Sort vulnerabilities for pipeline dashboard

Consider enum values rather than string Added further test

Sort vulnerabilities for pipeline dashboard
a930de78 · Can Eldem · James Lopez · 51c5859c · a930de78 · a930de78
Commit a930de78 authored 5 years ago by Can Eldem Committed by James Lopez 5 years ago
--- a/changelogs/unreleased/sort-vulnerabilities-for-pipeline-dashboard.yml
+++ b/changelogs/unreleased/sort-vulnerabilities-for-pipeline-dashboard.yml
+---
+title: Pipeline vulnerability dashboard sort vulnerabilities by severity then confidence
+merge_request: 18863
+author:
+type: fixed
--- a/ee/app/finders/security/pipeline_vulnerabilities_finder.rb
+++ b/ee/app/finders/security/pipeline_vulnerabilities_finder.rb
@@ -41,7 +41,7 @@ def execute
        occurrences.concat(filtered_occurrences)
      end

-      occurrences.sort_by { |x| [x.severity, x.confidence] }
+      occurrences.sort_by { |x| [-x.severity_value, -x.confidence_value] }
    end

    private

--- a/ee/app/models/vulnerabilities/occurrence.rb
+++ b/ee/app/models/vulnerabilities/occurrence.rb
@@ -221,6 +221,14 @@ def hash
      report_type.hash ^ location.hash ^ first_fingerprint.hash
    end

+    def severity_value
+      self.class.severities[self.severity]
+    end
+
+    def confidence_value
+      self.class.confidences[self.confidence]
+    end
+
    protected

    def first_fingerprint

--- a/ee/spec/finders/security/pipeline_vulnerabilities_finder_spec.rb
+++ b/ee/spec/finders/security/pipeline_vulnerabilities_finder_spec.rb
@@ -54,15 +54,24 @@ def disable_deduplication

    context 'by order' do
      let(:params) { { report_type: %w[sast] } }
-      let!(:occurrence1) { build(:vulnerabilities_occurrence, confidence: Vulnerabilities::Occurrence::CONFIDENCE_LEVELS[:high],   severity: Vulnerabilities::Occurrence::SEVERITY_LEVELS[:high]) }
-      let!(:occurrence2) { build(:vulnerabilities_occurrence, confidence: Vulnerabilities::Occurrence::CONFIDENCE_LEVELS[:medium], severity: Vulnerabilities::Occurrence::SEVERITY_LEVELS[:critical]) }
-      let!(:occurrence3) { build(:vulnerabilities_occurrence, confidence: Vulnerabilities::Occurrence::CONFIDENCE_LEVELS[:high],   severity: Vulnerabilities::Occurrence::SEVERITY_LEVELS[:critical]) }
-      let!(:res) { [occurrence3, occurrence2, occurrence1] }
+      let!(:high_high) { build(:vulnerabilities_occurrence, confidence: :high, severity: :high) }
+      let!(:critical_medium) { build(:vulnerabilities_occurrence, confidence: :medium, severity: :critical) }
+      let!(:critical_high) { build(:vulnerabilities_occurrence, confidence: :high, severity: :critical) }
+      let!(:unknown_high) { build(:vulnerabilities_occurrence, confidence: :high, severity: :unknown) }
+      let!(:unknown_medium) { build(:vulnerabilities_occurrence, confidence: :medium, severity: :unknown) }
+      let!(:unknown_low) { build(:vulnerabilities_occurrence, confidence: :low, severity: :unknown) }

      it 'orders by severity and confidence' do
-        allow_any_instance_of(described_class).to receive(:filter).and_return(res)
-
-        expect(subject).to eq([occurrence3, occurrence2, occurrence1])
+        allow_any_instance_of(described_class).to receive(:filter).and_return([
+               unknown_low,
+               unknown_medium,
+               critical_high,
+               unknown_high,
+               critical_medium,
+               high_high
+        ])
+
+        expect(subject).to eq([critical_high, critical_medium, high_high, unknown_high, unknown_medium, unknown_low])
      end
    end


--- a/ee/spec/support/shared_examples/requests/api/vulnerabilities_shared_examples.rb
+++ b/ee/spec/support/shared_examples/requests/api/vulnerabilities_shared_examples.rb
@@ -127,7 +127,7 @@

        # occurrences are implicitly sorted by Security::MergeReportsService,
        # occurrences order differs from what is present in fixture file
-        expect(json_response.first['name']).to eq 'Consider possible security implications associated with Popen module.'
+        expect(json_response.first['name']).to eq 'ECB mode is insecure'
      end

      it 'returns vulnerabilities with dependency_scanning report_type' do