Add inline Drawer to inline findings popover
What does this MR do and why?
This MR refactors the inline-findings Drawer from the inline-findings components to the inline-findings dropdown components.
It removes the code_quality_inline_drawer flag and ties the behaviour to the sast_reports_in_inline_diff flag.
Rollout Issue to close once this MR is merged: #397037 (closed)
Screenshots or screen recordings
After
with sast_reports_in_inline_diff false |
|---|
| both_flags_false_after |
with sast_reports_in_inline_diff true |
|---|
| both_flags_true_after |
Before
with code_quality_inline_drawer false and sast_reports_in_inline_diff false |
|---|
| salst_false_drawer_false_before |
with code_quality_inline_drawer true and sast_reports_in_inline_diff true |
|---|
| sast_true_drawer_true_before |
with code_quality_inline_drawer true and sast_reports_in_inline_diff false |
|---|
| sast_false_drawer_true_before |
with code_quality_inline_drawer false and sast_reports_in_inline_diff true |
|---|
| sast_true_drawer_false_before |
How to set up and validate locally
- Clone this repo: https://gitlab.com/jannik_lehmann/sast-inline-findings-example
- Recreate this MR: jannik_lehmann/sast-inline-findings-example!1 (merged)
- Let the Pipeline finish and see the Security findings in action
- Clone this repo: https://gitlab.com/jannik_lehmann/code-quality-test
- Recreate this MR: jannik_lehmann/code-quality-test!4 (diffs)
- Let the pipeline finish and see that the CodeQuality Findings are still working.
- Enable this flag:
sast_reports_in_inline_diff - Apply the patch below
- Go to recreated MR, see CQ and (mocked)-Security finding on same line
diff --git a/app/assets/javascripts/diffs/index.js b/app/assets/javascripts/diffs/index.js
index b9cf26827f26..f487574edcf9 100644
--- a/app/assets/javascripts/diffs/index.js
+++ b/app/assets/javascripts/diffs/index.js
@@ -32,7 +32,8 @@ export default function initDiffsApp(store = notesStore) {
return {
endpointCoverage: dataset.endpointCoverage || '',
endpointCodequality: dataset.endpointCodequality || '',
- endpointSast: dataset.endpointSast || '',
+ // endpointSast: dataset.endpointSast || '',
+ endpointSast: 'mockedEndpoint',
helpPagePath: dataset.helpPagePath,
currentUser: JSON.parse(dataset.currentUserData) || {},
changesEmptyStateIllustration: dataset.changesEmptyStateIllustration,
diff --git a/ee/app/assets/javascripts/diffs/store/actions.js b/ee/app/assets/javascripts/diffs/store/actions.js
index 3c91c1fc3482..b70aac7b3976 100644
--- a/ee/app/assets/javascripts/diffs/store/actions.js
+++ b/ee/app/assets/javascripts/diffs/store/actions.js
@@ -100,6 +100,23 @@ export const setGenerateTestFilePath = ({ commit }, path) =>
commit(types.SET_GENERATE_TEST_FILE_PATH, path);
export const fetchSast = ({ commit, state, dispatch }) => {
+ commit(types.SET_SAST_DATA, {
+ added: [
+ {
+ severity: "medium",
+ description:
+ "Markup escaping disabled. This can be used with some template engines to escape\ndisabling of HTML entities, which can lead to XSS attacks.\n",
+ location: {
+ file: "noise.rb",
+ start_line: 7,
+ },
+ },
+ ],
+ fixed: [],
+ });
+
+ return;
+
let retryCount = 0;
sastPoll = new Poll({
resource: {
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
-
I have evaluated the MR acceptance checklist for this MR.
Edited by Jannik Lehmann