Add UI tests for Edit business risk, Edit status, and Filter by OS version (#20743)

jeremylenz · claude · web-flow · commit 0bea5a03727b · 2026-02-11T17:02:10.000-05:00
* feat: Add UI tests for CVE business risk and status editing Add end-to-end tests for editing CVE business risk and status fields in the Insights Vulnerability UI. Tests added: - test_bulk_edit_business_risk_and_status - Bulk editing for multiple CVEs - test_edit_from_cve_details_page - Editing from CVE details page - test_filter_by_os_version - Filtering vulnerabilities by OS version Each test: - Provisions RHEL 10 host with IoP configured - Downgrades glibc to create CVE-2025-8058 - Verifies edit functionality via Airgun entity methods - Confirms changes persist in the vulnerabilities table Depends on: SatelliteQE/airgun#2303 Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> * refactor: Use vulnerable_rhel_host fixture and centralize constants Addresses code review feedback by: - Creating vulnerable_rhel_host fixture (matches pattern from PR #20733) - Centralizing CVE_ID as module-level constant - Removing duplicate client setup code from each test - Updating all test signatures to use the fixture Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> * refactor: Address PR review comments for vulnerability edit tests - Move CVE and RPM constants to robottelo/constants/__init__.py for reusability - Change rhel_ver_list([10]) to rhel_ver_match('10') for exact version matching - Remove CaseImportance metadata (not used for test selection) - Convert double quotes to single quotes for consistency with project style Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> * refactor: Replace glibc with mariadb for vulnerability testing glibc downgrade is not supported on RHEL10. Switch to mariadb package which creates 3 deterministic CVEs (CVE-2023-52969, CVE-2023-52970, CVE-2023-52971). This addresses PR review feedback to make bulk edit tests deterministic rather than relying on finding random CVEs. Also adds insights-client call to ensure vulnerabilities are reported to Satellite. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> * refactor: Simplify to use single dnf install command dnf install with full NEVRA handles install/upgrade/downgrade automatically, so no need for separate install + downgrade commands. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> * fix: Add CaseImportance High marker to vulnerability tests This marker is required at the module level for CI checks to pass. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> * fix: Restore assert any pattern for vulnerability checks During the rebase, the assertion pattern was incorrectly changed from using `assert any()` to direct index access with `[0]`. This reverts to the more robust `assert any()` pattern while keeping the constant reference. The `assert any()` pattern is preferred because: - It's more resilient when the CVE isn't the first in the list - It handles empty lists gracefully - It better expresses the intent to find the CVE anywhere in the list Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
diff --git a/robottelo/constants/__init__.py b/robottelo/constants/__init__.py
@@ -976,6 +976,11 @@
 REAL_RHEL8_ERRATA_CVES = ['CVE-2021-27023', 'CVE-2021-27025']
 REAL_RHSCLIENT_ERRATA = 'RHSA-2023:5982'  # for RH Satellite Client 8
 REAL_RHEL9_ERRATA_ID = 'RHBA-2022:7243'
+# Vulnerability testing constants for RHEL 10
+RHEL10_VULNERABLE_MARIADB_RPM = 'mariadb-3:10.11.11-1.el10.x86_64'
+RHEL10_VULNERABLE_MARIADB_CVES = ['CVE-2023-52969', 'CVE-2023-52970', 'CVE-2023-52971']
+# Use the first CVE as the primary one for single-CVE tests
+RHEL10_VULNERABILITY_CVE_ID = RHEL10_VULNERABLE_MARIADB_CVES[0]
 FAKE_1_YUM_REPOS_COUNT = 32
 FAKE_3_YUM_REPOS_COUNT = 78
 FAKE_9_YUM_SECURITY_ERRATUM = [
diff --git a/tests/foreman/ui/test_rhcloud_insights_vulnerability.py b/tests/foreman/ui/test_rhcloud_insights_vulnerability.py
@@ -17,6 +17,25 @@
 from robottelo import constants
 
 
+@pytest.fixture
+def vulnerable_rhel_host(rhel_insights_vm):
+    """Fixture to prepare a RHEL host with a vulnerable package"""
+    client = rhel_insights_vm
+    # Remove any static repos and update to the latest packages available from the Satellite
+    assert (
+        client.execute(
+            'find /etc/yum.repos.d/ -type f | grep -vF redhat.repo | xargs -I \'{}\' rm \'{}\''
+        ).status
+        == 0
+    )
+    assert client.execute('dnf -y update').status == 0
+    # Install vulnerable mariadb version (dnf install with NEVRA handles install/downgrade)
+    assert client.execute(f'dnf install -y {constants.RHEL10_VULNERABLE_MARIADB_RPM}').status == 0
+    # Run insights-client to report the vulnerabilities to Satellite
+    assert client.execute('insights-client').status == 0
+    return client
+
+
 @pytest.fixture(scope='module')
 def setup_content_for_iop(module_target_sat_insights, rhcloud_manifest_org):
     """Fixture to sync RHEL content repos"""
@@ -51,7 +70,7 @@ def setup_content_for_iop(module_target_sat_insights, rhcloud_manifest_org):
 
