Add e2e test for vulnerability policies (#976)

The test includes: * Pulling policies from S3 (MinIO) * Reconciliation of policies with database * Application of policies for suppression and rating downgrade * Verification of notifications sent Closes #960 Signed-off-by: nscuro <[email protected]>
DependencyTrack · Dec 18, 2023 · 18e1931 · 18e1931
1 parent bbb4254
commit 18e1931
Show file tree

Hide file tree

Showing 11 changed files with 577 additions and 15 deletions.
diff --git a/e2e/pom.xml b/e2e/pom.xml
@@ -32,6 +32,32 @@
             <artifactId>awaitility</artifactId>
             <scope>test</scope>
         </dependency>
+        <dependency>
+            <groupId>org.testcontainers</groupId>
+            <artifactId>minio</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>io.minio</groupId>
+            <artifactId>minio</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <!--
+            minio needs a newer version of OkHttp than what's provided via the Quarkus parent POM.
+            Versions are hardcoded here to avoid them being overwritten by accident.
+        -->
+        <dependency>
+            <groupId>com.squareup.okhttp3</groupId>
+            <artifactId>okhttp</artifactId>
+            <version>4.11.0</version>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>com.squareup.okio</groupId>
+            <artifactId>okio</artifactId>
+            <version>3.6.0</version>
+            <scope>test</scope>
+        </dependency>
         <dependency>
             <groupId>org.testcontainers</groupId>
             <artifactId>postgresql</artifactId>

diff --git a/e2e/src/main/java/org/dependencytrack/apiserver/ApiServerClient.java b/e2e/src/main/java/org/dependencytrack/apiserver/ApiServerClient.java
@@ -10,6 +10,7 @@
 import jakarta.ws.rs.Produces;
 import jakarta.ws.rs.QueryParam;
 import jakarta.ws.rs.core.MediaType;
+import org.dependencytrack.apiserver.model.Analysis;
 import org.dependencytrack.apiserver.model.BomProcessingResponse;
 import org.dependencytrack.apiserver.model.BomUploadRequest;
 import org.dependencytrack.apiserver.model.BomUploadResponse;
@@ -22,6 +23,7 @@
 import org.dependencytrack.apiserver.model.Project;
 import org.dependencytrack.apiserver.model.Team;
 import org.dependencytrack.apiserver.model.UpdateNotificationRuleRequest;
+import org.dependencytrack.apiserver.model.VulnerabilityPolicy;
 import org.eclipse.microprofile.rest.client.annotation.RegisterClientHeaders;
 import org.dependencytrack.apiserver.model.NotificationPublisher;
 
@@ -83,7 +85,7 @@ Team addPermissionToTeam(@PathParam("uuid") final UUID teamUuid,
     @Path("/finding/project/{uuid}")
     @Produces(MediaType.WILDCARD)
     @Consumes(MediaType.APPLICATION_JSON)
-    List<Finding> getFindings(@PathParam("uuid") final UUID projectUuid);
+    List<Finding> getFindings(@PathParam("uuid") final UUID projectUuid, @QueryParam("suppressed") final boolean includeSuppressed);
 
     @GET
     @Path("/project/lookup")
@@ -115,4 +117,17 @@ Team addPermissionToTeam(@PathParam("uuid") final UUID teamUuid,
     @Consumes(MediaType.APPLICATION_JSON)
     ConfigProperty updateConfigProperty(final ConfigProperty configProperty);
 
+    @GET
+    @Path("/policy/vulnerability")
+    @Produces(MediaType.WILDCARD)
+    @Consumes(MediaType.APPLICATION_JSON)
+    List<VulnerabilityPolicy> getAllVulnerabilityPolicies();
+
+    @GET
+    @Path("/analysis")
+    @Produces(MediaType.WILDCARD)
+    @Consumes(MediaType.APPLICATION_JSON)
+    Analysis getAnalysis(@QueryParam("project") final UUID projectUuid, @QueryParam("component") final UUID componentUuid,
+                         @QueryParam("vulnerability") final UUID vulnUuid);
+
 }
diff --git a/e2e/src/main/java/org/dependencytrack/apiserver/model/Analysis.java b/e2e/src/main/java/org/dependencytrack/apiserver/model/Analysis.java
@@ -0,0 +1,15 @@
+package org.dependencytrack.apiserver.model;
+
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+import java.util.List;
+
+@JsonIgnoreProperties(ignoreUnknown = true)
+public record Analysis(@JsonProperty("analysisComments") List<Comment> comments) {
+
+    @JsonIgnoreProperties(ignoreUnknown = true)
+    public record Comment(String comment, String commenter) {
+    }
+
+}
diff --git a/e2e/src/main/java/org/dependencytrack/apiserver/model/Finding.java b/e2e/src/main/java/org/dependencytrack/apiserver/model/Finding.java
@@ -5,16 +5,13 @@
 import java.util.UUID;
 
 @JsonIgnoreProperties(ignoreUnknown = true)
-public record Finding(Component component, Project project, Vulnerability vulnerability, Attribution attribution) {
+public record Finding(Component component, UUID project, Vulnerability vulnerability, Attribution attribution,
+                      Analysis analysis) {
 
