Expose commit sha on Vulnerabilities::Occurrence

Presenter for Vulnerabilities::Occurrence doesn't generate blob_path
if sha is missing. For some cases sha is dynamically added via joined
table, for pipeline reports sha is completely missing. To make
behavior more consistent we will introduce sha related accessors and
will populate it from either reports or joined queries.

ee/app/finders/security/pipeline_vulnerabilities_finder.rb

@@ -87,6 +87,7 @@ module Security
         occurrence.vulnerability = vulnerabilities[occurrence.project_fingerprint]
 
         occurrence.project = pipeline.project
+        occurrence.sha = pipeline.sha
         occurrence.build_scanner(report_occurrence.scanner.to_hash)
         occurrence.identifiers = report_occurrence.identifiers.map do |identifier|
           Vulnerabilities::Identifier.new(identifier.to_hash)

ee/app/models/vulnerabilities/occurrence.rb

@@ -25,6 +25,8 @@ module Vulnerabilities
     has_many :occurrence_pipelines, class_name: 'Vulnerabilities::OccurrencePipeline'
     has_many :pipelines, through: :occurrence_pipelines, class_name: 'Ci::Pipeline'
 
+    attr_writer :sha
+
     CONFIDENCE_LEVELS = {
       undefined: 0,
       ignore: 1,
@@ -127,6 +129,11 @@ module Vulnerabilities
                 'vulnerabilities.id, vulnerabilities.state') # fetching only required attributes
     end
 
+    # sha can be sourced from a joined pipeline or set from the report
+    def sha
+      self[:sha] || @sha
+    end
+
     def state
       return 'dismissed' if dismissal_feedback.present?
 

ee/app/presenters/vulnerabilities/occurrence_presenter.rb

@@ -5,7 +5,7 @@ module Vulnerabilities
     presents :occurrence
 
     def blob_path
-      return '' unless respond_to?(:sha)
+      return '' unless sha.present?
       return '' unless location.present? && location['file'].present?
 
       add_line_numbers(location['start_line'], location['end_line'])

ee/changelogs/unreleased/bug-vulnerability-occurence-blob-path.yml

+---
+title: Expose commit sha on Vulnerabilities::Occurrence
+merge_request: 19668
+author:
+type: fixed

ee/spec/finders/security/pipeline_vulnerabilities_finder_spec.rb

@@ -22,6 +22,7 @@ describe Security::PipelineVulnerabilitiesFinder do
   describe '#execute' do
     set(:project) { create(:project, :repository) }
     set(:pipeline) { create(:ci_pipeline, :success, project: project) }
+    let(:params) { {} }
 
     set(:build_cs) { create(:ci_build, :success, name: 'cs_job', pipeline: pipeline, project: project) }
     set(:build_dast) { create(:ci_build, :success, name: 'dast_job', pipeline: pipeline, project: project) }
@@ -52,6 +53,10 @@ describe Security::PipelineVulnerabilitiesFinder do
 
     subject { described_class.new(pipeline: pipeline, params: params).execute }
 
+    it 'assigns commit sha to findings' do
+      expect(subject.map(&:sha).uniq).to eq [pipeline.sha]
+    end
+
     context 'by order' do
       let(:params) { { report_type: %w[sast] } }
       let!(:high_high) { build(:vulnerabilities_occurrence, confidence: :high, severity: :high) }

ee/spec/presenters/vulnerabilities/occurrence_presenter_spec.rb

@@ -15,10 +15,11 @@ describe Vulnerabilities::OccurrencePresenter do
 
     context 'with a sha' do
       before do
-        allow_any_instance_of(Vulnerabilities::Occurrence).to receive(:sha)
-          .and_return('abc')
+        occurrence.sha = 'abc'
       end
 
+      it { is_expected.to include(occurrence.sha) }
+
       context 'without start_line or end_line' do
         before do
           allow(presenter).to receive(:location)