 @pytest.mark.e2e
 @pytest.mark.no_containers
-@pytest.mark.rhel_ver_list([10])
+@pytest.mark.rhel_ver_match('10')
 @pytest.mark.parametrize('module_target_sat_insights', [False], ids=['local'], indirect=True)
 def test_rhcloud_insights_vulnerabilities_e2e(
     rhel_insights_vm,
@@ -78,24 +97,23 @@ def test_rhcloud_insights_vulnerabilities_e2e(
 
     :verifies: SAT-30762
     """
-    CVE_ID = 'CVE-2025-8058'
-    GLIBC_RPM = 'glibc-2.39-43.el10_0.x86_64'
-
     satellite = module_target_sat_insights
     client = rhel_insights_vm
     hostname = client.hostname
 
     # Remove any static repos and update to the latest packages available from the Satellite
     assert (
         client.execute(
-            "find /etc/yum.repos.d/ -type f | grep -vF redhat.repo | xargs -I '{}' rm '{}'"
+            'find /etc/yum.repos.d/ -type f | grep -vF redhat.repo | xargs -I \'{}\' rm \'{}\''
         ).status
         == 0
     )
     assert client.execute('dnf -y update').status == 0
 
-    # Downgrade to vulnerable glibc version
-    assert client.execute(f'dnf downgrade -y {GLIBC_RPM}').status == 0
+    # Install vulnerable mariadb version (dnf install with NEVRA handles install/downgrade)
+    assert client.execute(f'dnf install -y {constants.RHEL10_VULNERABLE_MARIADB_RPM}').status == 0
+    # Run insights-client to report the vulnerabilities to Satellite
+    assert client.execute('insights-client').status == 0
 
     with satellite.ui_session() as session:
         session.organization.select(org_name=rhcloud_manifest_org.name)
@@ -104,14 +122,258 @@ def test_rhcloud_insights_vulnerabilities_e2e(
         assert status['Red Hat Lightspeed']['Status'] == 'Reporting'
 
         vulnerabilities = session.host_new.get_vulnerabilities(hostname)
-        assert any(vuln.get('CVE ID') == CVE_ID for vuln in vulnerabilities)
+        assert any(
+            vuln.get('CVE ID') == constants.RHEL10_VULNERABILITY_CVE_ID for vuln in vulnerabilities
+        )
 
         # Validate the affected Host from the Vulnerability details and list pages
-        affected_host = session.cloudvulnerability.get_affected_hosts_by_cve(CVE_ID)
+        affected_host = session.cloudvulnerability.get_affected_hosts_by_cve(
+            constants.RHEL10_VULNERABILITY_CVE_ID
+        )
         assert affected_host[0]['Name'] == hostname
 
