Inject pipeline to security reports

Previously we were injecting only the commit sha to security reports
but to be able to make some calculations with the persisted findings
we will need the project information. Therefore, we are now injecting
the pipeline object to reports instead of the commit sha.

ee/app/models/ee/ci/pipeline.rb

@@ -102,7 +102,7 @@ module EE
       end
 
       def security_reports
-        ::Gitlab::Ci::Reports::Security::Reports.new(sha).tap do |security_reports|
+        ::Gitlab::Ci::Reports::Security::Reports.new(self).tap do |security_reports|
           builds.latest.with_reports(::Ci::JobArtifact.security_reports).each do |build|
             build.collect_security_reports!(security_reports)
           end

ee/app/services/security/merge_reports_service.rb

@@ -31,7 +31,7 @@ module Security
       sort_by_ds_analyzers!
       @target_report = ::Gitlab::Ci::Reports::Security::Report.new(
         @source_reports.first.type,
-        @source_reports.first.commit_sha,
+        @source_reports.first.pipeline,
         @source_reports.first.created_at
       )
       @findings = []

ee/lib/gitlab/ci/reports/security/report.rb

@@ -9,7 +9,7 @@ module Gitlab
 
           attr_reader :created_at
           attr_reader :type
-          attr_reader :commit_sha
+          attr_reader :pipeline
           attr_reader :findings
           attr_reader :scanners
           attr_reader :identifiers
@@ -17,9 +17,9 @@ module Gitlab
           attr_accessor :scanned_resources
           attr_accessor :error
 
-          def initialize(type, commit_sha, created_at)
+          def initialize(type, pipeline, created_at)
             @type = type
-            @commit_sha = commit_sha
+            @pipeline = pipeline
             @created_at = created_at
             @findings = []
             @scanners = {}
@@ -27,6 +27,10 @@ module Gitlab
             @scanned_resources = []
           end
 
+          def commit_sha
+            pipeline.sha
+          end
+
           def errored?
             error.present?
           end
@@ -44,7 +48,7 @@ module Gitlab
           end
 
           def clone_as_blank
-            Report.new(type, commit_sha, created_at)
+            Report.new(type, pipeline, created_at)
           end
 
           def replace_with!(other)

ee/lib/gitlab/ci/reports/security/reports.rb

@@ -5,17 +5,17 @@ module Gitlab
     module Reports
       module Security
         class Reports
-          attr_reader :reports, :commit_sha
+          attr_reader :reports, :pipeline
 
           delegate :empty?, to: :reports
 
-          def initialize(commit_sha)
+          def initialize(pipeline)
             @reports = {}
-            @commit_sha = commit_sha
+            @pipeline = pipeline
           end
 
           def get_report(report_type, report_artifact)
-            reports[report_type] ||= Report.new(report_type, commit_sha, report_artifact.created_at)
+            reports[report_type] ||= Report.new(report_type, pipeline, report_artifact.created_at)
           end
 
           def violates_default_policy?

ee/spec/factories/ci/reports/security/reports.rb

@@ -3,7 +3,7 @@
 FactoryBot.define do
   factory :ci_reports_security_report, class: '::Gitlab::Ci::Reports::Security::Report' do
     type { :sast }
-    commit_sha { Digest::SHA1.hexdigest(SecureRandom.hex) }
+    pipeline { build(:ci_pipeline) }
     created_at { 2.weeks.ago }
     scanned_resources { [] }
 
@@ -22,7 +22,7 @@ FactoryBot.define do
     skip_create
 
     initialize_with do
-      ::Gitlab::Ci::Reports::Security::Report.new(type, commit_sha, created_at)
+      ::Gitlab::Ci::Reports::Security::Report.new(type, pipeline, created_at)
     end
   end
 end

ee/spec/lib/gitlab/ci/parsers/security/common_spec.rb

@@ -4,8 +4,10 @@ require 'spec_helper'
 
 RSpec.describe Gitlab::Ci::Parsers::Security::Common do
   describe '#parse!' do
+    let_it_be(:pipeline) { create(:ci_pipeline) }
+
     let(:artifact) { build(:ee_ci_job_artifact, :dependency_scanning) }
-    let(:report) { Gitlab::Ci::Reports::Security::Report.new(artifact.file_type, 'sha', 2.weeks.ago) }
+    let(:report) { Gitlab::Ci::Reports::Security::Report.new(artifact.file_type, pipeline, 2.weeks.ago) }
     let(:parser) { described_class.new }
 
     before do

ee/spec/lib/gitlab/ci/parsers/security/container_scanning_spec.rb

@@ -6,7 +6,7 @@ RSpec.describe Gitlab::Ci::Parsers::Security::ContainerScanning do
   let(:parser) { described_class.new }
   let(:project) { artifact.project }
   let(:pipeline) { artifact.job.pipeline }
-  let(:report) { Gitlab::Ci::Reports::Security::Report.new(artifact.file_type, pipeline.sha, 2.weeks.ago) }
+  let(:report) { Gitlab::Ci::Reports::Security::Report.new(artifact.file_type, pipeline, 2.weeks.ago) }
 
