Merge branch 'hm-security-training-spec' into 'master'

Add security training spec

See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/120824



Merged-by: Ramya Authappan <rauthappan@gitlab.com>
Approved-by: John McDonnell <jmcdonnell@gitlab.com>
Approved-by: Ramya Authappan <rauthappan@gitlab.com>
Approved-by: Miguel Rincon <mrincon@gitlab.com>
Reviewed-by: Miguel Rincon <mrincon@gitlab.com>
Reviewed-by: John McDonnell <jmcdonnell@gitlab.com>
Co-authored-by: hmuralidhar <hmuralidhar@gitlab.com>

app/assets/javascripts/security_configuration/components/training_provider_list.vue

@@ -247,6 +247,8 @@ export default {
               :label="__('Training mode')"
               label-position="hidden"
               :disabled="!securityTrainingEnabled"
+              data-qa-selector="security_training_toggle"
+              :data-qa-training-provider="provider.name"
               @change="toggleProvider(provider)"
             />
             <div v-if="$options.TEMP_PROVIDER_LOGOS[provider.name]" class="gl-ml-4">

ee/app/assets/javascripts/vulnerabilities/components/vulnerability_training.vue

@@ -187,9 +187,19 @@ export default {
               role="presentation"
             ></div>
           </span>
-          <span class="gl-font-weight-bold gl-font-base">{{ name }}</span>
+          <span
+            class="gl-font-weight-bold gl-font-base"
+            data-qa-selector="security_training_text"
+            >{{ name }}</span
+          >
         </div>
-        <gl-link :href="url" target="_blank" @click="clickTrainingLink(name, identifier)">
+        <gl-link
+          :href="url"
+          target="_blank"
+          data-qa-selector="security_training_link"
+          :data-qa-training-name="name"
+          @click="clickTrainingLink(name, identifier)"
+        >
           {{ $options.i18n.viewTraining }}
           <gl-icon class="gl-ml-2" name="external-link" :size="12" />
         </gl-link>

qa/qa/ee/fixtures/secure_premade_reports/gl-sast-report.json

@@ -148,6 +148,62 @@
         }
       ]
     },
+    {
+      "id": "7e126e060d3d0b5f0b11506528c82fa40f5d144d85b2460ab01c44c7c9043be7",
+      "category": "sast",
+      "message": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')",
+      "description": "Detected possible formatted SQL query. Use parameterized queries instead.\n",
+      "cve": "semgrep_id:bandit.B608:304:304",
+      "severity": "Medium",
+      "scanner": {
+        "id": "semgrep",
+        "name": "Semgrep"
+      },
+      "location": {
+        "file": "django/contrib/gis/db/backends/postgis/operations.py",
+        "start_line": 304
+      },
+      "identifiers": [
+        {
+          "type": "semgrep_id",
+          "name": "bandit.B608",
+          "value": "bandit.B608",
+          "url": "https://semgrep.dev/r/gitlab.bandit.B608"
+        },
+        {
+          "type": "cwe",
+          "name": "CWE-89",
+          "value": "89",
+          "url": "https://cwe.mitre.org/data/definitions/89.html"
+        },
+        {
+          "type": "owasp",
+          "name": "A1:2017 - Injection",
+          "value": "A1:2017"
+        },
+        {
+          "type": "bandit_test_id",
+          "name": "Bandit Test ID B608",
+          "value": "B608"
+        }
+      ],
+      "tracking": {
+        "type": "source",
+        "items": [
+          {
+            "file": "django/contrib/gis/db/backends/postgis/operations.py",
+            "line_start": 304,
+            "line_end": 304,
+            "signatures": [
+              {
+                "algorithm": "scope_offset",
+                "value": "django/contrib/gis/db/backends/postgis/operations.py|PostGISOperations[0]|_get_postgis_func[0]:6"
+              }
+            ]
+          }
+        ]
+      }
+    },
     {
       "id": "47f7fccbb39495c68dac599833fa631a5c043025e8a50fc036f86bafde7kl090",
       "category": "sast",
@@ -171,6 +227,12 @@
           "name": "Find Security Bugs-CIPHER_INTEGRITY",
           "value": "CIPHER_INTEGRITY",
           "url": "https://find-sec-bugs.github.io/bugs.htm#CIPHER_INTEGRITY"
+        },
+        {
+          "type": "cwe",
+          "name": "CWE-353",
+          "value": "353",
+          "url": "https://cwe.mitre.org/data/definitions/353.html"
         }
       ],
       "priority": "Medium",