         # Validate the Host's Vulnerabilities tab
         vulnerabilities = session.cloudvulnerability.validate_cve_to_host_details_flow(
-            CVE_ID, hostname
+            constants.RHEL10_VULNERABILITY_CVE_ID, hostname
+        )
+        assert any(
+            vuln.get('CVE ID') == constants.RHEL10_VULNERABILITY_CVE_ID for vuln in vulnerabilities
+        )
+
+
+@pytest.mark.e2e
+@pytest.mark.no_containers
+@pytest.mark.rhel_ver_match('10')
+@pytest.mark.parametrize('module_target_sat_insights', [False], ids=['local'], indirect=True)
+def test_edit_business_risk_and_status_individual(
+    vulnerable_rhel_host,
+    rhcloud_manifest_org,
+    module_target_sat_insights,
+    setup_content_for_iop,
+):
+    """Test editing business risk and status for individual CVEs from the table
+
+    :id: a1b2c3d4-5e6f-7a8b-9c0d-1e2f3a4b5c6d
+
+    :steps:
+        1. Create a CVE by downgrading a vulnerable package
+        2. Navigate to Vulnerabilities page
+        3. Edit business risk for the CVE via row kebab menu
+        4. Verify business risk updated in table
+        5. Edit status for the CVE via row kebab menu
+        6. Verify status updated in table
+
+    :expectedresults:
+        1. Business risk can be edited and persists in the table
+        2. Status can be edited and persists in the table
+    """
+    satellite = module_target_sat_insights
+
+    with satellite.ui_session() as session:
+        session.organization.select(org_name=rhcloud_manifest_org.name)
+
+        # Edit business risk via row kebab menu
+        session.cloudvulnerability.edit_business_risk(
+            constants.RHEL10_VULNERABILITY_CVE_ID, 'High', 'Test justification'
+        )
+
+        # Verify business risk in table
+        vulns = session.cloudvulnerability.read()
+        cve_row = [row for row in vulns if row['CVE ID'] == constants.RHEL10_VULNERABILITY_CVE_ID]
+        assert len(cve_row) == 1, (
+            f'Expected 1 CVE with ID {constants.RHEL10_VULNERABILITY_CVE_ID}, found {len(cve_row)}'
+        )
+        cve_row = cve_row[0]
+        assert cve_row['Business risk'] == 'High'
+
+        # Edit status
+        session.cloudvulnerability.edit_status(
+            constants.RHEL10_VULNERABILITY_CVE_ID, 'In review', 'Testing status edit'
+        )
+
+        # Verify status in table
+        vulns = session.cloudvulnerability.read()
+        cve_row = [row for row in vulns if row['CVE ID'] == constants.RHEL10_VULNERABILITY_CVE_ID]
+        assert len(cve_row) == 1, (
+            f'Expected 1 CVE with ID {constants.RHEL10_VULNERABILITY_CVE_ID}, found {len(cve_row)}'
+        )
+        cve_row = cve_row[0]
+        assert cve_row['Status'] == 'In review'
+
+
+@pytest.mark.e2e
+@pytest.mark.no_containers
+@pytest.mark.rhel_ver_match('10')
+@pytest.mark.parametrize('module_target_sat_insights', [False], ids=['local'], indirect=True)
+def test_bulk_edit_business_risk_and_status(
+    vulnerable_rhel_host,
+    rhcloud_manifest_org,
+    module_target_sat_insights,
+    setup_content_for_iop,
+):
+    """Test bulk editing business risk and status for multiple CVEs
+
+    :id: 898904b5-fb95-43f9-8c33-cd107f00c206
+
+    :steps:
+        1. Create multiple CVEs by downgrading vulnerable mariadb package
+        2. Navigate to Vulnerabilities page
+        3. Select multiple CVEs (2 of the 3 CVEs created by mariadb)
+        4. Use bulk actions menu to edit business risk
+        5. Verify business risk updated for all selected CVEs
+        6. Use bulk actions menu to edit status
+        7. Verify status updated for all selected CVEs
+
+    :expectedresults:
+        1. Multiple CVEs can be selected via checkboxes
+        2. Bulk business risk edit applies to all selected CVEs
+        3. Bulk status edit applies to all selected CVEs
+    """
+    satellite = module_target_sat_insights
+
+    with satellite.ui_session() as session:
+        session.organization.select(org_name=rhcloud_manifest_org.name)
+
+        # Use the first 2 CVEs from the mariadb package for deterministic bulk edit testing
+        cve_ids = constants.RHEL10_VULNERABLE_MARIADB_CVES[:2]
+
+        # Bulk edit business risk
+        session.cloudvulnerability.bulk_edit_business_risk(cve_ids, 'Critical', 'Bulk test')
+
+        # Verify business risk updated for all selected CVEs
+        vulns_after = session.cloudvulnerability.read()
+        for cve_id in cve_ids:
+            cve_row = [row for row in vulns_after if row['CVE ID'] == cve_id]
+            assert len(cve_row) == 1, f'Expected 1 CVE with ID {cve_id}, found {len(cve_row)}'
+            assert cve_row[0]['Business risk'] == 'Critical', (
+                f'Business risk not updated for {cve_id}'
+            )
+
+        # Bulk edit status
+        session.cloudvulnerability.bulk_edit_status(cve_ids, 'Resolved', 'Testing bulk status')
+
+        # Verify status updated for all selected CVEs
+        vulns_after = session.cloudvulnerability.read()
+        for cve_id in cve_ids:
