Use finding signatures in deduplication logic

Somehow GitLab Gosec security scanner is generating duplicate findings which is causing conflicts while creating the Security::Finding records on UUID column therefore we are now using the signature hex values to deduplicate the findings. Changelog: fixed EE: true

Use finding signatures in deduplication logic
Somehow GitLab Gosec security scanner is generating duplicate findings which is causing conflicts while creating the Security::Finding records on UUID column therefore we are now using the signature hex values to deduplicate the findings. Changelog: fixed EE: true
7b452dba · Mehmet Emin INAC · 63dbcadc · 7b452dba · 7b452dba
Commit 7b452dba authored Jan 31, 2022 by Mehmet Emin INAC
Showing with 20 additions and 8 deletions

ee/spec/lib/gitlab/ci/reports/security/finding_spec.rb ee/spec/lib/gitlab/ci/reports/security/finding_spec.rb +5 -2

lib/gitlab/ci/reports/security/finding.rb lib/gitlab/ci/reports/security/finding.rb +15 -6

No files found.
--- a/ee/spec/lib/gitlab/ci/reports/security/finding_spec.rb
+++ b/ee/spec/lib/gitlab/ci/reports/security/finding_spec.rb
@@ -357,11 +357,14 @@ RSpec.describe Gitlab::Ci::Reports::Security::Finding do
    let(:identifier_1) { build(:ci_reports_security_identifier) }
    let(:identifier_2) { build(:ci_reports_security_identifier) }
    let(:location) { build(:ci_reports_security_locations_sast) }
-    let(:finding) { build(:ci_reports_security_finding, identifiers: [identifier_1, identifier_2], location: location) }
+    let(:signature) { build(:ci_reports_security_finding_signature, signature_value: 'value') }
+    let(:finding) { build(:ci_reports_security_finding, identifiers: [identifier_1, identifier_2], location: location, vulnerability_finding_signatures_enabled: true, signatures: [signature]) }
    let(:expected_keys) do
      [
        build(:ci_reports_security_finding_key, location_fingerprint: location.fingerprint, identifier_fingerprint: identifier_1.fingerprint),
-        build(:ci_reports_security_finding_key, location_fingerprint: location.fingerprint, identifier_fingerprint: identifier_2.fingerprint)
+        build(:ci_reports_security_finding_key, location_fingerprint: location.fingerprint, identifier_fingerprint: identifier_2.fingerprint),
+        build(:ci_reports_security_finding_key, location_fingerprint: signature.signature_hex, identifier_fingerprint: identifier_1.fingerprint),
+        build(:ci_reports_security_finding_key, location_fingerprint: signature.signature_hex, identifier_fingerprint: identifier_2.fingerprint)
      ]
    end

--- a/lib/gitlab/ci/reports/security/finding.rb
+++ b/lib/gitlab/ci/reports/security/finding.rb
@@ -122,8 +122,10 @@ module Gitlab
          end
          def keys
-            @keys ||= identifiers.reject(&:type_identifier?).map do |identifier|
+            @keys ||= identifiers.reject(&:type_identifier?).flat_map do |identifier|
-              FindingKey.new(location_fingerprint: location&.fingerprint, identifier_fingerprint: identifier.fingerprint)
+              location_fingerprints.map do |location_fingerprint|
+                FindingKey.new(location_fingerprint: location_fingerprint, identifier_fingerprint: identifier.fingerprint)
+              end
            end
          end
@@ -171,8 +173,10 @@ module Gitlab
            original_data['location']
          end
+          # Returns either the max priority signature hex
+          # or the location fingerprint
          def location_fingerprint
-            max_priority_signature_hex || location&.fingerprint
+            location_fingerprints.first
          end
          private
@@ -181,10 +185,15 @@ module Gitlab
            Digest::SHA1.hexdigest(compare_key)
          end
-          def max_priority_signature_hex
+          def location_fingerprints
-            return unless @vulnerability_finding_signatures_enabled && signatures.present?
+            @location_fingerprints ||= signature_hexes << location&.fingerprint
+          end
+          # Returns the signature hexes in reverse priority order
+          def signature_hexes
+            return [] unless @vulnerability_finding_signatures_enabled && signatures.present?
-            signatures.max_by(&:priority).signature_hex
+            signatures.sort_by(&:priority).map(&:signature_hex).reverse
          end
        end
      end