   before do
     artifact.each_blob do |blob|

ee/spec/lib/gitlab/ci/parsers/security/coverage_fuzzing_spec.rb

@@ -5,7 +5,7 @@ require 'spec_helper'
 RSpec.describe Gitlab::Ci::Parsers::Security::CoverageFuzzing do
   let(:project) { artifact.project }
   let(:pipeline) { artifact.job.pipeline }
-  let(:report) { Gitlab::Ci::Reports::Security::Report.new(artifact.file_type, pipeline.sha, 2.weeks.ago) }
+  let(:report) { Gitlab::Ci::Reports::Security::Report.new(artifact.file_type, pipeline, 2.weeks.ago) }
   let(:parser) { described_class.new }
   let(:artifact) { create(:ee_ci_job_artifact, :coverage_fuzzing) }
 

ee/spec/lib/gitlab/ci/parsers/security/dast_spec.rb

@@ -9,7 +9,7 @@ RSpec.describe Gitlab::Ci::Parsers::Security::Dast do
     let(:project) { artifact.project }
     let(:pipeline) { artifact.job.pipeline }
     let(:artifact) { create(:ee_ci_job_artifact, :dast) }
-    let(:report) { Gitlab::Ci::Reports::Security::Report.new(artifact.file_type, pipeline.sha, 2.weeks.ago) }
+    let(:report) { Gitlab::Ci::Reports::Security::Report.new(artifact.file_type, pipeline, 2.weeks.ago) }
     let(:parser) { described_class.new }
 
     where(:report_format,

ee/spec/lib/gitlab/ci/parsers/security/dependency_scanning_spec.rb

@@ -9,7 +9,7 @@ RSpec.describe Gitlab::Ci::Parsers::Security::DependencyScanning do
     let(:project) { artifact.project }
     let(:pipeline) { artifact.job.pipeline }
     let(:artifact) { create(:ee_ci_job_artifact, :dependency_scanning) }
-    let(:report) { Gitlab::Ci::Reports::Security::Report.new(artifact.file_type, pipeline.sha, 2.weeks.ago) }
+    let(:report) { Gitlab::Ci::Reports::Security::Report.new(artifact.file_type, pipeline, 2.weeks.ago) }
     let(:parser) { described_class.new }
 
     where(:report_format, :occurrence_count, :identifier_count, :scanner_count, :file_path, :package_name, :package_version, :version) do

ee/spec/lib/gitlab/ci/parsers/security/sast_spec.rb

@@ -4,16 +4,17 @@ require 'spec_helper'
 
 RSpec.describe Gitlab::Ci::Parsers::Security::Sast do
   describe '#parse!' do
-    subject(:parser) { described_class.new }
+    let_it_be(:pipeline) { create(:ci_pipeline) }
 
-    let(:commit_sha) { "d8978e74745e18ce44d88814004d4255ac6a65bb" }
     let(:created_at) { 2.weeks.ago }
 
+    subject(:parser) { described_class.new }
+
     context "when parsing valid reports" do
       where(report_format: %i(sast sast_deprecated))
 
       with_them do
-        let(:report) { Gitlab::Ci::Reports::Security::Report.new(artifact.file_type, commit_sha, created_at) }
+        let(:report) { Gitlab::Ci::Reports::Security::Report.new(artifact.file_type, pipeline, created_at) }
         let(:artifact) { create(:ee_ci_job_artifact, report_format) }
 
         before do
@@ -48,7 +49,7 @@ RSpec.describe Gitlab::Ci::Parsers::Security::Sast do
     end
 
     context "when parsing an empty report" do
-      let(:report) { Gitlab::Ci::Reports::Security::Report.new('sast', commit_sha, created_at) }
+      let(:report) { Gitlab::Ci::Reports::Security::Report.new('sast', pipeline, created_at) }
       let(:blob) { Gitlab::Json.generate({}) }
 
       it { expect(parser.parse!(blob, report)).to be_empty }

ee/spec/lib/gitlab/ci/parsers/security/secret_detection_spec.rb

@@ -4,16 +4,17 @@ require 'spec_helper'
 
 RSpec.describe Gitlab::Ci::Parsers::Security::SecretDetection do
   describe '#parse!' do
-    subject(:parser) { described_class.new }
+    let_it_be(:pipeline) { create(:ci_pipeline) }
 
-    let(:commit_sha) { "d8978e74745e18ce44d88814004d4255ac6a65bb" }
     let(:created_at) { 2.weeks.ago }
 
