Calculate UUIDv5 for Finding before saving

839a34f3 · Michał Zając · 14053e9f · 839a34f3 · 839a34f3
Commit 839a34f3 authored Sep 30, 2020 by Michał Zając
Showing with 32 additions and 2 deletions

ee/app/services/security/store_report_service.rb ee/app/services/security/store_report_service.rb +24 -2

ee/spec/services/security/store_report_service_spec.rb ee/spec/services/security/store_report_service_spec.rb +8 -0

No files found.
--- a/ee/app/services/security/store_report_service.rb
+++ b/ee/app/services/security/store_report_service.rb
@@ -72,10 +72,15 @@ module Security
      }

      begin
-        project
+        vulnerability_finding = project
          .vulnerability_findings
          .create_with(create_params)
-          .find_or_create_by!(find_params)
+          .find_or_initialize_by(find_params)
+
+        vulnerability_finding.uuid = calculcate_uuid_v5(vulnerability_finding, find_params)
+
+        vulnerability_finding.save!
+        vulnerability_finding
      rescue ActiveRecord::RecordNotUnique
        project.vulnerability_findings.find_by!(find_params)
      rescue ActiveRecord::RecordInvalid => e
@@ -83,6 +88,23 @@ module Security
      end
    end

+    def calculcate_uuid_v5(vulnerability_finding, finding_params)
+      uuid_v5_name_components = {
+        report_type: vulnerability_finding.report_type,
+        primary_identifier_fingerprint: vulnerability_finding.primary_identifier&.fingerprint || finding_params.dig(:primary_identifier, :fingerprint),
+        location_fingerprint: vulnerability_finding.location_fingerprint,
+        project_id: project.id
+      }
+
+      if uuid_v5_name_components.values.any?(&:nil?)
+        Gitlab::AppLogger.warn(message: "One or more UUID name components are nil", components: uuid_v5_name_components)
+      end
+
+      name = uuid_v5_name_components.values.join('-')
+
+      Gitlab::Vulnerabilities::CalculateFindingUUID.call(name)
+    end
+
    def update_vulnerability_scanner(finding)
      scanner = scanners_objects[finding.scanner.key]
      scanner.update!(finding.scanner.to_hash)

--- a/ee/spec/services/security/store_report_service_spec.rb
+++ b/ee/spec/services/security/store_report_service_spec.rb
@@ -53,6 +53,10 @@ RSpec.describe Security::StoreReportService, '#execute' do
      it 'inserts all vulnerabilties' do
        expect { subject }.to change { Vulnerability.count }.by(findings)
      end
+
+      it 'calculates UUIDv5 for all findings' do
+        expect(Vulnerabilities::Finding.pluck(:uuid)).to all(be_a(String))
+      end
    end

    context 'invalid data' do
@@ -118,6 +122,10 @@ RSpec.describe Security::StoreReportService, '#execute' do
      expect { subject }.to change { Vulnerabilities::Finding.count }.by(32)
    end

+    it 'calculates UUIDv5 for all findings' do
+      expect(Vulnerabilities::Finding.pluck(:uuid)).to all(be_a(String))
+    end
+
    it 'inserts all finding pipelines (join model) for this new pipeline' do
      expect { subject }.to change { Vulnerabilities::FindingPipeline.where(pipeline: new_pipeline).count }.by(33)
    end