qa/qa/ee/page/project/secure/security_dashboard.rb

@@ -66,7 +66,7 @@ def export_vulnerabilities_to_csv
             end
 
             def wait_for_vuln_report_to_load
-              wait_until(max_duration: 10, sleep_interval: 2, message: "Vulnerability report not loaded yet") do
+              wait_until(max_duration: 20, sleep_interval: 2, message: "Vulnerability report not loaded yet") do
                 has_element?(:vulnerability_report_header)
               end
             end

qa/qa/ee/page/project/secure/vulnerability_details.rb

@@ -39,6 +39,11 @@ class VulnerabilityDetails < QA::Page::Base
               element :jira_issue_link
             end
 
+            view 'ee/app/assets/javascripts/vulnerabilities/components/vulnerability_training.vue' do
+              element :security_training_text
+              element :security_training_link
+            end
+
             def has_component?(component_name:)
               has_element?(component_name.to_sym)
             end
@@ -47,6 +52,15 @@ def has_vulnerability_title?(title:)
               has_element?(:vulnerability_title, text: title)
             end
 
+            def security_training_present?(training_name:)
+              has_element?(:security_training_text, text: training_name)
+            end
+
+            def training_link_present?(training_name:, url:)
+              element = find_element(:security_training_link, training_name: training_name)
+              element["href"].include?(url)
+            end
+
             def has_vulnerability_description?(description:)
               has_element?(:vulnerability_description, text: description)
             end
@@ -75,6 +89,10 @@ def choose_dismissal_reason
               find_element(:dismissal_reason_dropdown).find('li', text: reasons.sample).click
             end
 
+            def training_header_present?
+              has_css?('h3', text: 'Training')
+            end
+
             def has_vulnerability_status?(status)
               has_element?(:vulnerability_status_dropdown, text: "#{status.capitalize}")
             end

qa/qa/ee/page/project/secure/vulnerability_security_training.rb

+# frozen_string_literal: true
+
+module QA
+  module EE
+    module Page
+      module Project
+        module Secure
+          class VulnerabilitySecurityTraining < QA::Page::Base
+            view 'app/assets/javascripts/security_configuration/components/training_provider_list.vue' do
+              element :security_training_toggle
+            end
+
+            def toggle_training_provider(name, toggle_to = "on")
+              within_element(:security_training_toggle, training_provider: name) do
+                toggle = find('button.gl-toggle')
+                checked = toggle[:class].include?('is-checked')
+                toggle.click if (checked && toggle_to == "off") || (!checked && toggle_to == "on")
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end

qa/qa/specs/features/ee/browser_ui/10_govern/create_merge_request_with_secure_spec.rb

@@ -3,7 +3,7 @@
 module QA
   RSpec.describe 'Govern', :runner, product_group: :threat_insights do
     describe 'Security Reports in a Merge Request Widget' do
-      let(:sast_vuln_count) { 6 }
+      let(:sast_vuln_count) { 7 }
       let(:dependency_scan_vuln_count) { 4 }
       let(:container_scan_vuln_count) { 8 }
       let(:vuln_name) { "Regular Expression Denial of Service in debug" }

qa/qa/specs/features/ee/browser_ui/10_govern/vulnerability_security_training_spec.rb