+    subject(:parser) { described_class.new }
+
     context "when parsing valid reports" do
       where(report_format: %i(secret_detection))
 
       with_them do
-        let(:report) { Gitlab::Ci::Reports::Security::Report.new(artifact.file_type, commit_sha, created_at) }
+        let(:report) { Gitlab::Ci::Reports::Security::Report.new(artifact.file_type, pipeline, created_at) }
         let(:artifact) { create(:ee_ci_job_artifact, report_format) }
 
         before do
@@ -48,7 +49,7 @@ RSpec.describe Gitlab::Ci::Parsers::Security::SecretDetection do
     end
 
     context "when parsing an empty report" do
-      let(:report) { Gitlab::Ci::Reports::Security::Report.new('secret_detection', commit_sha, created_at) }
+      let(:report) { Gitlab::Ci::Reports::Security::Report.new('secret_detection', pipeline, created_at) }
       let(:blob) { Gitlab::Json.generate({}) }
 
       it { expect(parser.parse!(blob, report)).to be_empty }

ee/spec/lib/gitlab/ci/reports/security/reports_spec.rb

@@ -3,9 +3,10 @@
 require 'spec_helper'
 
 RSpec.describe Gitlab::Ci::Reports::Security::Reports do
-  let(:commit_sha) { '20410773a37f49d599e5f0d45219b39304763538' }
-  let(:security_reports) { described_class.new(commit_sha) }
-  let(:artifact) { create(:ee_ci_job_artifact, :sast) }
+  let_it_be(:pipeline) { create(:ci_pipeline) }
+  let_it_be(:artifact) { create(:ee_ci_job_artifact, :sast) }
+
+  let(:security_reports) { described_class.new(pipeline) }
 
   describe '#get_report' do
     subject { security_reports.get_report(report_type, artifact) }
@@ -14,12 +15,11 @@ RSpec.describe Gitlab::Ci::Reports::Security::Reports do
       let(:report_type) { 'sast' }
 
       it { expect(subject.type).to eq('sast') }
-      it { expect(subject.commit_sha).to eq(commit_sha) }
       it { expect(subject.created_at).to eq(artifact.created_at) }
 
       it 'initializes a new report and returns it' do
         expect(Gitlab::Ci::Reports::Security::Report).to receive(:new)
-          .with('sast', commit_sha, artifact.created_at).and_call_original
+          .with('sast', pipeline, artifact.created_at).and_call_original
 
         is_expected.to be_a(Gitlab::Ci::Reports::Security::Report)
       end
@@ -39,7 +39,7 @@ RSpec.describe Gitlab::Ci::Reports::Security::Reports do
   end
 
   describe "#violates_default_policy?" do
-    subject { described_class.new(commit_sha) }
+    subject { described_class.new(pipeline) }
 
     let(:low_severity) { build(:ci_reports_security_finding, severity: 'low') }
     let(:high_severity) { build(:ci_reports_security_finding, severity: 'high') }

ee/spec/models/ci/build_spec.rb

@@ -157,7 +157,7 @@ RSpec.describe Ci::Build do
   end
 
   describe '#collect_security_reports!' do
-    let(:security_reports) { ::Gitlab::Ci::Reports::Security::Reports.new(pipeline.sha) }
+    let(:security_reports) { ::Gitlab::Ci::Reports::Security::Reports.new(pipeline) }
 
     subject { job.collect_security_reports!(security_reports) }
 

ee/spec/models/ci/pipeline_spec.rb

@@ -146,12 +146,9 @@ RSpec.describe Ci::Pipeline do
       let!(:cs1_artifact) { create(:ee_ci_job_artifact, :container_scanning, job: build_cs_1, project: project) }
       let!(:cs2_artifact) { create(:ee_ci_job_artifact, :container_scanning, job: build_cs_2, project: project) }
 
-      before do
-      end
-
-      it 'assigns pipeline commit_sha to the reports' do
-        expect(subject.commit_sha).to eq(pipeline.sha)
-        expect(subject.reports.values.map(&:commit_sha).uniq).to contain_exactly(pipeline.sha)
+      it 'assigns pipeline to the reports' do
+        expect(subject.pipeline).to eq(pipeline)
+        expect(subject.reports.values.map(&:pipeline).uniq).to contain_exactly(pipeline)
       end
 
       it 'returns security reports with collected data grouped as expected' do

ee/spec/services/security/store_reports_service_spec.rb

@@ -34,7 +34,7 @@ RSpec.describe Security::StoreReportsService do
       end
 
       context 'when StoreReportService returns an error for a report' do
-        let(:reports) { Gitlab::Ci::Reports::Security::Reports.new(pipeline.sha) }
+        let(:reports) { Gitlab::Ci::Reports::Security::Reports.new(pipeline) }
         let(:sast_report) { reports.get_report('sast', sast_artifact) }
         let(:dast_report) { reports.get_report('dast', dast_artifact) }
         let(:success) { { status: :success } }