Add `Vulnerabilities::SecurityFinding::CreateIssue` Service

This Merge Request adds a new service called `Vulnerabilities::SecurityFinding::CreateIssue` as described here

This Merge Request is related to the issue #361948 (closed)

How to set up and validate locally

Security::Vulnerability without Vulnerability

```shell
rails c
```

1. Check the Vulnerability count

```ruby
Vulnerability.count
   (0.7ms)  SELECT COUNT(*) FROM "vulnerabilities" /*application:console,db_config_name:main,line:(pry):22:in `__pry__'*/
=> 150
```

2. Check the Issue count

```ruby
Issue.count
   (0.8ms)  SELECT COUNT(*) FROM "issues" /*application:console,db_config_name:main,line:(pry):23:in `__pry__'*/
=> 497
```

3. Check the Vulnerabilities::IssueLink.count

```ruby
Vulnerabilities::IssueLink.count
   (0.3ms)  SELECT COUNT(*) FROM "vulnerability_issue_links" /*application:console,db_config_name:main,line:(pry):24:in `__pry__'*/
=> 51
```

4. Create a new vulnerabilities_finding without vulnerability_id

```ruby
vulnerabilities_finding = Vulnerabilities::Finding.last.dup
vulnerabilities_finding.vulnerability_id = nil
vulnerabilities_finding.uuid = "a3bbfe5d-2b5e-5cad-994b-19a1bd25d87c"
vulnerabilities_finding.save
vulnerabilities_finding.reload
```

5. Call the Service

```ruby
vulnerabilities_finding = Vulnerabilities::Finding.last
project = Project.find(vulnerabilities_finding.project_id)
user = project.users.last
params = { vulnerabilities_finding: vulnerabilities_finding }

Vulnerabilities::CreateFromFindingService.new(project: project, current_user: user, params: params).execute

#<ServiceResponse:0x00007f97c7f3f730 @http_status=:ok, @message=nil, @payload={:issue=>#<Issue id:498 flightjs/Flight#42>}, @status=:success>
```

6. Check the Vulnerability count. It should have increased by one.

```ruby
Vulnerability.count
(0.5ms)  SELECT COUNT(*) FROM "vulnerabilities" /*application:console,db_config_name:main,line:(pry):43:in `__pry__'*/
=> 151
```

7. Check the Issue count. It should have increased by one.

```ruby
Issue.count
  (1.7ms)  SELECT COUNT(*) FROM "issues" /*application:console,db_config_name:main,line:(pry):44:in `__pry__'*/
=> 498
```

8. Check the new Issue details.

```ruby
Issue.last.as_json

=> {"id"=>498,
 "title"=>"Investigate vulnerability: Cipher with no integrity",
 "author_id"=>61,
 "project_id"=>6,
 "created_at"=>"2022-05-13T21:20:03.778Z",
 "updated_at"=>"2022-05-13T21:20:03.778Z",
 "description"=>"### Description:\n\nCipher with no integrity\n\n* Severity: low\n* Confidence: experimental",
 "milestone_id"=>nil,
 "iid"=>42,
 "updated_by_id"=>nil,
 "weight"=>nil,
 "confidential"=>true,
 "due_date"=>nil,
 "moved_to_id"=>nil,
 "lock_version"=>0,
 "time_estimate"=>0,
 "relative_position"=>nil,
 "service_desk_reply_to"=>nil,
 "last_edited_at"=>nil,
 "last_edited_by_id"=>nil,
 "discussion_locked"=>nil,
 "closed_at"=>nil,
 "closed_by_id"=>nil,
 "state_id"=>1,
 "duplicated_to_id"=>nil,
 "promoted_to_epic_id"=>nil,
 "health_status"=>nil,
 "external_key"=>nil,
 "sprint_id"=>nil,
 "issue_type"=>"issue",
 "blocking_issues_count"=>0,
 "upvotes_count"=>0,
 "work_item_type_id"=>1}
```

9. Check the Vulnerabilities::IssueLink.count. It should have increased by 1.

```ruby
Vulnerabilities::IssueLink.count

   (0.9ms)  SELECT COUNT(*) FROM "vulnerability_issue_links" /*application:console,db_config_name:main,line:(pry):46:in `__pry__'*/
=> 52
```

10. Check the Vulnerabilities::IssueLink details

```ruby
Vulnerabilities::IssueLink.last
=> #<Vulnerabilities::IssueLink:0x00007f9750600858
 id: 53,
 vulnerability_id: 151,
 issue_id: 498,
 link_type: "created",
 created_at: Fri, 13 May 2022 21:20:11.345169000 UTC +00:00,
 updated_at: Fri, 13 May 2022 21:20:11.345169000 UTC +00:00>
```

11. Check if Vulnerabilities::IssueLink has the correct issue_id and vulnerability_id

```ruby
Vulnerabilities::IssueLink.last.issue_id == Issue.last.id
=> true

Vulnerabilities::IssueLink.last.vulnerability_id == vulnerabilities_finding.reload.vulnerability_id
=> true
```

Security::Vulnerability with Vulnerability

```shell
rails c
```

1. Check the Vulnerability count

```ruby
Vulnerability.count
(9.4ms)  SELECT COUNT(*) FROM "vulnerabilities" /*application:console,db_config_name:main,line:(pry):53:in `__pry__'*/
=> 150
```

2. Check the Issue count

```ruby
Issue.count
(11.4ms)  SELECT COUNT(*) FROM "issues" /*application:console,db_config_name:main,line:(pry):55:in `__pry__'*/
=> 494
```

3. Check the Vulnerabilities::IssueLink.count

```ruby
Vulnerabilities::IssueLink.count
   (0.6ms)  SELECT COUNT(*) FROM "vulnerability_issue_links" /*application:console,db_config_name:main,line:(pry):13:in `__pry__'*/
=> 50
```

4. Call the Service

```ruby
vulnerabilities_finding = Vulnerabilities::Finding.last
project = Project.find(vulnerabilities_finding.project_id)
user = project.users.last
params = { vulnerabilities_finding: vulnerabilities_finding }

Vulnerabilities::CreateFromFindingService.new(project: project, current_user: user, params: params).execute

=> #<ServiceResponse:0x00007feea2735030 @http_status=:ok, @message=nil, @payload={:issue=>#<Issue id:495 flightjs/Flight#39>}, @status=:success>
```

5. Check the Vulnerability count. It should be the same.

```ruby
Vulnerability.count
(0.7ms)  SELECT COUNT(*) FROM "vulnerabilities" /*application:console,db_config_name:main,line:(pry):69:in `__pry__'*/
=> 150
```

6. Check the Issue count. It should have increased by one.

```ruby
Issue.count
   (0.6ms)  SELECT COUNT(*) FROM "issues" /*application:console,db_config_name:main,line:(pry):70:in `__pry__'*/
=> 495
```

7. Check the new Issue details.

```ruby
Issue.last.as_json

=> {"id"=>497,
 "title"=>"Investigate vulnerability: Cypher with no integrity",
 "author_id"=>61,
 "project_id"=>6,
 "created_at"=>"2022-05-13T19:32:06.283Z",
 "updated_at"=>"2022-05-13T19:32:06.283Z",
 "description"=>"### Description:\n\nCypher with no integrity\n\n* Severity: critical\n* Confidence: low",
 "milestone_id"=>nil,
 "iid"=>41,
 "updated_by_id"=>nil,
 "weight"=>nil,
 "confidential"=>true,
 "due_date"=>nil,
 "moved_to_id"=>nil,
 "lock_version"=>0,
 "time_estimate"=>0,
 "relative_position"=>nil,
 "service_desk_reply_to"=>nil,
 "last_edited_at"=>nil,
 "last_edited_by_id"=>nil,
 "discussion_locked"=>nil,
 "closed_at"=>nil,
 "closed_by_id"=>nil,
 "state_id"=>1,
 "duplicated_to_id"=>nil,
 "promoted_to_epic_id"=>nil,
 "health_status"=>nil,
 "external_key"=>nil,
 "sprint_id"=>nil,
 "issue_type"=>"issue",
 "blocking_issues_count"=>0,
 "upvotes_count"=>0,
 "work_item_type_id"=>1}
```

8. Check the Vulnerabilities::IssueLink.count. It should have increased by 1.

```ruby
Vulnerabilities::IssueLink.count

   (0.5ms)  SELECT COUNT(*) FROM "vulnerability_issue_links" /*application:console,db_config_name:main,line:(pry):15:in `__pry__'*/
=> 51
```

9. Check the Vulnerabilities::IssueLink details

```ruby
Vulnerabilities::IssueLink.last
#<Vulnerabilities::IssueLink:0x00007f97307d2f20
 id: 52,
 vulnerability_id: 150,
 issue_id: 497,
 link_type: "created",
 created_at: Fri, 13 May 2022 19:32:11.586035000 UTC +00:00,
 updated_at: Fri, 13 May 2022 19:32:11.586035000 UTC +00:00>
```

10. Check if Vulnerabilities::IssueLink has the correct issue_id and vulnerability_id

```ruby
Vulnerabilities::IssueLink.last.issue_id == Issue.last.id
=> true

Vulnerabilities::IssueLink.last.vulnerability_id == vulnerabilities_finding.vulnerability_id
=> true
```
Edited by Marcos Rocha
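
The before/after count checks from both scenarios in the description, written as one repeatable assertion (an added example, not code from this merge request or from GitLab). `Table`, `create_issue_from_finding`, `count_deltas` and `validate` are hypothetical in-memory stand-ins that model only the behaviour the validation steps expect, including the `confidential` flag seen in the issue output.

```ruby
# Constructed in-memory stand-in for a database table; NOT a GitLab model.
Table = Struct.new(:rows) do
  def count
    rows.size
  end

  def insert(attrs)
    row = attrs.merge(id: rows.size + 1)
    rows << row
    row
  end
end

# Hypothetical stand-in for the service: reuse the finding's vulnerability
# when present, otherwise create one; always create a confidential issue
# and a "created" link between the two.
def create_issue_from_finding(db, finding)
  finding[:vulnerability_id] ||= db[:vulnerabilities].insert({})[:id]
  issue = db[:issues].insert(confidential: true)
  db[:links].insert(vulnerability_id: finding[:vulnerability_id],
                    issue_id: issue[:id], link_type: "created")
  issue
end

# Snapshot every table's count, run the block, return rows added per table.
def count_deltas(db)
  before = db.transform_values(&:count)
  yield
  db.to_h { |key, table| [key, table.count - before[key]] }
end

# Runs one scenario; returns the deltas plus link and confidentiality checks.
def validate(finding)
  db = { vulnerabilities: Table.new([]), issues: Table.new([]),
         links: Table.new([]) }
  # Seed the existing vulnerability for the "with Vulnerability" scenario.
  db[:vulnerabilities].insert({}) if finding[:vulnerability_id]
  issue = nil
  deltas = count_deltas(db) { issue = create_issue_from_finding(db, finding) }
  link = db[:links].rows.last
  deltas.merge(link_ok: link[:issue_id] == issue[:id] &&
                        link[:vulnerability_id] == finding[:vulnerability_id],
               confidential: issue[:confidential])
end

p validate({ vulnerability_id: nil }) # finding without a vulnerability
p validate({ vulnerability_id: 1 })   # finding with an existing vulnerability
```

In a Rails console the same snapshot-and-diff pattern would wrap the real models' `count` and the real service call instead of the stand-ins.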