+# frozen_string_literal: true
+
+module QA
+  RSpec.describe 'Govern', :runner, product_group: :threat_insights do
+    describe 'Vulnerability Report Security Training' do
+      let(:vuln_name) { "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')" }
+
+      let(:training_providers) { ["Kontra", "Secure Code Warrior"] }
+      let(:secure_code_warrior_url) { "portal.securecodewarrior.com" }
+      let(:kontra_url) { "application.security/gitlab/free-application-security-training" }
+      let(:secure_code_warrior_text) { training_providers[1] }
+      let(:kontra_text) { training_providers[0] }
+      let!(:project) do
+        Resource::Project.fabricate_via_api! do |project|
+          project.name = 'vulnerability-report-security-training'
+          project.description = 'To Test integration with security training in vulnerability report'
+        end
+      end
+
+      let!(:artefacts_directory) do
+        Pathname.new(File.join(EE::Runtime::Path.fixtures_path, 'secure_premade_reports'))
+      end
+
+      let!(:runner) do
+        Resource::ProjectRunner.fabricate_via_api! do |runner|
+          runner.project = project
+          runner.name = "runner-for-#{project.name}"
+          runner.tags = ['secure_report']
+        end
+      end
+
+      let!(:repository) do
+        Resource::Repository::Commit.fabricate_via_api! do |commit|
+          commit.project = project
+          commit.commit_message = 'Add report files and .gitlab-ci.yml'
+          commit.add_directory(artefacts_directory)
+        end
+      end
+
+      before do
+        Flow::Login.sign_in
+        project.visit!
+      end
+
+      after do
+        runner.remove_via_api!
+        project.remove_via_api!
+      end
+
+      it 'shows security training section for supported vulnerabilities when the setting is toggled ON',
+        testcase: 'https://gitlab.com/gitlab-org/gitlab/-/quality/test_cases/411764' do
+        # Enable two security training providers
+        toggle_training_providers("on")
+
+        visit_vulnerability(vuln_name)
+
+        QA::EE::Page::Project::Secure::VulnerabilityDetails.perform do |vulnerability_details|
+          aggregate_failures "testing vulnerability details" do
+            expect(vulnerability_details.security_training_present?(training_name: secure_code_warrior_text)).to be true
+            expect(vulnerability_details.training_link_present?(training_name: secure_code_warrior_text,
+              url: secure_code_warrior_url)).to be true
+
+            expect(vulnerability_details.security_training_present?(training_name: kontra_text)).to be true
+            expect(vulnerability_details.training_link_present?(training_name: kontra_text,
+              url: kontra_url)).to be true
+          end
+        end
+      end
+
+      it 'does not show security training section in vulnerability details when the setting is turned OFF',
+        testcase: 'https://gitlab.com/gitlab-org/gitlab/-/quality/test_cases/412398' do
+        toggle_training_providers("off")
+        visit_vulnerability(vuln_name)
+
+        expect(QA::EE::Page::Project::Secure::VulnerabilityDetails.perform(&:training_header_present?)).to be false
+      end
+
+      def toggle_training_providers(toggle_to = "on")
+        Page::Project::Menu.perform(&:go_to_security_configuration)
+        click_link("Vulnerability Management")
+        QA::EE::Page::Project::Secure::VulnerabilitySecurityTraining.perform do |security_training|
+          training_providers.each do |provider|
+            security_training.toggle_training_provider(provider, toggle_to)
+          end
+        end
+      end
+
+      def visit_vulnerability(vulnerability_name)
+        Page::Project::Menu.perform(&:go_to_vulnerability_report)
+        QA::EE::Page::Project::Secure::SecurityDashboard.perform do |security_dashboard|
+          security_dashboard.wait_for_vuln_report_to_load
+          expect(security_dashboard).to have_vulnerability(description: vulnerability_name)
+
+          security_dashboard.click_vulnerability(description: vulnerability_name)
+        end
+      end
+    end
+  end
+end