     @JsonIgnoreProperties(ignoreUnknown = true)
     public record Component(UUID uuid, String name, String version) {
     }
 
-    @JsonIgnoreProperties(ignoreUnknown = true)
-    public record Project(UUID uuid, String name, String version) {
-    }
-
     @JsonIgnoreProperties(ignoreUnknown = true)
     public record Vulnerability(UUID uuid, String vulnId, String source) {
     }
@@ -24,4 +21,8 @@ public record Attribution(String analyzerIdentity, String attributedOn, String a
                               String referenceUrl) {
     }
 
+    @JsonIgnoreProperties(ignoreUnknown = true)
+    public record Analysis(String state, Boolean isSuppressed) {
+    }
+
 }
diff --git a/e2e/src/main/java/org/dependencytrack/apiserver/model/VulnerabilityPolicy.java b/e2e/src/main/java/org/dependencytrack/apiserver/model/VulnerabilityPolicy.java
@@ -0,0 +1,7 @@
+package org.dependencytrack.apiserver.model;
+
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+
+@JsonIgnoreProperties(ignoreUnknown = true)
+public record VulnerabilityPolicy(String name) {
+}
diff --git a/e2e/src/test/java/org/dependencytrack/e2e/AbstractE2ET.java b/e2e/src/test/java/org/dependencytrack/e2e/AbstractE2ET.java
@@ -33,8 +33,8 @@ public class AbstractE2ET {
     protected static String REPO_META_ANALYZER_IMAGE = "ghcr.io/dependencytrack/hyades-repository-meta-analyzer:snapshot";
     protected static String VULN_ANALYZER_IMAGE = "ghcr.io/dependencytrack/hyades-vulnerability-analyzer:snapshot";
 
-    protected Logger logger;
-    private Network internalNetwork;
+    protected final Logger logger = LoggerFactory.getLogger(getClass());
+    protected final Network internalNetwork = Network.newNetwork();
     protected PostgreSQLContainer<?> postgresContainer;
     protected GenericContainer<?> redpandaContainer;
     protected GenericContainer<?> apiServerContainer;
@@ -45,10 +45,6 @@ public class AbstractE2ET {
 
     @BeforeEach
     void beforeEach() throws Exception {
-        logger = LoggerFactory.getLogger(getClass());
-
-        internalNetwork = Network.newNetwork();
-
         postgresContainer = createPostgresContainer();
         redpandaContainer = createRedpandaContainer();
         deepStart(postgresContainer, redpandaContainer).join();
@@ -202,6 +198,7 @@ private ApiServerClient initializeApiServerClient() {
         logger.info("Assigning permissions to e2e team");
         for (final String permission : Set.of(
                 "BOM_UPLOAD",
+                "POLICY_MANAGEMENT",
                 "PORTFOLIO_MANAGEMENT",
                 "PROJECT_CREATION_UPLOAD",
                 "SYSTEM_CONFIGURATION",

diff --git a/e2e/src/test/java/org/dependencytrack/e2e/BomUploadOssIndexAnalysisE2ET.java b/e2e/src/test/java/org/dependencytrack/e2e/BomUploadOssIndexAnalysisE2ET.java
@@ -58,7 +58,7 @@ void test() throws Exception {
         final Project project = apiServerClient.lookupProject("foo", "bar");
 
         // Ensure that vulnerabilities have been reported correctly.
-        final List<Finding> findings = apiServerClient.getFindings(project.uuid());
+        final List<Finding> findings = apiServerClient.getFindings(project.uuid(), false);
         assertThat(findings)
                 .hasSizeGreaterThan(1)
                 .allSatisfy(

diff --git a/e2e/src/test/java/org/dependencytrack/e2e/BomUploadProcessingE2ET.java b/e2e/src/test/java/org/dependencytrack/e2e/BomUploadProcessingE2ET.java
@@ -161,7 +161,7 @@ void test() throws Exception {
         final Project project = apiServerClient.lookupProject("foo", "bar");
 
         // Ensure the internal vulnerability has been flagged.
-        final List<Finding> findings = apiServerClient.getFindings(project.uuid());
+        final List<Finding> findings = apiServerClient.getFindings(project.uuid(), false);
         assertThat(findings).satisfiesExactly(
                 finding -> {
                     assertThat(finding.component().name()).isEqualTo("jackson-databind");

diff --git a/e2e/src/test/java/org/dependencytrack/e2e/BomUploadSnykAnalysisE2ET.java b/e2e/src/test/java/org/dependencytrack/e2e/BomUploadSnykAnalysisE2ET.java
@@ -71,7 +71,7 @@ void test() throws Exception {
         final Project project = apiServerClient.lookupProject("foo", "bar");
 
         // Ensure that vulnerabilities have been reported correctly.
-        final List<Finding> findings = apiServerClient.getFindings(project.uuid());
+        final List<Finding> findings = apiServerClient.getFindings(project.uuid(), false);
         assertThat(findings)
                 .hasSizeGreaterThan(1)
                 .allSatisfy(