Commit 0619c402 authored by Mehmet Emin INAC's avatar Mehmet Emin INAC Committed by Markus Koller

Do not store invalid security findings

UUID will be a required attribute for the `Security::Finding` model so
creating records without it shouldn't happen.
parent a61bd329
...@@ -23,7 +23,6 @@ module Security ...@@ -23,7 +23,6 @@ module Security
private private
delegate :findings, to: :report, prefix: true
delegate :project, to: :security_scan delegate :project, to: :security_scan
def already_stored? def already_stored?
...@@ -34,9 +33,11 @@ module Security ...@@ -34,9 +33,11 @@ module Security
report_findings.each_with_index { |report_finding, position| store_finding!(report_finding, position) } report_findings.each_with_index { |report_finding, position| store_finding!(report_finding, position) }
end end
def store_finding!(report_finding, position) def report_findings
return if report_finding.scanner.blank? report.findings.select(&:valid?)
end
def store_finding!(report_finding, position)
security_scan.findings.create!(finding_data(report_finding, position)) security_scan.findings.create!(finding_data(report_finding, position))
end end
......
---
title: Do not store invalid security_findings into the database
merge_request: 50868
author:
type: fixed
...@@ -93,7 +93,7 @@ module Gitlab ...@@ -93,7 +93,7 @@ module Gitlab
end end
def valid? def valid?
scanner.present? && primary_identifier.present? && location.present? scanner.present? && primary_identifier.present? && location.present? && uuid.present?
end end
def keys def keys
......
...@@ -287,12 +287,14 @@ RSpec.describe Gitlab::Ci::Reports::Security::Finding do ...@@ -287,12 +287,14 @@ RSpec.describe Gitlab::Ci::Reports::Security::Finding do
let(:scanner) { build(:ci_reports_security_scanner) } let(:scanner) { build(:ci_reports_security_scanner) }
let(:identifiers) { [build(:ci_reports_security_identifier)] } let(:identifiers) { [build(:ci_reports_security_identifier)] }
let(:location) { build(:ci_reports_security_locations_sast) } let(:location) { build(:ci_reports_security_locations_sast) }
let(:uuid) { SecureRandom.uuid }
let(:finding) do let(:finding) do
build(:ci_reports_security_finding, build(:ci_reports_security_finding,
scanner: scanner, scanner: scanner,
identifiers: identifiers, identifiers: identifiers,
location: location, location: location,
uuid: uuid,
compare_key: '') compare_key: '')
end end
...@@ -316,6 +318,12 @@ RSpec.describe Gitlab::Ci::Reports::Security::Finding do ...@@ -316,6 +318,12 @@ RSpec.describe Gitlab::Ci::Reports::Security::Finding do
it { is_expected.to be_falsey } it { is_expected.to be_falsey }
end end
context 'when the uuid is missing' do
let(:uuid) { nil }
it { is_expected.to be_falsey }
end
context 'when all required attributes present' do context 'when all required attributes present' do
it { is_expected.to be_truthy } it { is_expected.to be_truthy }
end end
......
...@@ -7,11 +7,12 @@ RSpec.describe Security::StoreFindingsMetadataService do ...@@ -7,11 +7,12 @@ RSpec.describe Security::StoreFindingsMetadataService do
let_it_be(:project) { security_scan.project } let_it_be(:project) { security_scan.project }
let_it_be(:security_finding_1) { build(:ci_reports_security_finding) } let_it_be(:security_finding_1) { build(:ci_reports_security_finding) }
let_it_be(:security_finding_2) { build(:ci_reports_security_finding) } let_it_be(:security_finding_2) { build(:ci_reports_security_finding) }
let_it_be(:security_finding_3) { build(:ci_reports_security_finding, uuid: nil) }
let_it_be(:security_scanner) { build(:ci_reports_security_scanner) } let_it_be(:security_scanner) { build(:ci_reports_security_scanner) }
let_it_be(:report) do let_it_be(:report) do
build( build(
:ci_reports_security_report, :ci_reports_security_report,
findings: [security_finding_1, security_finding_2], findings: [security_finding_1, security_finding_2, security_finding_3],
scanners: [security_scanner] scanners: [security_scanner]
) )
end end
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment