Add SAST inline findings
What does this MR do and why?
This MR solves: #384989 (closed)
It introduces the first Iteration of displaying Sast findings inline in the Merge Request diff.
Screenshots or screen recordings
| before | after |
|---|---|
| 2023-05-05_10-47-11 | 2023-05-03_16-04-28 |
How to set up and validate locally
Sast Findings
- Clone this project into your GDK
- Recreate this 1-liner MR jannik_lehmann/sast-inline-findings-example!1 (merged)
- See the SAST inline Findings in Action
Sast & Code Quality Findings
Recreating a Code Quality and a SAST Finding on the same line is not impossible but rather unusual so we have to mock this data a little
- Clone this Project into your GDK
- Recreate this MR
- apply the attached patch below to mock SAST findings
- hover over line 17
diff --git a/app/assets/javascripts/diffs/index.js b/app/assets/javascripts/diffs/index.js
index 3b84d9c6ac4d..89942105c4d0 100644
--- a/app/assets/javascripts/diffs/index.js
+++ b/app/assets/javascripts/diffs/index.js
@@ -38,7 +38,7 @@ export default function initDiffsApp(store = notesStore) {
endpointDiffForPath: dataset.endpointDiffForPath || '',
endpointCoverage: dataset.endpointCoverage || '',
endpointCodequality: dataset.endpointCodequality || '',
- endpointSast: dataset.endpointSast || '',
+ endpointSast: dataset.endpointSast || 'mockedEndpoint',
endpointUpdateUser: dataset.updateCurrentUserPath,
projectPath: dataset.projectPath,
helpPagePath: dataset.helpPagePath,
diff --git a/ee/app/assets/javascripts/diffs/store/actions.js b/ee/app/assets/javascripts/diffs/store/actions.js
index 3c91c1fc3482..8f0c61f529bb 100644
--- a/ee/app/assets/javascripts/diffs/store/actions.js
+++ b/ee/app/assets/javascripts/diffs/store/actions.js
@@ -100,50 +100,19 @@ export const setGenerateTestFilePath = ({ commit }, path) =>
commit(types.SET_GENERATE_TEST_FILE_PATH, path);
export const fetchSast = ({ commit, state, dispatch }) => {
- let retryCount = 0;
- sastPoll = new Poll({
- resource: {
- getSastDiffReports: (endpoint) => axios.get(endpoint),
- },
- data: state.endpointSast,
- method: 'getSastDiffReports',
- successCallback: ({ status, data }) => {
- retryCount = 0;
- if (status === HTTP_STATUS_OK) {
- commit(types.SET_SAST_DATA, data);
- dispatch('stopSastPolling');
- }
- },
- errorCallback: ({ response }) => {
- if (response.status === HTTP_STATUS_BAD_REQUEST) {
- // we could get a 400 status response temporarily during report processing
- // so we retry up to MAX_RETRIES times in case the reports are on their way
- // and stop polling if we get 400s consistently
- if (retryCount < MAX_RETRIES) {
- sastPoll.makeDelayedRequest(RETRY_DELAY);
- retryCount += 1;
- } else {
- sastPoll.stop();
- }
- } else {
- retryCount = 0;
- dispatch('stopSastPolling');
- createAlert({
- message: __('An unexpected error occurred while loading the Sast diff.'),
- });
- }
- },
- });
-
- if (!Visibility.hidden()) {
- sastPoll.makeRequest();
- }
-
- Visibility.change(() => {
- if (!Visibility.hidden()) {
- dispatch('restartSastPolling');
- } else {
- dispatch('stopSastPolling');
- }
+ commit(types.SET_SAST_DATA, {
+ added: [
+ {
+ severity: 'high',
+
+ description:
+ 'Markup escaping disabled. This can be used with some template engines to escape\ndisabling of HTML entities, which can lead to XSS attacks.\n',
+ location: {
+ file: 'noise.rb',
+ start_line: 7,
+ },
+ },
+ ],
+ fixed: [],
});
};
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
-
I have evaluated the MR acceptance checklist for this MR.
Edited by Jannik Lehmann