Commit 32bf56fc authored by Mehmet Emin INAC's avatar Mehmet Emin INAC Committed by Igor Drozdov

Calculate location fingerprint by signature for findings if available

Changelog: fixed
EE: true
parent 9d52d643
...@@ -50,7 +50,7 @@ module Security ...@@ -50,7 +50,7 @@ module Security
project_fingerprint: project_fingerprint, project_fingerprint: project_fingerprint,
primary_identifier_id: identifier_ids.first, primary_identifier_id: identifier_ids.first,
location: report_finding.location_data, location: report_finding.location_data,
location_fingerprint: report_finding.location.fingerprint location_fingerprint: report_finding.location_fingerprint
) )
end end
end end
......
...@@ -120,7 +120,8 @@ module Security ...@@ -120,7 +120,8 @@ module Security
delegate :project, to: :pipeline, private: true delegate :project, to: :pipeline, private: true
def existing_scanners def existing_scanners
@existing_scanners ||= project.vulnerability_scanners.index_by(&:external_id) # Reloading the scanners will make sure that the collection proxy will be up-to-date.
@existing_scanners ||= project.vulnerability_scanners.reset.index_by(&:external_id)
end end
end end
end end
...@@ -98,7 +98,7 @@ module Security ...@@ -98,7 +98,7 @@ module Security
vulnerability_finding_to_finding_map[vulnerability_finding] = finding vulnerability_finding_to_finding_map[vulnerability_finding] = finding
update_vulnerability_finding(vulnerability_finding, vulnerability_params.merge(location: entity_params[:location], location_fingerprint: finding.location.fingerprint)) update_vulnerability_finding(vulnerability_finding, vulnerability_params.merge(location: entity_params[:location], location_fingerprint: finding.location_fingerprint))
reset_remediations_for(vulnerability_finding, finding) reset_remediations_for(vulnerability_finding, finding)
if project.licensed_feature_available?(:vulnerability_finding_signatures) if project.licensed_feature_available?(:vulnerability_finding_signatures)
...@@ -113,7 +113,7 @@ module Security ...@@ -113,7 +113,7 @@ module Security
find_params = { find_params = {
scanner: scanners_objects[finding.scanner.key], scanner: scanners_objects[finding.scanner.key],
primary_identifier: identifiers_objects[finding.primary_identifier.key], primary_identifier: identifiers_objects[finding.primary_identifier.key],
location_fingerprint: finding.location.fingerprint location_fingerprint: finding.location_fingerprint
} }
begin begin
......
...@@ -472,4 +472,48 @@ RSpec.describe Gitlab::Ci::Reports::Security::Finding do ...@@ -472,4 +472,48 @@ RSpec.describe Gitlab::Ci::Reports::Security::Finding do
it { is_expected.to eq([finding_2, finding_1, finding_3]) } it { is_expected.to eq([finding_2, finding_1, finding_3]) }
end end
describe '#location_fingerprint' do
let(:signature_1) { ::Gitlab::Ci::Reports::Security::FindingSignature.new(algorithm_type: 'location', signature_value: 'value1') }
let(:signature_2) { ::Gitlab::Ci::Reports::Security::FindingSignature.new(algorithm_type: 'scope_offset', signature_value: 'value2') }
let(:location) { build(:ci_reports_security_locations_sast) }
let(:finding) { build(:ci_reports_security_finding, vulnerability_finding_signatures_enabled: signatures_enabled, signatures: signatures, location: location) }
let(:fingerprint_from_location) { location.fingerprint }
let(:fingerprint_from_signature) { signature_2.signature_hex }
subject { finding.location_fingerprint }
context 'when the signatures feature is enabled' do
let(:signatures_enabled) { true }
context 'when the signatures are empty' do
let(:signatures) { [] }
it { is_expected.to eq(fingerprint_from_location) }
end
context 'when the signatures are not empty' do
let(:signatures) { [signature_1, signature_2] }
it { is_expected.to eq(fingerprint_from_signature) }
end
end
context 'when the signatures feature is not enabled' do
let(:signatures_enabled) { false }
context 'when the signatures are empty' do
let(:signatures) { [] }
it { is_expected.to eq(fingerprint_from_location) }
end
context 'when the signatures are not empty' do
let(:signatures) { [signature_1, signature_2] }
it { is_expected.to eq(fingerprint_from_location) }
end
end
end
end end
...@@ -379,13 +379,16 @@ RSpec.describe Security::StoreReportService, '#execute', :snowplow do ...@@ -379,13 +379,16 @@ RSpec.describe Security::StoreReportService, '#execute', :snowplow do
end end
it 'updates UUIDv4 to UUIDv5' do it 'updates UUIDv4 to UUIDv5' do
# We run `OverrideUuidsService` if the signatures are enabled which
# kinda disables the logic of this test.
next if vulnerability_finding_signatures
finding.uuid = '00000000-1111-2222-3333-444444444444' finding.uuid = '00000000-1111-2222-3333-444444444444'
finding.save! finding.save!
# this report_finding should be used to update the finding's uuid # this report_finding should be used to update the finding's uuid
report_finding = new_report.findings.find { |f| f.location.fingerprint == '0e7d0291d912f56880e39d4fbd80d99dd5d327ba' } report_finding = new_report.findings.find { |f| f.location.fingerprint == '0e7d0291d912f56880e39d4fbd80d99dd5d327ba' }
allow(report_finding).to receive(:uuid).and_return(desired_uuid) allow(report_finding).to receive(:uuid).and_return(desired_uuid)
report_finding.signatures.pop
subject subject
......
...@@ -171,11 +171,21 @@ module Gitlab ...@@ -171,11 +171,21 @@ module Gitlab
original_data['location'] original_data['location']
end end
def location_fingerprint
max_priority_signature_hex || location&.fingerprint
end
private private
def generate_project_fingerprint def generate_project_fingerprint
Digest::SHA1.hexdigest(compare_key) Digest::SHA1.hexdigest(compare_key)
end end
def max_priority_signature_hex
return unless @vulnerability_finding_signatures_enabled && signatures.present?
signatures.max_by(&:priority).signature_hex
end
end end
end end
end end
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment