Merge branch 'security-fix-vuln-with-existing-feedback' into 'master'

Fix vulnerability_feedback create service

See merge request gitlab-org/security/gitlab!300

ee/app/services/vulnerability_feedback/create_service.rb

@@ -19,7 +19,7 @@ module VulnerabilityFeedback
         vulnerability_feedback.save
       end
 
-      if vulnerability_feedback.persisted?
+      if vulnerability_feedback.persisted? && vulnerability_feedback.valid?
         success(vulnerability_feedback)
       else
         rollback_merge_request(vulnerability_feedback.merge_request) if vulnerability_feedback.merge_request

ee/changelogs/unreleased/security-vuln-w-existing-feedback-pipeline.yml

+---
+title: Enforce existing vulnerability feedback pipeline is in the same project
+merge_request:
+author:
+type: security

ee/spec/services/vulnerability_feedback/create_service_spec.rb

@@ -208,6 +208,26 @@ describe VulnerabilityFeedback::CreateService, '#execute' do
     end
   end
 
+  context 'when feedback exists' do
+    let!(:feedback) { create(:vulnerability_feedback, project: project) }
+    let(:another_pipeline) { create(:ci_pipeline) }
+    let(:feedback_params) do
+      {
+        feedback_type: feedback.feedback_type, pipeline_id: another_pipeline.id, category: feedback.category,
+        project_fingerprint: feedback.project_fingerprint,
+        comment: feedback.comment,
+        vulnerability_data: feedback.vulnerability_data
+      }
+    end
+
+    it 'returns error when params are invalid' do
+      result = described_class.new(project, user, feedback_params).execute
+
+      expect(result[:status]).to eq(:error)
+      expect(result[:message][:pipeline]).to eq(["must associate the same project"])
+    end
+  end
+
   context 'when params are invalid' do
     context 'when vulnerability_data params is missing and feedback_type is issue' do
       let(:feedback_params) do