Skip to content

Add SAST inline findings

What does this MR do and why?

This MR solves: #384989 (closed)
It introduces the first Iteration of displaying Sast findings inline in the Merge Request diff.

Screenshots or screen recordings

before after
2023-05-05_10-47-11 2023-05-03_16-04-28

How to set up and validate locally

Sast Findings

  1. Clone this project into your GDK
  2. Recreate this 1-liner MR jannik_lehmann/sast-inline-findings-example!1 (merged)
  3. See the SAST inline Findings in Action

Sast & Code Quality Findings

Recreating a Code Quality and a SAST Finding on the same line is not impossible but rather unusual so we have to mock this data a little

  1. Clone this Project into your GDK
  2. Recreate this MR
  3. apply the attached patch below to mock SAST findings
  4. hover over line 17
diff --git a/app/assets/javascripts/diffs/index.js b/app/assets/javascripts/diffs/index.js
index 3b84d9c6ac4d..89942105c4d0 100644
--- a/app/assets/javascripts/diffs/index.js
+++ b/app/assets/javascripts/diffs/index.js
@@ -38,7 +38,7 @@ export default function initDiffsApp(store = notesStore) {
         endpointDiffForPath: dataset.endpointDiffForPath || '',
         endpointCoverage: dataset.endpointCoverage || '',
         endpointCodequality: dataset.endpointCodequality || '',
-        endpointSast: dataset.endpointSast || '',
+        endpointSast: dataset.endpointSast || 'mockedEndpoint',
         endpointUpdateUser: dataset.updateCurrentUserPath,
         projectPath: dataset.projectPath,
         helpPagePath: dataset.helpPagePath,
diff --git a/ee/app/assets/javascripts/diffs/store/actions.js b/ee/app/assets/javascripts/diffs/store/actions.js
index 3c91c1fc3482..8f0c61f529bb 100644
--- a/ee/app/assets/javascripts/diffs/store/actions.js
+++ b/ee/app/assets/javascripts/diffs/store/actions.js
@@ -100,50 +100,19 @@ export const setGenerateTestFilePath = ({ commit }, path) =>
   commit(types.SET_GENERATE_TEST_FILE_PATH, path);
 
 export const fetchSast = ({ commit, state, dispatch }) => {
-  let retryCount = 0;
-  sastPoll = new Poll({
-    resource: {
-      getSastDiffReports: (endpoint) => axios.get(endpoint),
-    },
-    data: state.endpointSast,
-    method: 'getSastDiffReports',
-    successCallback: ({ status, data }) => {
-      retryCount = 0;
-      if (status === HTTP_STATUS_OK) {
-        commit(types.SET_SAST_DATA, data);
-        dispatch('stopSastPolling');
-      }
-    },
-    errorCallback: ({ response }) => {
-      if (response.status === HTTP_STATUS_BAD_REQUEST) {
-        // we could get a 400 status response temporarily during report processing
-        // so we retry up to MAX_RETRIES times in case the reports are on their way
-        // and stop polling if we get 400s consistently
-        if (retryCount < MAX_RETRIES) {
-          sastPoll.makeDelayedRequest(RETRY_DELAY);
-          retryCount += 1;
-        } else {
-          sastPoll.stop();
-        }
-      } else {
-        retryCount = 0;
-        dispatch('stopSastPolling');
-        createAlert({
-          message: __('An unexpected error occurred while loading the Sast diff.'),
-        });
-      }
-    },
-  });
-
-  if (!Visibility.hidden()) {
-    sastPoll.makeRequest();
-  }
-
-  Visibility.change(() => {
-    if (!Visibility.hidden()) {
-      dispatch('restartSastPolling');
-    } else {
-      dispatch('stopSastPolling');
-    }
+  commit(types.SET_SAST_DATA, {
+    added: [
+      {
+        severity: 'high',
+
+        description:
+          'Markup escaping disabled. This can be used with some template engines to escape\ndisabling of HTML entities, which can lead to XSS attacks.\n',
+        location: {
+          file: 'noise.rb',
+          start_line: 7,
+        },
+      },
+    ],
+    fixed: [],
   });
 };

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Jannik Lehmann

Merge request reports

Loading