Limit the number of identifiers we create

We are limiting the number of identifiers we create per finding as 20. This number is not a hard limit which means we are not raising an error in case if there are findings with more than 20 identifiers. We are just taking the first 20 identifiers and ignoring the rest if there are more than that.

Limit the number of identifiers we create
We are limiting the number of identifiers we create per finding as 20. This number is not a hard limit which means we are not raising an error in case if there are findings with more than 20 identifiers. We are just taking the first 20 identifiers and ignoring the rest if there are more than that.
d7f2a35c · Mehmet Emin INAC · 2076e547 · d7f2a35c · d7f2a35c · d7f2a35c
Commit d7f2a35c authored Oct 19, 2020 by Mehmet Emin INAC
5 changed files
--- a/ee/app/models/vulnerabilities/finding.rb
+++ b/ee/app/models/vulnerabilities/finding.rb
@@ -11,6 +11,7 @@ module Vulnerabilities
    self.table_name = "vulnerability_occurrences"

    FINDINGS_PER_PAGE = 20
+    MAX_NUMBER_OF_IDENTIFIERS = 20

    paginates_per FINDINGS_PER_PAGE


--- a/ee/app/services/security/store_report_service.rb
+++ b/ee/app/services/security/store_report_service.rb
@@ -54,7 +54,9 @@ module Security

      update_vulnerability_finding(vulnerability_finding, vulnerability_params)

-      finding.identifiers.map do |identifier|
+      # The maximum number of identifiers is not used in validation
+      # we just want to ignore the rest if a finding has more than that.
+      finding.identifiers.take(Vulnerabilities::Finding::MAX_NUMBER_OF_IDENTIFIERS).map do |identifier| # rubocop: disable CodeReuse/ActiveRecord
        create_or_update_vulnerability_identifier_object(vulnerability_finding, identifier)
      end


--- a/ee/spec/factories/ci/job_artifacts.rb
+++ b/ee/spec/factories/ci/job_artifacts.rb
@@ -12,6 +12,16 @@ FactoryBot.define do
      end
    end

+    trait :with_exceeding_identifiers do
+      file_type { :sast }
+      file_format { :raw }
+
+      after(:build) do |artifact, _|
+        artifact.file = fixture_file_upload(
+          Rails.root.join('ee/spec/fixtures/security_reports/master/gl-sast-report-with-exceeding-identifiers.json'), 'application/json')
+      end
+    end
+
    trait :secret_detection do
      file_type { :secret_detection }
      file_format { :raw }

