Commit fc0bc17f authored by Avielle Wolfe's avatar Avielle Wolfe Committed by James Lopez

Fix fetching of undismissed vulnerabilities

Full matching of a vulnerability finding with its feedback requires
a comparison of the project_fingerprint, project, and category.

We were only checking the project_fingerprint, so we were reporting
undismissed vulnerabilities as dismissed if there was a dismissal
feedback that had the same project_fingerprint but belonged either to
another project or to another report type.

https://gitlab.com/gitlab-org/gitlab/issues/36958
parent 305dedf9
...@@ -152,6 +152,8 @@ module Vulnerabilities ...@@ -152,6 +152,8 @@ module Vulnerabilities
where( where(
"NOT EXISTS (?)", "NOT EXISTS (?)",
Feedback.select(1) Feedback.select(1)
.where("#{table_name}.report_type = vulnerability_feedback.category")
.where("#{table_name}.project_id = vulnerability_feedback.project_id")
.where("ENCODE(#{table_name}.project_fingerprint, 'HEX') = vulnerability_feedback.project_fingerprint") # rubocop:disable GitlabSecurity/SqlInjection .where("ENCODE(#{table_name}.project_fingerprint, 'HEX') = vulnerability_feedback.project_fingerprint") # rubocop:disable GitlabSecurity/SqlInjection
.for_dismissal .for_dismissal
) )
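Review bot: The new `report_type = vulnerability_feedback.category` predicate on the first added line compares two enum columns by raw stored value, so it is only correct while the occurrence `report_type` enum and the feedback `category` enum keep identical mappings; nothing in the hunk pins that coupling, so a comment such as `# report_type and category must keep the same enum mapping; see both model enums` above the new `.where`, plus a spec asserting the two mappings are equal, would make the dependency visible. I am inferring both are integer-backed enums from the unqualified comparison; if they are stored as strings this point does not apply. As a point of style, the two added `.where` strings interpolate `#{table_name}` exactly like the fingerprint line below them but lack its `# rubocop:disable GitlabSecurity/SqlInjection` pragma, so either the cop does not fire on them (and the existing pragma may be stale) or the pragma should be carried over; making the three lines consistent avoids confusion about why only one is exempted. The `where` call's enclosing method starts before this hunk.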
......
---
title: Fix the hiding of undismissed vulnerabilities
merge_request: 20599
author:
type: fixed
...@@ -181,11 +181,13 @@ describe Group do ...@@ -181,11 +181,13 @@ describe Group do
it 'does not include projects that only have dismissed vulnerabilities' do it 'does not include projects that only have dismissed vulnerabilities' do
project = create(:project, namespace: group) project = create(:project, namespace: group)
vulnerability = create(:vulnerabilities_occurrence, project: project) vulnerability = create(:vulnerabilities_occurrence, report_type: :dast, project: project)
create( create(
:vulnerability_feedback, :vulnerability_feedback,
project_fingerprint: vulnerability.project_fingerprint, category: :dast,
feedback_type: :dismissal feedback_type: :dismissal,
project: project,
project_fingerprint: vulnerability.project_fingerprint
) )
vulnerable_projects = group.vulnerable_projects vulnerable_projects = group.vulnerable_projects
......
...@@ -284,15 +284,29 @@ describe Vulnerabilities::Occurrence do ...@@ -284,15 +284,29 @@ describe Vulnerabilities::Occurrence do
set(:project) { create(:project) } set(:project) { create(:project) }
set(:project2) { create(:project) } set(:project2) { create(:project) }
let!(:finding1) { create(:vulnerabilities_occurrence, project: project) } let!(:finding1) { create(:vulnerabilities_occurrence, project: project) }
let!(:finding2) { create(:vulnerabilities_occurrence, project: project) } let!(:finding2) { create(:vulnerabilities_occurrence, project: project, report_type: :dast) }
let!(:finding3) { create(:vulnerabilities_occurrence, project: project2) } let!(:finding3) { create(:vulnerabilities_occurrence, project: project2) }
before do before do
create( create(
:vulnerability_feedback, :vulnerability_feedback,
:dismissal, :dismissal,
project: finding1.project,
project_fingerprint: finding1.project_fingerprint project_fingerprint: finding1.project_fingerprint
) )
create(
:vulnerability_feedback,
:dismissal,
project_fingerprint: finding2.project_fingerprint,
project: project2
)
create(
:vulnerability_feedback,
:dismissal,
category: :sast,
project_fingerprint: finding2.project_fingerprint,
project: finding2.project
)
end end
it 'returns all non-dismissed occurrences' do it 'returns all non-dismissed occurrences' do
......