+            cve_row = [row for row in vulns_after if row['CVE ID'] == cve_id]
+            assert len(cve_row) == 1, f'Expected 1 CVE with ID {cve_id}, found {len(cve_row)}'
+            assert cve_row[0]['Status'] == 'Resolved', f'Status not updated for {cve_id}'
+
+
+@pytest.mark.e2e
+@pytest.mark.no_containers
+@pytest.mark.rhel_ver_match('10')
+@pytest.mark.parametrize('module_target_sat_insights', [False], ids=['local'], indirect=True)
+def test_edit_from_cve_details_page(
+    vulnerable_rhel_host,
+    rhcloud_manifest_org,
+    module_target_sat_insights,
+    setup_content_for_iop,
+):
+    """Test editing business risk and status from the CVE details page
+
+    :id: 71e2f929-6536-439d-a734-10fc8a73967b
+
+    :steps:
+        1. Create a CVE by downgrading a vulnerable package
+        2. Navigate to CVE details page
+        3. Edit business risk via Actions dropdown
+        4. Verify business risk updated in main vulnerabilities table
+        5. Navigate to CVE details page again
+        6. Edit status via Actions dropdown
+        7. Verify status updated in main vulnerabilities table
+
+    :expectedresults:
+        1. Business risk can be edited from CVE details page Actions dropdown
+        2. Status can be edited from CVE details page Actions dropdown
+        3. Changes persist and are visible in main vulnerabilities table
+    """
+    satellite = module_target_sat_insights
+
+    with satellite.ui_session() as session:
+        session.organization.select(org_name=rhcloud_manifest_org.name)
+
+        # Edit business risk from CVE details page
+        session.cloudvulnerability.edit_business_risk_from_details(
+            constants.RHEL10_VULNERABILITY_CVE_ID, 'Low', 'Low priority via details page'
+        )
+
+        # Verify business risk in main table
+        vulns = session.cloudvulnerability.read()
+        cve_row = [row for row in vulns if row['CVE ID'] == constants.RHEL10_VULNERABILITY_CVE_ID]
+        assert len(cve_row) == 1, (
+            f'Expected 1 CVE with ID {constants.RHEL10_VULNERABILITY_CVE_ID}, found {len(cve_row)}'
+        )
+        assert cve_row[0]['Business risk'] == 'Low'
+
+        # Edit status from CVE details page
+        session.cloudvulnerability.edit_status_from_details(
+            constants.RHEL10_VULNERABILITY_CVE_ID,
+            'No action - risk accepted',
+            'Risk accepted via details page',
+        )
+
+        # Verify status in main table
+        vulns = session.cloudvulnerability.read()
+        cve_row = [row for row in vulns if row['CVE ID'] == constants.RHEL10_VULNERABILITY_CVE_ID]
+        assert len(cve_row) == 1, (
+            f'Expected 1 CVE with ID {constants.RHEL10_VULNERABILITY_CVE_ID}, found {len(cve_row)}'
+        )
+        assert cve_row[0]['Status'] == 'No action - risk accepted'
+
+
+@pytest.mark.e2e
+@pytest.mark.no_containers
+@pytest.mark.rhel_ver_match('10')
+@pytest.mark.parametrize('module_target_sat_insights', [False], ids=['local'], indirect=True)
+def test_filter_by_os_version(
+    vulnerable_rhel_host,
+    rhcloud_manifest_org,
+    module_target_sat_insights,
+    setup_content_for_iop,
+):
+    """Test filtering vulnerabilities by OS version
+
+    :id: 2790b179-2d98-4a7a-af59-f020bebd4413
+
+    :steps:
+        1. Create a CVE by downgrading a vulnerable package
+        2. Navigate to Vulnerabilities page
+        3. Apply OS filter for RHEL 10
+        4. Verify filtered results are displayed
+        5. Verify CVE appears in filtered results
+
+    :expectedresults:
+        1. OS filter can be applied successfully
+        2. Table displays only CVEs that apply to the selected OS version
+        3. The created CVE appears in the filtered results
+    """
+    satellite = module_target_sat_insights
+
+    with satellite.ui_session() as session:
+        session.organization.select(org_name=rhcloud_manifest_org.name)
+
+        # Read vulnerabilities before filtering
+        vulns_before = session.cloudvulnerability.read()
+        assert vulns_before, 'No vulnerabilities found before filtering'
+
+        # Apply OS filter for RHEL 10
+        session.cloudvulnerability.filter_by_os(['RHEL 10'])
+
+        # Read vulnerabilities after filtering
+        vulns_after = session.cloudvulnerability.read()
+        assert vulns_after, 'No results after filtering - filter may have failed'
+
+        # Verify we got filtered results (should be same or fewer than before)
+        assert len(vulns_after) <= len(vulns_before), (
+            f'Filter should reduce or maintain results: '
+            f'before={len(vulns_before)}, after={len(vulns_after)}'
+        )
+
+        # Verify our CVE appears in the filtered results
+        cve_found = any(
+            row['CVE ID'] == constants.RHEL10_VULNERABILITY_CVE_ID for row in vulns_after
+        )
+        assert cve_found, (
+            f'CVE {constants.RHEL10_VULNERABILITY_CVE_ID} should appear in RHEL 10 filtered results'
         )
-        assert any(vuln.get('CVE ID') == CVE_ID for vuln in vulnerabilities)