--- a/ee/spec/fixtures/security_reports/master/gl-sast-report-with-exceeding-identifiers.json
+++ b/ee/spec/fixtures/security_reports/master/gl-sast-report-with-exceeding-identifiers.json
+{
+  "version": "1.2",
+  "vulnerabilities": [
+    {
+      "category": "sast",
+      "message": "Probable insecure usage of temp file/directory.",
+      "cve": "python/hardcoded/hardcoded-tmp.py:52865813c884a507be1f152d654245af34aba8a391626d01f1ab6d3f52ec8779:B108",
+      "severity": "Medium",
+      "confidence": "Medium",
+      "scanner": {
+        "id": "bandit",
+        "name": "Bandit"
+      },
+      "location": {
+        "file": "python/hardcoded/hardcoded-tmp.py",
+        "start_line": 1,
+        "end_line": 1
+      },
+      "identifiers": [
+        {
+          "type": "bandit_test_id_1",
+          "name": "Bandit Test ID B108",
+          "value": "B108",
+          "url": "https://docs.openstack.org/bandit/latest/plugins/b108_hardcoded_tmp_directory.html"
+        },
+        {
+          "type": "bandit_test_id_2",
+          "name": "Bandit Test ID B108",
+          "value": "B108",
+          "url": "https://docs.openstack.org/bandit/latest/plugins/b108_hardcoded_tmp_directory.html"
+        },
+        {
+          "type": "bandit_test_id_3",
+          "name": "Bandit Test ID B108",
+          "value": "B108",
+          "url": "https://docs.openstack.org/bandit/latest/plugins/b108_hardcoded_tmp_directory.html"
+        },
+        {
+          "type": "bandit_test_id_4",
+          "name": "Bandit Test ID B108",
+          "value": "B108",
+          "url": "https://docs.openstack.org/bandit/latest/plugins/b108_hardcoded_tmp_directory.html"
+        },
+        {
+          "type": "bandit_test_id_5",
+          "name": "Bandit Test ID B108",
+          "value": "B108",
+          "url": "https://docs.openstack.org/bandit/latest/plugins/b108_hardcoded_tmp_directory.html"
+        },
+        {
+          "type": "bandit_test_id_6",
+          "name": "Bandit Test ID B108",
+          "value": "B108",
+          "url": "https://docs.openstack.org/bandit/latest/plugins/b108_hardcoded_tmp_directory.html"
+        },
+        {
+          "type": "bandit_test_id_7",
+          "name": "Bandit Test ID B108",
+          "value": "B108",
+          "url": "https://docs.openstack.org/bandit/latest/plugins/b108_hardcoded_tmp_directory.html"
+        },
+        {
+          "type": "bandit_test_id_8",
+          "name": "Bandit Test ID B108",
+          "value": "B108",
+          "url": "https://docs.openstack.org/bandit/latest/plugins/b108_hardcoded_tmp_directory.html"
+        },
+        {
+          "type": "bandit_test_id_9",
+          "name": "Bandit Test ID B108",
+          "value": "B108",
+          "url": "https://docs.openstack.org/bandit/latest/plugins/b108_hardcoded_tmp_directory.html"
+        },
+        {
+          "type": "bandit_test_id_10",
+          "name": "Bandit Test ID B108",
+          "value": "B108",
+          "url": "https://docs.openstack.org/bandit/latest/plugins/b108_hardcoded_tmp_directory.html"
+        },
+        {
+          "type": "bandit_test_id_11",
+          "name": "Bandit Test ID B108",
+          "value": "B108",
+          "url": "https://docs.openstack.org/bandit/latest/plugins/b108_hardcoded_tmp_directory.html"
+        },
+        {
+          "type": "bandit_test_id_12",
+          "name": "Bandit Test ID B108",
+          "value": "B108",
+          "url": "https://docs.openstack.org/bandit/latest/plugins/b108_hardcoded_tmp_directory.html"
+        },
+        {
+          "type": "bandit_test_id_13",
+          "name": "Bandit Test ID B108",
+          "value": "B108",
+          "url": "https://docs.openstack.org/bandit/latest/plugins/b108_hardcoded_tmp_directory.html"
+        },
+        {
+          "type": "bandit_test_id_14",
+          "name": "Bandit Test ID B108",
+          "value": "B108",
+          "url": "https://docs.openstack.org/bandit/latest/plugins/b108_hardcoded_tmp_directory.html"
+        },
+        {
+          "type": "bandit_test_id_15",
+          "name": "Bandit Test ID B108",
+          "value": "B108",
+          "url": "https://docs.openstack.org/bandit/latest/plugins/b108_hardcoded_tmp_directory.html"
+        },
+        {
+          "type": "bandit_test_id_16",
+          "name": "Bandit Test ID B108",
+          "value": "B108",
+          "url": "https://docs.openstack.org/bandit/latest/plugins/b108_hardcoded_tmp_directory.html"
+        },
+        {
+          "type": "bandit_test_id_17",
+          "name": "Bandit Test ID B108",
+          "value": "B108",
+          "url": "https://docs.openstack.org/bandit/latest/plugins/b108_hardcoded_tmp_directory.html"
+        },
+        {
+          "type": "bandit_test_id_18",
+          "name": "Bandit Test ID B108",
+          "value": "B108",
+          "url": "https://docs.openstack.org/bandit/latest/plugins/b108_hardcoded_tmp_directory.html"
+        },
+        {
+          "type": "bandit_test_id_19",
+          "name": "Bandit Test ID B108",
+          "value": "B108",
+          "url": "https://docs.openstack.org/bandit/latest/plugins/b108_hardcoded_tmp_directory.html"
+        },
+        {
+          "type": "bandit_test_id_20",
+          "name": "Bandit Test ID B108",
+          "value": "B108",
+          "url": "https://docs.openstack.org/bandit/latest/plugins/b108_hardcoded_tmp_directory.html"
+        },
+        {
+          "type": "bandit_test_id_21",
+          "name": "Bandit Test ID B108",
+          "value": "B108",
+          "url": "https://docs.openstack.org/bandit/latest/plugins/b108_hardcoded_tmp_directory.html"
+        }
+      ],
+      "priority": "Medium",
+      "file": "python/hardcoded/hardcoded-tmp.py",
+      "line": 1,
+      "url": "https://docs.openstack.org/bandit/latest/plugins/b108_hardcoded_tmp_directory.html",
+      "tool": "bandit"
+    }
+  ],
+  "remediations": [],
+  "scan": {
+    "scanner": {
+      "id": "gosec",
+      "name": "Gosec",
+      "url": "https://github.com/securego/gosec",
+      "vendor": {
+        "name": "GitLab"
+      },
+      "version": "2.3.0"
+    },
+    "type": "sast",
+    "status": "success",
+    "start_time": "placeholder-value",
+    "end_time": "placeholder-value"
+  }
+}
--- a/ee/spec/services/security/store_report_service_spec.rb
+++ b/ee/spec/services/security/store_report_service_spec.rb
@@ -4,7 +4,8 @@ require 'spec_helper'

