/lib/api/helpers/vulnerabilities_helpers.rb

+# frozen_string_literal: true
+
+module API
+  module Helpers
+    module VulnerabilitiesHelpers
+      def find_and_authorize_vulnerability!(action)
+        find_vulnerability!.tap do |vulnerability|
+          authorize! action, vulnerability.project
+        end
+      end
+    end
+  end
+end

ee/lib/api/helpers/vulnerabilities_hooks.rb

+# frozen_string_literal: true
+
+module API
+  module Helpers
+    module VulnerabilitiesHooks
+      extend ActiveSupport::Concern
+
+      included do
+        before do
+          not_found! unless Feature.enabled?(:first_class_vulnerabilities)
+
+          authenticate!
+        end
+      end
+    end
+  end
+end

ee/lib/api/vulnerabilities.rb

@@ -2,8 +2,11 @@
 
 module API
   class Vulnerabilities < Grape::API
+    include ::API::Helpers::VulnerabilitiesHooks
     include PaginationParams
 
+    helpers ::API::Helpers::VulnerabilitiesHelpers
+
     helpers do
       def vulnerabilities_by(project)
         Security::VulnerabilitiesFinder.new(project).execute
@@ -17,12 +20,6 @@ module API
         authorize! action, vulnerability.project
       end
 
-      def find_and_authorize_vulnerability!(action)
-        find_vulnerability!.tap do |vulnerability|
-          authorize_vulnerability!(vulnerability, action)
-        end
-      end
-
       def render_vulnerability(vulnerability)
         if vulnerability.valid?
           present vulnerability, with: EE::API::Entities::Vulnerability
@@ -32,12 +29,6 @@ module API
       end
     end
 
-    before do
-      not_found! unless Feature.enabled?(:first_class_vulnerabilities)
-
-      authenticate!
-    end
-
     params do
       requires :id, type: String, desc: 'The ID of a vulnerability'
     end

ee/lib/api/vulnerability_issue_links.rb

+# frozen_string_literal: true
+
+module API
+  class VulnerabilityIssueLinks < Grape::API
+    include ::API::Helpers::VulnerabilitiesHooks
+
+    helpers ::API::Helpers::VulnerabilitiesHelpers
+
+    helpers do
+      def find_vulnerability!
+        Vulnerability.find(params[:id])
+      end
+    end
+
+    params do
+      requires :id, type: Integer, desc: 'The ID of a vulnerability'
+    end
+    resource :vulnerabilities do
+      desc 'Get related issues for a vulnerability' do
+        success EE::API::Entities::VulnerabilityRelatedIssue
+      end
+      get ':id/issue_links' do
+        vulnerability = find_and_authorize_vulnerability!(:read_vulnerability)
+
+        present vulnerability
+                  .related_issues
+                  .with_api_entity_associations
+                  .with_vulnerability_links,
+                with: EE::API::Entities::VulnerabilityRelatedIssue
+      end
+    end
+  end
+end

ee/lib/ee/api/api.rb

@@ -41,6 +41,7 @@ module EE
         mount ::API::ProjectApprovals
         mount ::API::Vulnerabilities
         mount ::API::VulnerabilityFindings
+        mount ::API::VulnerabilityIssueLinks
         mount ::API::MergeRequestApprovals
         mount ::API::MergeRequestApprovalRules
         mount ::API::ProjectAliases

ee/lib/ee/api/entities.rb

@@ -938,6 +938,14 @@ module EE
         expose :resolved_at
         expose :closed_at
       end
+
+      class VulnerabilityRelatedIssue < ::API::Entities::IssueBasic
+        # vulnerability_link_* attributes come from joined Vulnerabilities::IssueLink record
+        expose :vulnerability_link_id
+        expose :vulnerability_link_type do |related_issue|
+          ::Vulnerabilities::IssueLink.link_types.key(related_issue.vulnerability_link_type)
+        end
+      end
     end
   end
 end

ee/spec/factories/vulnerabilities.rb

@@ -34,5 +34,13 @@ FactoryBot.define do
           project: vulnerability.project)
       end
     end
+
+    trait :with_issue_links do
+      after(:create) do |vulnerability|
+        create_list(:issue, 2).each do |issue|
+          create(:vulnerabilities_issue_link, vulnerability: vulnerability, issue: issue)
+        end
+      end
+    end
   end
 end

ee/spec/fixtures/api/schemas/public_api/v4/vulnerability_related_issue.json

+{
+  "type": "object",
+  "allOf": [
+    { "$ref": "../../../../../../../spec/fixtures/api/schemas/public_api/v4/issue.json" },
+    {
+      "required": ["vulnerability_link_id", "vulnerability_link_type"],
+      "properties": {
+        "vulnerability_link_id": { "type": "integer" },
+        "vulnerability_link_type": {
+          "type": "string",
+          "enum": ["created", "related"]
+        }
+      }
+    }
+  ]
+}

ee/spec/fixtures/api/schemas/public_api/v4/vulnerability_related_issues.json

+{
+  "type": "array",
+  "items": { "$ref": "vulnerability_related_issue.json" }
+}

ee/spec/requests/api/vulnerabilities_spec.rb

@@ -12,42 +12,6 @@ describe API::Vulnerabilities do
   let_it_be(:user) { create(:user) }
   let(:project_vulnerabilities_path) { "/projects/#{project.id}/vulnerabilities" }
 
