Fix fetching of undismissed vulnerabilities

Full matching of a vulnerability finding with its feedback requires a comparison of the project_fingerprint, project, and category. We were only checking the project_fingerprint, so we were reporting undismissed feedback as dismissed if there was another dismissal feedback that had the same project_fingerprint but was either for another project or in another report type. https://gitlab.com/gitlab-org/gitlab/issues/36958

Fix fetching of undismissed vulnerabilities
Full matching of a vulnerability finding with its feedback requires a comparison of the project_fingerprint, project, and category. We were only checking the project_fingerprint, so we were reporting undismissed feedback as dismissed if there was another dismissal feedback that had the same project_fingerprint but was either for another project or in another report type. https://gitlab.com/gitlab-org/gitlab/issues/36958
fc0bc17f · Avielle Wolfe · James Lopez · 305dedf9 · fc0bc17f · fc0bc17f
Commit fc0bc17f authored Dec 03, 2019 by Avielle Wolfe Committed by James Lopez Dec 03, 2019
4 changed files
--- a/ee/app/models/vulnerabilities/occurrence.rb
+++ b/ee/app/models/vulnerabilities/occurrence.rb
@@ -152,6 +152,8 @@ module Vulnerabilities
      where(
        "NOT EXISTS (?)",
        Feedback.select(1)
+        .where("#{table_name}.report_type = vulnerability_feedback.category")
+        .where("#{table_name}.project_id = vulnerability_feedback.project_id")
        .where("ENCODE(#{table_name}.project_fingerprint, 'HEX') = vulnerability_feedback.project_fingerprint") # rubocop:disable GitlabSecurity/SqlInjection
        .for_dismissal
      )

--- a/ee/changelogs/unreleased/36958-fix-undismissed.yml
+++ b/ee/changelogs/unreleased/36958-fix-undismissed.yml
+---
+title: Fix the hiding of undismissed vulnerabilities
+merge_request: 20599
+author:
+type: fixed
--- a/ee/spec/models/group_spec.rb
+++ b/ee/spec/models/group_spec.rb
@@ -181,11 +181,13 @@ describe Group do

    it 'does not include projects that only have dismissed vulnerabilities' do
      project = create(:project, namespace: group)
-      vulnerability = create(:vulnerabilities_occurrence, project: project)
+      vulnerability = create(:vulnerabilities_occurrence, report_type: :dast, project: project)
      create(
        :vulnerability_feedback,
-        project_fingerprint: vulnerability.project_fingerprint,
-        feedback_type: :dismissal
+        category: :dast,
+        feedback_type: :dismissal,
+        project: project,
+        project_fingerprint: vulnerability.project_fingerprint
      )

      vulnerable_projects = group.vulnerable_projects

--- a/ee/spec/models/vulnerabilities/occurrence_spec.rb
+++ b/ee/spec/models/vulnerabilities/occurrence_spec.rb
@@ -284,15 +284,29 @@ describe Vulnerabilities::Occurrence do
    set(:project) { create(:project) }
    set(:project2) { create(:project) }
    let!(:finding1) { create(:vulnerabilities_occurrence, project: project) }
-    let!(:finding2) { create(:vulnerabilities_occurrence, project: project) }
+    let!(:finding2) { create(:vulnerabilities_occurrence, project: project, report_type: :dast) }
    let!(:finding3) { create(:vulnerabilities_occurrence, project: project2) }

    before do
      create(
        :vulnerability_feedback,
        :dismissal,
+        project: finding1.project,
        project_fingerprint: finding1.project_fingerprint
      )
+      create(
+        :vulnerability_feedback,
+        :dismissal,
+        project_fingerprint: finding2.project_fingerprint,
+        project: project2
+      )
+      create(
+        :vulnerability_feedback,
+        :dismissal,
+        category: :sast,
+        project_fingerprint: finding2.project_fingerprint,
+        project: finding2.project
+      )
    end

    it 'returns all non-dismissed occurrences' do