Commit f496649e authored by Mehmet Emin INAC's avatar Mehmet Emin INAC

Schedule AutoFix background job after ingesting the security reports

Changelog: fixed
EE: true
parent 96623f6f
...@@ -17,6 +17,7 @@ module Security ...@@ -17,6 +17,7 @@ module Security
store_reports store_reports
mark_project_as_vulnerable! mark_project_as_vulnerable!
set_latest_pipeline! set_latest_pipeline!
schedule_auto_fix
end end
private private
...@@ -31,7 +32,7 @@ module Security ...@@ -31,7 +32,7 @@ module Security
end end
def latest_security_scans def latest_security_scans
pipeline.security_scans.without_errors.latest @latest_security_scans ||= pipeline.security_scans.without_errors.latest
end end
def ingest(security_scan) def ingest(security_scan)
...@@ -55,6 +56,22 @@ module Security ...@@ -55,6 +56,22 @@ module Security
def set_latest_pipeline! def set_latest_pipeline!
Vulnerabilities::Statistic.set_latest_pipeline_with(pipeline) Vulnerabilities::Statistic.set_latest_pipeline_with(pipeline)
end end
def schedule_auto_fix
::Security::AutoFixWorker.perform_async(pipeline.id) if auto_fix_enabled?
end
def auto_fix_enabled?
project.security_setting&.auto_fix_enabled? && has_auto_fixable_report_type?
end
def has_auto_fixable_report_type?
(project.security_setting.auto_fix_enabled_types & report_types).any?
end
def report_types
latest_security_scans.map(&:scan_type).map(&:to_sym)
end
end end
end end
end end
...@@ -10,7 +10,7 @@ RSpec.describe Security::Ingestion::IngestReportsService do ...@@ -10,7 +10,7 @@ RSpec.describe Security::Ingestion::IngestReportsService do
let_it_be(:build) { create(:ci_build, pipeline: pipeline) } let_it_be(:build) { create(:ci_build, pipeline: pipeline) }
let_it_be(:security_scan_1) { create(:security_scan, build: build, scan_type: :sast) } let_it_be(:security_scan_1) { create(:security_scan, build: build, scan_type: :sast) }
let_it_be(:security_scan_2) { create(:security_scan, :with_error, build: build, scan_type: :dast) } let_it_be(:security_scan_2) { create(:security_scan, :with_error, build: build, scan_type: :dast) }
let_it_be(:security_scan_3) { create(:security_scan, build: build, scan_type: :secret_detection) } let_it_be(:security_scan_3) { create(:security_scan, build: build, scan_type: :dependency_scanning) }
let_it_be(:vulnerability_1) { create(:vulnerability, project: pipeline.project) } let_it_be(:vulnerability_1) { create(:vulnerability, project: pipeline.project) }
let_it_be(:vulnerability_2) { create(:vulnerability, project: pipeline.project) } let_it_be(:vulnerability_2) { create(:vulnerability, project: pipeline.project) }
...@@ -38,5 +38,53 @@ RSpec.describe Security::Ingestion::IngestReportsService do ...@@ -38,5 +38,53 @@ RSpec.describe Security::Ingestion::IngestReportsService do
.and change { vulnerability_2.reload.resolved_on_default_branch }.from(false).to(true) .and change { vulnerability_2.reload.resolved_on_default_branch }.from(false).to(true)
.and not_change { vulnerability_1.reload.resolved_on_default_branch }.from(false) .and not_change { vulnerability_1.reload.resolved_on_default_branch }.from(false)
end end
describe 'scheduling the AutoFix background job' do
let(:auto_fix_dependency_scanning?) { false }
before do
allow(Security::AutoFixWorker).to receive(:perform_async)
allow(project.security_setting).to receive(:auto_fix_enabled?).and_return(auto_fix_enabled?)
project.security_setting.update!(auto_fix_container_scanning: false, auto_fix_dependency_scanning: auto_fix_dependency_scanning?)
ingest_reports
end
context 'when the auto_fix is not enabled for the project' do
let(:auto_fix_enabled?) { false }
context 'when the pipeline does not have any auto fix enabled report type' do
it 'does not schedule the background job' do
expect(Security::AutoFixWorker).not_to have_received(:perform_async)
end
end
context 'when the pipeline has an auto fix enabled report type' do
let(:auto_fix_dependency_scanning?) { true }
it 'does not schedule the background job' do
expect(Security::AutoFixWorker).not_to have_received(:perform_async)
end
end
end
context 'when the auto_fix is enabled for the project' do
let(:auto_fix_enabled?) { true }
context 'when the pipeline does not have any auto fix enabled report type' do
it 'does not schedule the background job' do
expect(Security::AutoFixWorker).not_to have_received(:perform_async)
end
end
context 'when the pipeline has an auto fix enabled report type' do
let(:auto_fix_dependency_scanning?) { true }
it 'does not schedule the background job' do
expect(Security::AutoFixWorker).to have_received(:perform_async)
end
end
end
end
end end
end end
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment