Merge branch '247490-vuln-blocked-pipeline-in-security-dashboard' into 'master'

Extend state transition that initiate creation of vulnerabilities in database to blocked pipeline state See merge request gitlab-org/gitlab!56779

Merge branch '247490-vuln-blocked-pipeline-in-security-dashboard' into 'master'
Extend state transition that initiate creation of vulnerabilities in database to blocked pipeline state See merge request gitlab-org/gitlab!56779
13d059fa · Sean McGivern · 8b3f42f9 · f9f56b76 · 13d059fa · 13d059fa
Commit 13d059fa authored Mar 25, 2021 by Sean McGivern
5 changed files
--- a/app/models/concerns/ci/has_status.rb
+++ b/app/models/concerns/ci/has_status.rb
@@ -43,6 +43,14 @@ module Ci
      def completed_statuses
        COMPLETED_STATUSES.map(&:to_sym)
      end
+
+      def blocked_statuses
+        BLOCKED_STATUS.map(&:to_sym)
+      end
+
+      def completed_and_blocked_statuses
+        completed_statuses + blocked_statuses
+      end
    end

    included do

--- a/ee/app/models/ee/ci/pipeline.rb
+++ b/ee/app/models/ee/ci/pipeline.rb
@@ -52,7 +52,7 @@ module EE
        }.freeze

        state_machine :status do
-          after_transition any => ::Ci::Pipeline.completed_statuses do |pipeline|
+          after_transition any => ::Ci::Pipeline.completed_and_blocked_statuses do |pipeline|
            next unless pipeline.can_store_security_reports?

            pipeline.run_after_commit do

--- a/ee/changelogs/unreleased/247490-vuln-blocked-pipeline-in-security-dashboard.yml
+++ b/ee/changelogs/unreleased/247490-vuln-blocked-pipeline-in-security-dashboard.yml
+---
+title: Extend state transition that initiate creation of vulnerabilities in database
+  to blocked pipeline state
+merge_request: 56779
+author:
+type: added
--- a/ee/spec/models/ci/pipeline_spec.rb
+++ b/ee/spec/models/ci/pipeline_spec.rb
@@ -164,63 +164,69 @@ RSpec.describe Ci::Pipeline do
    end
  end

-  describe 'Store security reports worker' do
-    shared_examples_for 'storing the security reports' do |transition|
-      let(:default_branch) { pipeline.ref }
+  shared_examples_for 'storing the security reports' do |transition|
+    let(:default_branch) { pipeline.ref }

-      subject(:transition_pipeline) { pipeline.update!(status_event: transition) }
+    subject(:transition_pipeline) { pipeline.update!(status_event: transition) }

-      before do
-        allow(StoreSecurityReportsWorker).to receive(:perform_async)
-        allow(project).to receive(:default_branch).and_return(default_branch)
-        allow(pipeline).to receive(:can_store_security_reports?).and_return(can_store_security_reports)
-      end
+    before do
+      allow(StoreSecurityReportsWorker).to receive(:perform_async)
+      allow(::Security::StoreScansWorker).to receive(:perform_async)
+      allow(SyncSecurityReportsToReportApprovalRulesWorker).to receive(:perform_async)
+      allow(project).to receive(:default_branch).and_return(default_branch)
+      allow(pipeline).to receive(:can_store_security_reports?).and_return(can_store_security_reports)
+    end

-      context 'when the security reports can be stored for the pipeline' do
-        let(:can_store_security_reports) { true }
+    context 'when the security reports can be stored for the pipeline' do
+      let(:can_store_security_reports) { true }

-        context 'when the ref is the default branch of project' do
-          it 'schedules store security report worker' do
-            transition_pipeline
+      context 'when the ref is the default branch of project' do
+        it 'schedules relevant workers', :aggregate_failures do
+          transition_pipeline

-            expect(StoreSecurityReportsWorker).to have_received(:perform_async).with(pipeline.id)
-          end
+          expect(StoreSecurityReportsWorker).to have_received(:perform_async).with(pipeline.id)
+          expect(::Security::StoreScansWorker).to have_received(:perform_async).with(pipeline.id)
+          expect(SyncSecurityReportsToReportApprovalRulesWorker).to have_received(:perform_async).with(pipeline.id)
        end
+      end

-        context 'when the ref is not the default branch of project' do
-          let(:default_branch) { 'another_branch' }
+      context 'when the ref is not the default branch of project' do
+        let(:default_branch) { 'another_branch' }

-          it 'does not schedule store security report worker' do
-            transition_pipeline
+        it 'does not schedule store security report worker' do
+          transition_pipeline

-            expect(StoreSecurityReportsWorker).not_to have_received(:perform_async)
-          end
+          expect(StoreSecurityReportsWorker).not_to have_received(:perform_async)
        end
      end
+    end

-      context 'when the security reports can not be stored for the pipeline' do
-        let(:can_store_security_reports) { false }
+    context 'when the security reports can not be stored for the pipeline' do
+      let(:can_store_security_reports) { false }

-        context 'when the ref is the default branch of project' do
-          it 'does not schedule store security report worker' do
-            transition_pipeline
+      context 'when the ref is the default branch of project', :aggregate_failures do
+        it 'does not relevant workers' do
+          transition_pipeline

-            expect(StoreSecurityReportsWorker).not_to have_received(:perform_async)
-          end
+          expect(StoreSecurityReportsWorker).not_to have_received(:perform_async)
+          expect(::Security::StoreScansWorker).not_to have_received(:perform_async)
+          expect(SyncSecurityReportsToReportApprovalRulesWorker).not_to have_received(:perform_async)
        end
+      end

-        context 'when the ref is not the default branch of project' do
-          let(:default_branch) { 'another_branch' }
+      context 'when the ref is not the default branch of project' do
+        let(:default_branch) { 'another_branch' }

-          it 'does not schedule store security report worker' do
-            transition_pipeline
+        it 'does not schedule store security report worker' do
+          transition_pipeline

-            expect(StoreSecurityReportsWorker).not_to have_received(:perform_async)
-          end
+          expect(StoreSecurityReportsWorker).not_to have_received(:perform_async)
        end
      end
    end
+  end

+  describe 'schedules security report related workers' do
    context 'when pipeline is succeeded' do
      it_behaves_like 'storing the security reports', :succeed
    end
@@ -236,6 +242,10 @@ RSpec.describe Ci::Pipeline do
    context 'when pipeline is canceled' do
      it_behaves_like 'storing the security reports', :cancel
    end
+
+    context 'when pipeline is blocked' do
+      it_behaves_like 'storing the security reports', :block
+    end
  end

  describe '#license_scanning_reports' do

--- a/spec/models/concerns/ci/has_status_spec.rb
+++ b/spec/models/concerns/ci/has_status_spec.rb
@@ -197,6 +197,12 @@ RSpec.describe Ci::HasStatus do
    end
  end

+  describe '.completed_and_blocked_statuses' do
+    subject { Ci::Pipeline.completed_and_blocked_statuses }
+
+    it { is_expected.to eq [:success, :failed, :canceled, :skipped, :manual, :scheduled] }
+  end
+
  context 'for scope with one status' do
    shared_examples 'having a job' do |status|
      %i[ci_build generic_commit_status].each do |type|