 RSpec.describe Security::StoreReportService, '#execute' do
  let_it_be(:user) { create(:user) }
-  let(:artifact) { create(:ee_ci_job_artifact, report_type) }
+  let(:artifact) { create(:ee_ci_job_artifact, trait) }
+  let(:report_type) { artifact.file_type }
  let(:project) { artifact.project }
  let(:pipeline) { artifact.job.pipeline }
  let(:report) { pipeline.security_reports.get_report(report_type.to_s, artifact) }
@@ -23,10 +24,11 @@ RSpec.describe Security::StoreReportService, '#execute' do

    using RSpec::Parameterized::TableSyntax

-    where(:case_name, :report_type, :scanners, :identifiers, :findings, :finding_identifiers, :finding_pipelines) do
-      'with SAST report'                | :sast                | 3 | 17 | 33 | 39 | 33
-      'with Dependency Scanning report' | :dependency_scanning | 2 | 7  | 4  | 7  | 4
-      'with Container Scanning report'  | :container_scanning  | 1 | 8  | 8  | 8  | 8
+    where(:case_name, :trait, :scanners, :identifiers, :findings, :finding_identifiers, :finding_pipelines) do
+      'with SAST report'                | :sast                       | 3 | 17 | 33 | 39 | 33
+      'with exceeding identifiers'      | :with_exceeding_identifiers | 1 | 20 | 1  | 20 | 1
+      'with Dependency Scanning report' | :dependency_scanning        | 2 | 7  | 4  | 7  | 4
+      'with Container Scanning report'  | :container_scanning         | 1 | 8  | 8  | 8  | 8
    end

    with_them do
@@ -85,7 +87,7 @@ RSpec.describe Security::StoreReportService, '#execute' do
    let(:new_build) { create(:ci_build, pipeline: new_pipeline) }
    let(:new_pipeline) { create(:ci_pipeline, project: project) }
    let(:new_report) { new_pipeline.security_reports.get_report(report_type.to_s, artifact) }
-    let(:report_type) { :sast }
+    let(:trait) { :sast }

    let!(:finding) do
      create(:vulnerabilities_finding,
@@ -180,7 +182,7 @@ RSpec.describe Security::StoreReportService, '#execute' do

  context 'with existing data from same pipeline' do
    let!(:finding) { create(:vulnerabilities_finding, project: project, pipelines: [pipeline]) }
-    let(:report_type) { :sast }
+    let(:trait) { :sast }

    it 'skips report' do
      expect(subject).to eq({