Merge branch '276498_start_auto_fix_after_ingestion' into 'master'

Schedule AutoFix background job after ingesting the security reports See merge request gitlab-org/gitlab!72957

Merge branch '276498_start_auto_fix_after_ingestion' into 'master'
Schedule AutoFix background job after ingesting the security reports See merge request gitlab-org/gitlab!72957
03226ec9 · Vitali Tatarintev · fd995d96 · f496649e · 03226ec9 · 03226ec9
Commit 03226ec9 authored Oct 26, 2021 by Vitali Tatarintev
2 changed files
--- a/ee/app/services/security/ingestion/ingest_reports_service.rb
+++ b/ee/app/services/security/ingestion/ingest_reports_service.rb
@@ -17,6 +17,7 @@ module Security
        store_reports
        mark_project_as_vulnerable!
        set_latest_pipeline!
+        schedule_auto_fix
      end

      private
@@ -31,7 +32,7 @@ module Security
      end

      def latest_security_scans
-        pipeline.security_scans.without_errors.latest
+        @latest_security_scans ||= pipeline.security_scans.without_errors.latest
      end

      def ingest(security_scan)
@@ -55,6 +56,22 @@ module Security
      def set_latest_pipeline!
        Vulnerabilities::Statistic.set_latest_pipeline_with(pipeline)
      end
+
+      def schedule_auto_fix
+        ::Security::AutoFixWorker.perform_async(pipeline.id) if auto_fix_enabled?
+      end
+
+      def auto_fix_enabled?
+        project.security_setting&.auto_fix_enabled? && has_auto_fixable_report_type?
+      end
+
+      def has_auto_fixable_report_type?
+        (project.security_setting.auto_fix_enabled_types & report_types).any?
+      end
+
+      def report_types
+        latest_security_scans.map(&:scan_type).map(&:to_sym)
+      end
    end
  end
 end
--- a/ee/spec/services/security/ingestion/ingest_reports_service_spec.rb
+++ b/ee/spec/services/security/ingestion/ingest_reports_service_spec.rb
@@ -10,7 +10,7 @@ RSpec.describe Security::Ingestion::IngestReportsService do
  let_it_be(:build) { create(:ci_build, pipeline: pipeline) }
  let_it_be(:security_scan_1) { create(:security_scan, build: build, scan_type: :sast) }
  let_it_be(:security_scan_2) { create(:security_scan, :with_error, build: build, scan_type: :dast) }
-  let_it_be(:security_scan_3) { create(:security_scan, build: build, scan_type: :secret_detection) }
+  let_it_be(:security_scan_3) { create(:security_scan, build: build, scan_type: :dependency_scanning) }
  let_it_be(:vulnerability_1) { create(:vulnerability, project: pipeline.project) }
  let_it_be(:vulnerability_2) { create(:vulnerability, project: pipeline.project) }

@@ -38,5 +38,53 @@ RSpec.describe Security::Ingestion::IngestReportsService do
                               .and change { vulnerability_2.reload.resolved_on_default_branch }.from(false).to(true)
                               .and not_change { vulnerability_1.reload.resolved_on_default_branch }.from(false)
    end
+
+    describe 'scheduling the AutoFix background job' do
+      let(:auto_fix_dependency_scanning?) { false }
+
+      before do
+        allow(Security::AutoFixWorker).to receive(:perform_async)
+        allow(project.security_setting).to receive(:auto_fix_enabled?).and_return(auto_fix_enabled?)
+        project.security_setting.update!(auto_fix_container_scanning: false, auto_fix_dependency_scanning: auto_fix_dependency_scanning?)
+
+        ingest_reports
+      end
+
+      context 'when the auto_fix is not enabled for the project' do
+        let(:auto_fix_enabled?) { false }
+
+        context 'when the pipeline does not have any auto fix enabled report type' do
+          it 'does not schedule the background job' do
+            expect(Security::AutoFixWorker).not_to have_received(:perform_async)
+          end
+        end
+
+        context 'when the pipeline has an auto fix enabled report type' do
+          let(:auto_fix_dependency_scanning?) { true }
+
+          it 'does not schedule the background job' do
+            expect(Security::AutoFixWorker).not_to have_received(:perform_async)
+          end
+        end
+      end
+
+      context 'when the auto_fix is enabled for the project' do
+        let(:auto_fix_enabled?) { true }
+
+        context 'when the pipeline does not have any auto fix enabled report type' do
+          it 'does not schedule the background job' do
+            expect(Security::AutoFixWorker).not_to have_received(:perform_async)
+          end
+        end
+
+        context 'when the pipeline has an auto fix enabled report type' do
+          let(:auto_fix_dependency_scanning?) { true }
+
+          it 'does not schedule the background job' do
+            expect(Security::AutoFixWorker).to have_received(:perform_async)
+          end
+        end
+      end
+    end
  end
 end