Merge branch '419092-owasp-top-10-model-changes' into 'master'

Model changes for vulnerability_reads.owasp_top_10 See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/138502 Merged-by: James Fargher <jfargher@gitlab.com> Co-authored-by: Bala Kumar <sbalakumar@gitlab.com>

Merge branch '419092-owasp-top-10-model-changes' into 'master'
52576274 · James Fargher · f735fda1 · 43cc8c3f · 52576274 · 52576274
--- a/app/models/concerns/enums/vulnerability.rb
+++ b/app/models/concerns/enums/vulnerability.rb
@@ -46,6 +46,30 @@ module Vulnerability
      dismissed: 2
    }.with_indifferent_access.freeze
+    OWASP_TOP_10 = {
+      "A1:2017-Injection" => 1,
+      "A2:2017-Broken Authentication" => 2,
+      "A3:2017-Sensitive Data Exposure" => 3,
+      "A4:2017-XML External Entities (XXE)" => 4,
+      "A5:2017-Broken Access Control" => 5,
+      "A6:2017-Security Misconfiguration" => 6,
+      "A7:2017-Cross-Site Scripting (XSS)" => 7,
+      "A8:2017-Insecure Deserialization" => 8,
+      "A9:2017-Using Components with Known Vulnerabilities" => 9,
+      "A10:2017-Insufficient Logging & Monitoring" => 10,
+      "A1:2021-Broken Access Control" => 11,
+      "A2:2021-Cryptographic Failures" => 12,
+      "A3:2021-Injection" => 13,
+      "A4:2021-Insecure Design" => 14,
+      "A5:2021-Security Misconfiguration" => 15,
+      "A6:2021-Vulnerable and Outdated Components" => 16,
+      "A7:2021-Identification and Authentication Failures" => 17,
+      "A8:2021-Software and Data Integrity Failures" => 18,
+      "A9:2021-Security Logging and Monitoring Failures" => 19,
+      "A10:2021-Server-Side Request Forgery" => 20
+    }.with_indifferent_access.freeze
    def self.confidence_levels
      CONFIDENCE_LEVELS
    end
@@ -73,6 +97,10 @@ def self.detection_methods
    def self.vulnerability_states
      VULNERABILITY_STATES
    end
+    def self.owasp_top_10
+      OWASP_TOP_10
+    end
  end
 end

--- a/ee/app/models/vulnerabilities/read.rb
+++ b/ee/app/models/vulnerabilities/read.rb
@@ -32,6 +32,7 @@ class Read < ApplicationRecord
    enum state: ::Enums::Vulnerability.vulnerability_states
    enum report_type: ::Enums::Vulnerability.report_types
    enum severity: ::Enums::Vulnerability.severity_levels, _prefix: :severity
+    enum owasp_top_10: ::Enums::Vulnerability.owasp_top_10
    scope :by_uuid, -> (uuids) { where(uuid: uuids) }
    scope :by_vulnerabilities, -> (vulnerabilities) { where(vulnerability: vulnerabilities) }

--- a/ee/spec/models/vulnerabilities/read_spec.rb
+++ b/ee/spec/models/vulnerabilities/read_spec.rb
@@ -618,6 +618,16 @@
    end
  end
+  describe '.owasp_top_10' do
+    it 'raises ArgumentError for invalid enum value' do
+      expect { described_class.new(owasp_top_10: '123456') }.to raise_error(ArgumentError)
+    end
+    it 'accepts nil value' do
+      is_expected.to allow_value(nil).for(:owasp_top_10)
+    end
+  end
  private
  def create_vulnerability(severity: 7, confidence: 7, report_type: 0)