Commit 80e79c7a authored by Mehmet Emin INAC's avatar Mehmet Emin INAC

Mark vulnerabilities as not resolved on default branch on ingestion

A vulnerability that was marked as resolved on the default branch can later
be re-introduced by a new pipeline. In that case we need to mark it as not
resolved on the default branch again.

Changelog: fixed
EE: true
parent ba14ce92
...@@ -23,6 +23,7 @@ module Security ...@@ -23,6 +23,7 @@ module Security
title: report_finding.name.truncate(::Issuable::TITLE_LENGTH_MAX), title: report_finding.name.truncate(::Issuable::TITLE_LENGTH_MAX),
severity: report_finding.severity, severity: report_finding.severity,
confidence: report_finding.confidence, confidence: report_finding.confidence,
resolved_on_default_branch: false,
updated_at: Time.zone.now updated_at: Time.zone.now
} }
end end
......
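Review bot: The new `resolved_on_default_branch: false` attribute is applied unconditionally to every vulnerability the pipeline ingests, so the change is only correct if this task runs exclusively for default-branch pipelines — if a caller can invoke it for another branch's pipeline, a vulnerability that is genuinely resolved on the default branch would be flipped back, which is worth confirming at the call site. Because that reasoning is not visible in the hash, a short comment above the line would help, e.g. `# A finding present in this report cannot be resolved on the default branch; this re-opens vulnerabilities that were resolved earlier and re-introduced.` Nothing in the visible lines touches the vulnerability `state`, so a previously resolved vulnerability is reported as present again without a state transition — if that is deliberate, the comment should say so. The enclosing method starts and ends outside the hunk.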
...@@ -7,20 +7,24 @@ RSpec.describe Security::Ingestion::Tasks::IngestVulnerabilities do ...@@ -7,20 +7,24 @@ RSpec.describe Security::Ingestion::Tasks::IngestVulnerabilities do
let_it_be(:user) { create(:user) } let_it_be(:user) { create(:user) }
let_it_be(:pipeline) { create(:ci_pipeline, user: user) } let_it_be(:pipeline) { create(:ci_pipeline, user: user) }
let_it_be(:identifier) { create(:vulnerabilities_identifier) } let_it_be(:identifier) { create(:vulnerabilities_identifier) }
let_it_be(:existing_vulnerability) { create(:vulnerability, :detected, :with_finding, resolved_on_default_branch: true) }
let(:finding_maps) { create_list(:finding_map, 4) } let(:finding_maps) { create_list(:finding_map, 4) }
let(:existing_finding) { create(:vulnerabilities_finding, :detected) }
subject(:ingest_vulnerabilities) { described_class.new(pipeline, finding_maps).execute } subject(:ingest_vulnerabilities) { described_class.new(pipeline, finding_maps).execute }
before do before do
finding_maps.first.vulnerability_id = existing_finding.vulnerability_id finding_maps.first.vulnerability_id = existing_vulnerability.id
finding_maps.each { |finding_map| finding_map.identifier_ids << identifier.id } finding_maps.each { |finding_map| finding_map.identifier_ids << identifier.id }
end end
it 'ingests vulnerabilities' do it 'creates new vulnerabilities' do
expect { ingest_vulnerabilities }.to change { Vulnerability.count }.by(3) expect { ingest_vulnerabilities }.to change { Vulnerability.count }.by(3)
end end
it 'marks the existing vulnerability as not resolved on default branch' do
expect { ingest_vulnerabilities }.to change { existing_vulnerability.reload.resolved_on_default_branch }.to(false)
end
end end
end end
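Review bot: The new example only pins that the re-detected vulnerability is flipped to `false`; nothing asserts that a vulnerability absent from the report keeps its `resolved_on_default_branch` value, which is the regression an unconditional attribute is most likely to introduce if the ingestion scope ever widens. A second fixture that no finding map references, asserted unchanged, would cover it, as sketched below. The `RSpec.describe` line is above the hunk.
```ruby
let_it_be(:untouched_vulnerability) { create(:vulnerability, :detected, :with_finding, resolved_on_default_branch: true) }
# … unchanged: finding_maps, subject, before block, existing examples …
it 'does not change vulnerabilities that are not in the report' do
  expect { ingest_vulnerabilities }.not_to change { untouched_vulnerability.reload.resolved_on_default_branch }.from(true)
end
```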