Fix: include subgroups in security status

We weren't including projects from subgroups in the security status widget on the group security dashboard. This commit fixes that. https://gitlab.com/gitlab-org/gitlab/issues/119021

Fix: include subgroups in security status
We weren't including projects from subgroups in the security status widget on the group security dashboard. This commit fixes that. https://gitlab.com/gitlab-org/gitlab/issues/119021
2126266c · Avielle Wolfe · Mayra Cabrera · 4ed9af44 · 2126266c · 2126266c
Commit 2126266c authored Jan 29, 2020 by Avielle Wolfe Committed by Mayra Cabrera Jan 29, 2020
3 changed files
--- a/ee/app/models/ee/group.rb
+++ b/ee/app/models/ee/group.rb
@@ -151,7 +151,12 @@ module EE
    end

    def vulnerable_projects
-      projects.where("EXISTS(?)", ::Vulnerabilities::Occurrence.select(1).undismissed.where('vulnerability_occurrences.project_id = projects.id'))
+      vulnerabilities = ::Vulnerabilities::Occurrence
+        .select(1)
+        .undismissed
+        .where('vulnerability_occurrences.project_id = projects.id')
+
+      ::Project.for_group_and_its_subgroups(self).where("EXISTS(?)", vulnerabilities)
    end

    def human_ldap_access

--- a/ee/changelogs/unreleased/119021-fix-project-security-status-missing-subgroups.yml
+++ b/ee/changelogs/unreleased/119021-fix-project-security-status-missing-subgroups.yml
+---
+title: 'Fix include subgroups in security status'
+merge_request: 22653
+author:
+type: fixed
--- a/ee/spec/models/group_spec.rb
+++ b/ee/spec/models/group_spec.rb
@@ -273,6 +273,17 @@ describe Group do
      expect(vulnerable_projects.first).to eq(vulnerable_project)
    end

+    it 'includes projects in subgroups' do
+      subgroup = create(:group, parent: group)
+      project = create(:project, namespace: subgroup)
+      create(:vulnerabilities_occurrence, project: project)
+
+      vulnerable_projects = group.vulnerable_projects
+
+      expect(vulnerable_projects.count).to be(1)
+      expect(vulnerable_projects.first).to eq(project)
+    end
+
    it 'does not include projects that only have dismissed vulnerabilities' do
      project = create(:project, namespace: group)
      vulnerability = create(:vulnerabilities_occurrence, report_type: :dast, project: project)