
Add inline SAST findings

Jannik Lehmann requested to merge jnnkl-sast-inline into master

What does this MR do and why?

This MR introduces the first iteration of displaying SAST findings inline in the Merge Request diff.

Related Design Issue: #415112 (closed)
Inspired by: !119062 (closed)
Epic: &10959

Screenshots or screen recordings

Sast only: before (sast_only_before) and after (sast_only_after) screenshots

Sast & CodeQuality: before (before_cq) and after (after_CQ___SAST_same_line) screenshots

How to set up and validate locally

  1. Enable this flag: #410191 (closed)
  2. Clone this repo: https://gitlab.com/jannik_lehmann/sast-inline-findings-example
  3. Recreate this MR: jannik_lehmann/sast-inline-findings-example!1 (merged)
  4. Let the pipeline finish and see the Security findings in action
  5. Clone this repo: https://gitlab.com/jannik_lehmann/code-quality-test
  6. Recreate this MR: jannik_lehmann/code-quality-test!4 (diffs)
  7. Let the pipeline finish and see that the CodeQuality Findings are still working.
  8. Apply the patch below
  9. Go to the recreated MR and see the CQ and (mocked) Security finding on the same line
diff --git a/app/assets/javascripts/diffs/index.js b/app/assets/javascripts/diffs/index.js
index 621d78850dfe..8e2e8ac4829d 100644
--- a/app/assets/javascripts/diffs/index.js
+++ b/app/assets/javascripts/diffs/index.js
@@ -32,7 +32,7 @@ export default function initDiffsApp(store = notesStore) {
       return {
         endpointCoverage: dataset.endpointCoverage || '',
         endpointCodequality: dataset.endpointCodequality || '',
-        endpointSast: dataset.endpointSast || '',
+        endpointSast: 'mockedEndpoint',
         endpointUpdateUser: dataset.updateCurrentUserPath,
         projectPath: dataset.projectPath,
         helpPagePath: dataset.helpPagePath,
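Review bot: the replaced `endpointSast: dataset.endpointSast || ''` line is a local validation aid, but hardcoding `'mockedEndpoint'` silently discards the real endpoint from the dataset and nothing in the hunk marks it as temporary; add a comment such as `// TEMP: local validation only, do not commit` on the `+` line so the mock cannot slip into a real commit.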
diff --git a/ee/app/assets/javascripts/diffs/store/actions.js b/ee/app/assets/javascripts/diffs/store/actions.js
index 3c91c1fc3482..17b36f0b1e1c 100644
--- a/ee/app/assets/javascripts/diffs/store/actions.js
+++ b/ee/app/assets/javascripts/diffs/store/actions.js
@@ -100,6 +100,21 @@ export const setGenerateTestFilePath = ({ commit }, path) =>
   commit(types.SET_GENERATE_TEST_FILE_PATH, path);
 
 export const fetchSast = ({ commit, state, dispatch }) => {
+  commit(types.SET_SAST_DATA, {
+    added: [
+      {
+        severity: 'medium',
+        description:
+          'Markup escaping disabled. This can be used with some template engines to escape\ndisabling of HTML entities, which can lead to XSS attacks.\n',
+        location: {
+          file: 'noise.rb',
+          start_line: 7,
+        },
+      },
+    ],
+    fixed: [],
+  });
+  return;
   let retryCount = 0;
   sastPoll = new Poll({
     resource: {
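Review bot: the bare `return;` added before `let retryCount = 0;` leaves the whole real `Poll` setup in `fetchSast` as unreachable code, which ESLint's `no-unreachable` rule will flag, and `state` and `dispatch` become unused parameters; for a local test patch that is acceptable, but it is worth saying so in the validation steps. Also note that the mocked location (`file: 'noise.rb'`, `start_line: 7`) only produces a visible result in step 9 if the recreated code-quality MR actually changes line 7 of `noise.rb` and a CodeQuality finding lands on that same line; otherwise the inline marker has nowhere to attach.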
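As an added example (not GitLab's own code) illustrating the validation target above, the following shows how SAST findings in the `{ added: [...], fixed: [] }` shape used by the mocked patch can be grouped by file and line together with CodeQuality findings, so both render on the same diff line. The CodeQuality entry shape (`file_path`, `line`, `severity`, `description`), the cross-scale severity ordering and the sample inputs are all assumptions made for this example.

```javascript
// Added example, not GitLab code: index inline MR findings by file and line so
// that a SAST finding and a CodeQuality finding on the same diff line can be
// rendered together. The SAST shape
//   { added: [{ severity, description, location: { file, start_line } }], fixed: [] }
// mirrors the mocked data in the local-validation patch; the CodeQuality entry
// shape { file_path, line, severity, description } is an assumption here.

// Assumed ordering across the two severity scales, most severe first.
const SEVERITY_ORDER = [
  'critical', 'blocker', 'high', 'major', 'medium', 'minor', 'low', 'info', 'unknown',
];

function severityRank(severity) {
  const idx = SEVERITY_ORDER.indexOf(String(severity || 'unknown').toLowerCase());
  return idx === -1 ? SEVERITY_ORDER.length : idx; // unknown scales sort last
}

function lineKey(file, line) {
  return `${file}:${line}`;
}

// Only `added` findings are rendered inline; `fixed` ones no longer have a line
// in the new version of the file.
function normalizeSast(sastData) {
  const added = (sastData && sastData.added) || [];
  return added.map((f) => ({
    source: 'sast',
    severity: String(f.severity || 'unknown').toLowerCase(),
    description: String(f.description || '').trim(),
    file: f.location && f.location.file,
    line: f.location && f.location.start_line,
  }));
}

function normalizeCodequality(cqFindings) {
  return (cqFindings || []).map((f) => ({
    source: 'codequality',
    severity: String(f.severity || 'unknown').toLowerCase(),
    description: String(f.description || '').trim(),
    file: f.file_path,
    line: f.line,
  }));
}

// Returns a Map of "file:line" -> findings on that line, most severe first.
function groupFindingsByLine(sastData, cqFindings) {
  const groups = new Map();
  for (const finding of [...normalizeSast(sastData), ...normalizeCodequality(cqFindings)]) {
    // Findings without a usable location cannot be attached to a diff line.
    if (!finding.file || !Number.isInteger(finding.line)) continue;
    const key = lineKey(finding.file, finding.line);
    if (!groups.has(key)) groups.set(key, []);
    groups.get(key).push(finding);
  }
  for (const list of groups.values()) {
    list.sort((a, b) => severityRank(a.severity) - severityRank(b.severity));
  }
  return groups;
}

function findingsForLine(groups, file, line) {
  return groups.get(lineKey(file, line)) || [];
}

// Constructed sample input: the mocked SAST finding from the patch plus three
// hypothetical CodeQuality findings, one on the same line and one with no line.
const SAMPLE_SAST = {
  added: [
    {
      severity: 'medium',
      description:
        'Markup escaping disabled. This can be used with some template engines to escape\ndisabling of HTML entities, which can lead to XSS attacks.\n',
      location: { file: 'noise.rb', start_line: 7 },
    },
  ],
  fixed: [],
};

const SAMPLE_CODEQUALITY = [
  { file_path: 'noise.rb', line: 7, severity: 'major', description: 'Method has too many lines.' },
  { file_path: 'noise.rb', line: 12, severity: 'minor', description: 'Line is too long.' },
  { file_path: 'noise.rb', line: null, severity: 'info', description: 'File-level note, no line.' },
];

const grouped = groupFindingsByLine(SAMPLE_SAST, SAMPLE_CODEQUALITY);
console.log(findingsForLine(grouped, 'noise.rb', 7).map((f) => `${f.source}:${f.severity}`));
```

The key choice is to normalise both sources into one record shape before grouping, so the diff view only needs a single lookup per rendered line; findings whose location cannot be mapped to a line are dropped rather than silently attached to line 0.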

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Jannik Lehmann