-  shared_examples 'forbids actions on vulnerability in case of disabled features' do
-    context 'when "first-class vulnerabilities" feature is disabled' do
-      before do
-        stub_feature_flags(first_class_vulnerabilities: false)
-      end
-
-      it 'responds with "not found"' do
-        subject
-
-        expect(response).to have_gitlab_http_status(404)
-      end
-    end
-
-    context 'when security dashboard feature is not available' do
-      before do
-        stub_licensed_features(security_dashboard: false)
-      end
-
-      it 'responds with 403 Forbidden' do
-        subject
-
-        expect(response).to have_gitlab_http_status(403)
-      end
-    end
-  end
-
-  shared_examples 'responds with "not found" for an unknown vulnerability ID' do
-    let(:vulnerability_id) { 0 }
-
-    it do
-      subject
-
-      expect(response).to have_gitlab_http_status(404)
-    end
-  end
-
   describe 'GET /projects/:id/vulnerabilities' do
     let_it_be(:project) { create(:project, :with_vulnerabilities) }
 

ee/spec/requests/api/vulnerability_issue_links_spec.rb

+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe API::VulnerabilityIssueLinks do
+  include AccessMatchersForRequest
+
+  before do
+    stub_licensed_features(security_dashboard: true)
+  end
+
+  let_it_be(:project) { create(:project) }
+  let_it_be(:user) { create(:user) }
+
+  describe 'GET /vulnerabilities/:id/issue_links' do
+    let_it_be(:vulnerability) { create(:vulnerability, :with_issue_links, project: project) }
+    let_it_be(:vulnerability_id) { vulnerability.id }
+    let(:vulnerability_issue_links_path) { "/vulnerabilities/#{vulnerability_id}/issue_links" }
+
+    subject(:get_issue_links) { get api(vulnerability_issue_links_path, user) }
+
+    context 'with an authorized user with proper permissions' do
+      before do
+        project.add_developer(user)
+      end
+
+      it 'gets the list of vulnerabilities' do
+        get_issue_links
+
+        expect(response).to have_gitlab_http_status(200)
+        expect(response).to match_response_schema('public_api/v4/vulnerability_related_issues', dir: 'ee')
+        expect(json_response.map { |link| link['id'] }).to match_array(vulnerability.related_issues.map(&:id))
+        expect(json_response.map { |link| link['vulnerability_link_id'] }).to(
+          match_array(vulnerability.issue_links.map(&:id)))
+        expect(json_response.map { |link| link['vulnerability_link_type'] }).to all eq 'related'
+      end
+
+      it_behaves_like 'responds with "not found" for an unknown vulnerability ID'
+
+      it_behaves_like 'forbids actions on vulnerability in case of disabled features'
+    end
+
+    describe 'permissions' do
+      it { expect { get_issue_links }.to be_allowed_for(:admin) }
+      it { expect { get_issue_links }.to be_allowed_for(:owner).of(project) }
+      it { expect { get_issue_links }.to be_allowed_for(:maintainer).of(project) }
+      it { expect { get_issue_links }.to be_allowed_for(:developer).of(project) }
+      it { expect { get_issue_links }.to be_allowed_for(:auditor) }
+
+      it { expect { get_issue_links }.to be_denied_for(:reporter).of(project) }
+      it { expect { get_issue_links }.to be_denied_for(:guest).of(project) }
+      it { expect { get_issue_links }.to be_denied_for(:anonymous) }
+    end
+  end
+end

ee/spec/support/shared_examples/requests/api/vulnerabilities_shared_examples.rb

+# frozen_string_literal: true
+
+shared_examples 'forbids actions on vulnerability in case of disabled features' do
+  context 'when "first-class vulnerabilities" feature is disabled' do
+    before do
+      stub_feature_flags(first_class_vulnerabilities: false)
+    end
+
+    it 'responds with "not found"' do
+      subject
+
+      expect(response).to have_gitlab_http_status(404)
+    end
+  end
+
+  context 'when security dashboard feature is not available' do
+    before do
+      stub_licensed_features(security_dashboard: false)
+    end
+
+    it 'responds with 403 Forbidden' do
+      subject
+
+      expect(response).to have_gitlab_http_status(403)
+    end
+  end
+end
+
+shared_examples 'responds with "not found" for an unknown vulnerability ID' do
+  let(:vulnerability_id) { 0 }
+
+  it do
+    subject
+
+    expect(response).to have_gitlab_http_status(404)
+  end
+end