未验证 提交 a0707978 编辑于 作者: Eugie Limpin's avatar Eugie Limpin 提交者: GitLab

Merge branch 'rf-status-check-for-sast-configs' into 'master'

...@@ -12,12 +12,31 @@ def latest_builds_reports(only_successful_builds: false) ...@@ -12,12 +12,31 @@ def latest_builds_reports(only_successful_builds: false)
strong_memoize("latest_builds_reports_#{only_successful_builds}") do strong_memoize("latest_builds_reports_#{only_successful_builds}") do
builds = latest_security_builds builds = latest_security_builds
builds = builds.select { |build| build.status == 'success' } if only_successful_builds builds = builds.select { |build| build.status == 'success' } if only_successful_builds
builds.flat_map do |build| reports = builds.flat_map do |build|
build.options[:artifacts][:reports].keys build.options[:artifacts][:reports].keys
end end
normalize_for_sast_reports(reports, builds)
end end
end end
# Because :sast_iac and :sast_advanced reports belong to a report with a name of 'sast',
# we have to do extra checking to determine which reports have been included
def normalize_for_sast_reports(reports, builds)
return reports unless reports.delete(:sast)
reports.tap do |r|
build_names = builds.map(&:name)
r.push(:sast_iac) if build_names.delete('kics-iac-sast')
# When using adavanced sast, sast should also show in the report names
r.push(:sast, :sast_advanced) if build_names.delete('gitlab-advanced-sast')
r.push(:sast) if build_names.any? { |name| name.include? '-sast' }
end.uniq
end
def latest_security_builds def latest_security_builds
return [] unless latest_default_branch_pipeline return [] unless latest_default_branch_pipeline
......
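Review bot: The guard `return reports unless reports.delete(:sast)` in normalize_for_sast_reports hands back the raw list, while the SAST path ends in `.uniq`, so two builds carrying the same non-SAST report (two `:dast` jobs, say) produce duplicates on one path and not the other; `return reports.uniq unless reports.delete(:sast)` keeps both paths consistent. Once `:sast` is deleted it is only restored when some build name contains `-sast`, so a job that emits a `sast` report under a custom name (a job simply called `sast`, for instance) no longer appears although the previous `flat_map` reported it — if that is not intended, the fallback should look at which builds actually list `:sast` under `options[:artifacts][:reports]` rather than at names alone. The name scan also covers every entry in `builds`, not only those with a SAST report, so an unrelated security job whose name happens to contain `-sast` would switch SAST on. The comment above the `:sast_advanced` push misspells `advanced`. latest_builds_reports is shown in full, but its enclosing module begins before the hunk and the hunk is cut off after `latest_security_builds`.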
...@@ -42,7 +42,7 @@ ...@@ -42,7 +42,7 @@
context 'with SAST report' do context 'with SAST report' do
before do before do
create(:ci_build, :sast, pipeline: pipeline, status: 'success') create(:ci_build, :sast, name: 'semgrep-sast', pipeline: pipeline, status: 'success')
end end
it 'shows SAST is enabled' do it 'shows SAST is enabled' do
......
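Review bot: Every SAST fixture in these specs now has to spell out `name: 'semgrep-sast'` (here and again in the sections starting at L43, L51, L116, L122 and L128) because the `-sast` substring check in normalize_for_sast_reports is what re-adds `:sast`; if the `:sast` factory trait can carry that default name, the repetition and the risk of a future spec silently losing SAST coverage both go away. The hunks also alternate between `'semgrep-sast'` and `"semgrep-sast"`; picking one quoting form keeps the specs consistent.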
...@@ -144,7 +144,7 @@ ...@@ -144,7 +144,7 @@
subject { GitlabSchema.execute(query, context: { current_user: user }).as_json } subject { GitlabSchema.execute(query, context: { current_user: user }).as_json }
before do before do
create(:ci_build, :success, :sast, pipeline: pipeline) create(:ci_build, :success, :sast, name: "semgrep-sast", pipeline: pipeline)
create(:ci_build, :success, :dast, pipeline: pipeline) create(:ci_build, :success, :dast, pipeline: pipeline)
create(:ci_build, :success, :license_scanning, pipeline: pipeline) create(:ci_build, :success, :license_scanning, pipeline: pipeline)
create(:ci_build, :pending, :secret_detection, pipeline: pipeline) create(:ci_build, :pending, :secret_detection, pipeline: pipeline)
......
...@@ -7,7 +7,7 @@ ...@@ -7,7 +7,7 @@
let(:pipeline) { create(:ci_pipeline, project: project, sha: project.commit.id, ref: project.default_branch) } let(:pipeline) { create(:ci_pipeline, project: project, sha: project.commit.id, ref: project.default_branch) }
before do before do
create(:ci_build, :success, :sast, pipeline: pipeline) create(:ci_build, :success, :sast, name: 'semgrep-sast', pipeline: pipeline)
create(:ci_build, :success, :dast, pipeline: pipeline) create(:ci_build, :success, :dast, pipeline: pipeline)
create(:ci_build, :success, :license_scanning, pipeline: pipeline) create(:ci_build, :success, :license_scanning, pipeline: pipeline)
create(:ci_build, :pending, :secret_detection, pipeline: pipeline) create(:ci_build, :pending, :secret_detection, pipeline: pipeline)
......
# frozen_string_literal: true
require 'spec_helper'
RSpec.describe Security::LatestPipelineInformation, feature_category: :secure_artifacts do
subject { my_class.latest_builds_reports }
let(:my_class) do
Class.new do
include Security::LatestPipelineInformation
include Gitlab::Utils::StrongMemoize
end
end
let(:instance) { my_class.new }
let_it_be(:pipeline) { create(:ci_pipeline) }
describe '#scanner_enabled?' do
it 'returns true if the scan type is included in latest_builds_reports' do
allow(instance).to receive(:latest_builds_reports).and_return([:sast, :dast])
expect(instance.send(:scanner_enabled?, :sast)).to be true
end
it 'returns false if the scan type is not included in latest_builds_reports' do
allow(instance).to receive(:latest_builds_reports).and_return([:dast])
expect(instance.send(:scanner_enabled?, :sast)).to be false
end
end
describe '#latest_builds_reports' do
let_it_be(:sast_build) { create(:ci_build, :sast, :success, name: "semgrep-sast", pipeline: pipeline) }
let_it_be(:sast_iac_build) { create(:ci_build, :sast, name: "kics-iac-sast", pipeline: pipeline) }
let_it_be(:advanced_sast_build) { create(:ci_build, :sast, name: "gitlab-advanced-sast", pipeline: pipeline) }
let_it_be(:dast_build) { create(:ci_build, :dast, pipeline: pipeline) }
it 'returns an array of unique reports' do
allow(instance).to receive(:latest_security_builds).and_return([sast_build, advanced_sast_build, dast_build])
expect(instance.send(:latest_builds_reports)).to match_array([:sast, :sast_advanced, :dast])
end
context 'when limiting to successful builds' do
it 'returns an array of reports with only successful builds' do
allow(instance).to receive(:latest_security_builds).and_return([sast_build, sast_iac_build])
expect(instance.send(:latest_builds_reports, only_successful_builds: true)).to match_array([:sast])
end
end
describe 'sast jobs' do
it 'does not include :sast when there are no sast related jobs' do
allow(instance).to receive(:latest_security_builds).and_return([dast_build])
expect(instance.send(:latest_builds_reports)).to match_array([:dast])
end
it 'includes :sast when the only job is :sast_advanced' do
allow(instance).to receive(:latest_security_builds).and_return([advanced_sast_build])
expect(instance.send(:latest_builds_reports)).to match_array([:sast, :sast_advanced])
end
it 'does not include :sast when the only job is :sast_iac' do
allow(instance).to receive(:latest_security_builds).and_return([sast_iac_build])
expect(instance.send(:latest_builds_reports)).to match_array([:sast_iac])
end
it 'does not include :sast_iac or :sast_advanced when there are only :sast jobs' do
allow(instance).to receive(:latest_security_builds).and_return([sast_build])
expect(instance.send(:latest_builds_reports)).to match_array([:sast])
end
end
end
end
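Review bot: The `subject { my_class.latest_builds_reports }` at the top of the new spec calls the method on the anonymous class itself rather than on an instance, so it would raise NoMethodError if any example used it; none does, so it is dead, and `subject { instance.latest_builds_reports }` (or dropping it) matches how the examples call `instance.send(:latest_builds_reports)`. The examples also leave untested the case where a build has a `sast` report but no `-sast` in its name, which is exactly the path where normalize_for_sast_reports now drops `:sast`; an example with a build named, say, `custom-scan` pinning the intended result would document that contract. The `sast_iac_build` and `advanced_sast_build` fixtures are created without `:success`, which the successful-builds example relies on implicitly; a short comment on those `let_it_be` lines saying so would help the next reader.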
...@@ -30,7 +30,7 @@ ...@@ -30,7 +30,7 @@
) )
end end
let!(:build_sast) { create(:ci_build, :sast, pipeline: pipeline) } let!(:build_sast) { create(:ci_build, :sast, name: 'semgrep-sast', pipeline: pipeline) }
let!(:build_dast) { create(:ci_build, :dast, pipeline: pipeline) } let!(:build_dast) { create(:ci_build, :dast, pipeline: pipeline) }
let!(:build_license_scanning) { create(:ci_build, :license_scanning, pipeline: pipeline) } let!(:build_license_scanning) { create(:ci_build, :license_scanning, pipeline: pipeline) }
...@@ -133,7 +133,7 @@ ...@@ -133,7 +133,7 @@
{ artifacts: { reports: { other_job: ['gl-other-report.json'], sast: ['gl-sast-report.json'] } } } { artifacts: { reports: { other_job: ['gl-other-report.json'], sast: ['gl-sast-report.json'] } } }
end end
let!(:complicated_job) { build_stubbed(:ci_build, options: artifacts) } let!(:complicated_job) { build_stubbed(:ci_build, name: 'semgrep-sast', options: artifacts) }
before do before do
allow_next_instance_of(::Security::SecurityJobsFinder) do |finder| allow_next_instance_of(::Security::SecurityJobsFinder) do |finder|
...@@ -230,7 +230,7 @@ ...@@ -230,7 +230,7 @@
) )
end end
let!(:build_sast) { create(:ci_build, :sast, pipeline: pipeline, status: 'success') } let!(:build_sast) { create(:ci_build, :sast, name: 'semgrep-sast', pipeline: pipeline, status: 'success') }
let!(:build_dast) { create(:ci_build, :dast, pipeline: pipeline, status: 'success') } let!(:build_dast) { create(:ci_build, :dast, pipeline: pipeline, status: 'success') }
let!(:ci_build) { create(:ci_build, :secret_detection, pipeline: pipeline, status: 'pending') } let!(:ci_build) { create(:ci_build, :secret_detection, pipeline: pipeline, status: 'pending') }
......