Merge branch 'bug/vulnerability-occurence-blob-path' into 'master'

Expose commit sha on Vulnerabilities::Occurrence See merge request gitlab-org/gitlab!19668

Merge branch 'bug/vulnerability-occurence-blob-path' into 'master'
Expose commit sha on Vulnerabilities::Occurrence See merge request gitlab-org/gitlab!19668
e1357145 · Heinrich Lee Yu · d112cc07 · f6a74737 · e1357145 · e1357145
Commit e1357145 authored Nov 07, 2019 by Heinrich Lee Yu
6 changed files
--- a/ee/app/finders/security/pipeline_vulnerabilities_finder.rb
+++ b/ee/app/finders/security/pipeline_vulnerabilities_finder.rb
@@ -87,6 +87,7 @@ module Security
        occurrence.vulnerability = vulnerabilities[occurrence.project_fingerprint]
        occurrence.project = pipeline.project
+        occurrence.sha = pipeline.sha
        occurrence.build_scanner(report_occurrence.scanner.to_hash)
        occurrence.identifiers = report_occurrence.identifiers.map do |identifier|
          Vulnerabilities::Identifier.new(identifier.to_hash)

--- a/ee/app/models/vulnerabilities/occurrence.rb
+++ b/ee/app/models/vulnerabilities/occurrence.rb
@@ -25,6 +25,8 @@ module Vulnerabilities
    has_many :occurrence_pipelines, class_name: 'Vulnerabilities::OccurrencePipeline'
    has_many :pipelines, through: :occurrence_pipelines, class_name: 'Ci::Pipeline'
+    attr_writer :sha
    CONFIDENCE_LEVELS = {
      undefined: 0,
      ignore: 1,
@@ -127,6 +129,11 @@ module Vulnerabilities
                'vulnerabilities.id, vulnerabilities.state') # fetching only required attributes
    end
+    # sha can be sourced from a joined pipeline or set from the report
+    def sha
+      self[:sha] || @sha
+    end
    def state
      return 'dismissed' if dismissal_feedback.present?

--- a/ee/app/presenters/vulnerabilities/occurrence_presenter.rb
+++ b/ee/app/presenters/vulnerabilities/occurrence_presenter.rb
@@ -5,7 +5,7 @@ module Vulnerabilities
    presents :occurrence
    def blob_path
-      return '' unless respond_to?(:sha)
+      return '' unless sha.present?
      return '' unless location.present? && location['file'].present?
      add_line_numbers(location['start_line'], location['end_line'])

--- a/ee/changelogs/unreleased/bug-vulnerability-occurence-blob-path.yml
+++ b/ee/changelogs/unreleased/bug-vulnerability-occurence-blob-path.yml
+---
+title: Expose commit sha on Vulnerabilities::Occurrence
+merge_request: 19668
+author:
+type: fixed
--- a/ee/spec/finders/security/pipeline_vulnerabilities_finder_spec.rb
+++ b/ee/spec/finders/security/pipeline_vulnerabilities_finder_spec.rb
@@ -22,6 +22,7 @@ describe Security::PipelineVulnerabilitiesFinder do
  describe '#execute' do
    set(:project) { create(:project, :repository) }
    set(:pipeline) { create(:ci_pipeline, :success, project: project) }
+    let(:params) { {} }
    set(:build_cs) { create(:ci_build, :success, name: 'cs_job', pipeline: pipeline, project: project) }
    set(:build_dast) { create(:ci_build, :success, name: 'dast_job', pipeline: pipeline, project: project) }
@@ -52,6 +53,10 @@ describe Security::PipelineVulnerabilitiesFinder do
    subject { described_class.new(pipeline: pipeline, params: params).execute }
+    it 'assigns commit sha to findings' do
+      expect(subject.map(&:sha).uniq).to eq [pipeline.sha]
+    end
    context 'by order' do
      let(:params) { { report_type: %w[sast] } }
      let!(:high_high) { build(:vulnerabilities_occurrence, confidence: :high, severity: :high) }

--- a/ee/spec/presenters/vulnerabilities/occurrence_presenter_spec.rb
+++ b/ee/spec/presenters/vulnerabilities/occurrence_presenter_spec.rb
@@ -15,10 +15,11 @@ describe Vulnerabilities::OccurrencePresenter do
    context 'with a sha' do
      before do
-        allow_any_instance_of(Vulnerabilities::Occurrence).to receive(:sha)
+        occurrence.sha = 'abc'
-          .and_return('abc')
      end
+      it { is_expected.to include(occurrence.sha) }
      context 'without start_line or end_line' do
        before do
          allow(presenter).to receive(:location)