From 43cc8c3fa49cf017aad14c82861fef779a27e64e Mon Sep 17 00:00:00 2001
From: Bala Kumar <sbalakumar@gitlab.com>
Date: Fri, 1 Dec 2023 18:56:24 +0530
Subject: [PATCH] Include owasp_top_10 to vulnerabilities read model

Changelog: added
EE: true
---
 app/models/concerns/enums/vulnerability.rb  | 28 +++++++++++++++++++++
 ee/app/models/vulnerabilities/read.rb       |  1 +
 ee/spec/models/vulnerabilities/read_spec.rb | 10 ++++++++
 3 files changed, 39 insertions(+)

diff --git a/app/models/concerns/enums/vulnerability.rb b/app/models/concerns/enums/vulnerability.rb
index dbf05dbc4287b..f7d35c77648e3 100644
--- a/app/models/concerns/enums/vulnerability.rb
+++ b/app/models/concerns/enums/vulnerability.rb
@@ -46,6 +46,30 @@ module Vulnerability
       dismissed: 2
     }.with_indifferent_access.freeze
 
+    OWASP_TOP_10 = {
+      "A1:2017-Injection" => 1,
+      "A2:2017-Broken Authentication" => 2,
+      "A3:2017-Sensitive Data Exposure" => 3,
+      "A4:2017-XML External Entities (XXE)" => 4,
+      "A5:2017-Broken Access Control" => 5,
+      "A6:2017-Security Misconfiguration" => 6,
+      "A7:2017-Cross-Site Scripting (XSS)" => 7,
+      "A8:2017-Insecure Deserialization" => 8,
+      "A9:2017-Using Components with Known Vulnerabilities" => 9,
+      "A10:2017-Insufficient Logging & Monitoring" => 10,
+
+      "A1:2021-Broken Access Control" => 11,
+      "A2:2021-Cryptographic Failures" => 12,
+      "A3:2021-Injection" => 13,
+      "A4:2021-Insecure Design" => 14,
+      "A5:2021-Security Misconfiguration" => 15,
+      "A6:2021-Vulnerable and Outdated Components" => 16,
+      "A7:2021-Identification and Authentication Failures" => 17,
+      "A8:2021-Software and Data Integrity Failures" => 18,
+      "A9:2021-Security Logging and Monitoring Failures" => 19,
+      "A10:2021-Server-Side Request Forgery" => 20
+    }.with_indifferent_access.freeze
+
     def self.confidence_levels
       CONFIDENCE_LEVELS
     end
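Review bot: The new `OWASP_TOP_10` mapping lacks a comment stating that its integers are persisted (the constant is wired into a Rails `enum` on the read model in this same patch), so a later edit that renumbers, reorders or reuses a value would silently relabel stored rows. Add above the constant: `# Integer values are stored in the database; never renumber or reuse them — append new entries only.` The blank line between entries 10 and 11 separates the 2017 and 2021 editions of the list but says so nowhere; a short `# OWASP Top 10 — 2017 edition` / `# OWASP Top 10 — 2021 edition` above each group would make that explicit. Note also that because the labels contain colons, spaces and parentheses, the predicate methods and scopes Rails generates from them (presumably, given the `enum` usage elsewhere in the patch) are not callable by ordinary method syntax; that is harmless but worth a one-line comment so nobody tries to "fix" the labels.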
@@ -73,6 +97,10 @@ def self.detection_methods
     def self.vulnerability_states
       VULNERABILITY_STATES
     end
+
+    def self.owasp_top_10
+      OWASP_TOP_10
+    end
   end
 end
 
diff --git a/ee/app/models/vulnerabilities/read.rb b/ee/app/models/vulnerabilities/read.rb
index 9c895a8b1ab8c..5d2532c120edd 100644
--- a/ee/app/models/vulnerabilities/read.rb
+++ b/ee/app/models/vulnerabilities/read.rb
@@ -32,6 +32,7 @@ class Read < ApplicationRecord
     enum state: ::Enums::Vulnerability.vulnerability_states
     enum report_type: ::Enums::Vulnerability.report_types
     enum severity: ::Enums::Vulnerability.severity_levels, _prefix: :severity
+    enum owasp_top_10: ::Enums::Vulnerability.owasp_top_10
 
     scope :by_uuid, -> (uuids) { where(uuid: uuids) }
     scope :by_vulnerabilities, -> (vulnerabilities) { where(vulnerability: vulnerabilities) }
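Review bot: The added `enum owasp_top_10:` declaration on the line after `severity` uses no `_prefix`/`_scopes` option, unlike `severity` which uses `_prefix: :severity`; since the label strings are not valid method names, the generated per-label scopes and predicate methods are likely unusable anyway, so consider `enum owasp_top_10: ::Enums::Vulnerability.owasp_top_10, _scopes: false` (if the Rails version in use supports it — verify) to avoid defining dead scopes on the model. A brief comment that assignment of an unknown label raises `ArgumentError` (the behaviour the spec relies on) and that `nil` is permitted would document the contract callers get. The enclosing `class Read` starts outside this hunk.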
diff --git a/ee/spec/models/vulnerabilities/read_spec.rb b/ee/spec/models/vulnerabilities/read_spec.rb
index 8d3bcfe982e2f..49207ee2588c8 100644
--- a/ee/spec/models/vulnerabilities/read_spec.rb
+++ b/ee/spec/models/vulnerabilities/read_spec.rb
@@ -618,6 +618,16 @@
     end
   end
 
+  describe '.owasp_top_10' do
+    it 'raises ArgumentError for invalid enum value' do
+      expect { described_class.new(owasp_top_10: '123456') }.to raise_error(ArgumentError)
+    end
+
+    it 'accepts nil value' do
+      is_expected.to allow_value(nil).for(:owasp_top_10)
+    end
+  end
+
   private
 
   def create_vulnerability(severity: 7, confidence: 7, report_type: 0)
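Review bot: The new examples cover only the rejection of an unknown label and acceptance of `nil`; there is no positive case showing that a real label round-trips, which is the behaviour downstream filters will depend on. Add an example such as `expect(described_class.new(owasp_top_10: 'A1:2017-Injection').owasp_top_10).to eq('A1:2017-Injection')` alongside the two existing ones. The `describe '.owasp_top_10'` label uses the class-method convention while the examples exercise an attribute; `describe '#owasp_top_10'` would match the rest of the file's conventions if those are followed elsewhere. The enclosing `RSpec.describe` block begins outside this hunk.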
-- 
GitLab