Commit 08a6b921 authored by can eldem's avatar can eldem

Store new location fingerprint for CS vulnerabilities

Store new location for CS vulnerabilities
Update existing CS vulnerability locations
parent 603bce88
......@@ -69,10 +69,14 @@ module Security
}
begin
project
.vulnerability_findings
.create_with(create_params)
.find_or_create_by!(find_params)
if finding.location.respond_to?(:new_fingerprint)
create_or_update_vulnerability_finding(finding, create_params, find_params)
else
project
.vulnerability_findings
.create_with(create_params)
.find_or_create_by!(find_params)
end
rescue ActiveRecord::RecordNotUnique
project.vulnerability_findings.find_by!(find_params)
rescue ActiveRecord::RecordInvalid => e
......@@ -80,6 +84,25 @@ module Security
end
end
# temporary, once existing data has updated it will be removed
# https://gitlab.com/gitlab-org/gitlab/-/issues/229594
def create_or_update_vulnerability_finding(finding, create_params, find_params)
existing_findings = project.vulnerability_findings
new_fingerprint = finding.location.new_fingerprint
new_find_params = find_params.merge(location_fingerprint: new_fingerprint)
finding = existing_findings.where(find_params)
.or(existing_findings.where(new_find_params)).first
if !finding.blank? && finding.location_fingerprint != new_fingerprint
finding.update_column(:location_fingerprint, new_fingerprint)
elsif finding.nil?
finding = existing_findings.create!(create_params.merge(new_find_params))
end
finding
end
def update_vulnerability_scanner(finding)
scanner = scanners_objects[finding.scanner.key]
scanner.update!(finding.scanner.to_hash)
......
---
title: Store/Update new location fingerprint for container scanning vulnerabilities
merge_request: 39696
author:
type: other
......@@ -55,6 +55,33 @@ RSpec.describe Security::StoreReportService, '#execute' do
end
end
context 'with container scanning vulnerabilities' do
let(:artifact) { create(:ee_ci_job_artifact, :container_scanning) }
let(:project) { artifact.project }
let(:pipeline) { artifact.job.pipeline }
let(:report) { pipeline.security_reports.get_report('container_scanning', artifact) }
it 'saves with new location' do
new_locations = report.findings.map(&:location).map(&:new_fingerprint)
expect(subject).to eq({ status: :success })
saved_locations = Vulnerabilities::Finding.all.map(&:location_fingerprint)
expect(new_locations).to match_array(saved_locations)
end
it 'updates existing location' do
allow_any_instance_of(described_class).to receive(:executed?).and_return(false)
expect(subject).to eq({ status: :success })
old_fingerprint = report.findings.first.location.fingerprint
new_fingerprint = report.findings.first.location.new_fingerprint
Vulnerabilities::Finding.first.update_column(:location_fingerprint, old_fingerprint)
described_class.new(pipeline, report).execute
expect(Vulnerabilities::Finding.first.location_fingerprint).to eq(new_fingerprint)
end
end
context 'invalid data' do
let(:artifact) { create(:ee_ci_job_artifact, :sast) }
let(:finding_without_name) { build(:ci_reports_security_finding, name: nil) }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment