Merge branch '355802-find-or-initialize-scanner-with-project_id' into 'master'

Find or initialize Scanners using project_id

See merge request gitlab-org/gitlab!82923

ee/app/services/vulnerabilities/manually_create_service.rb

@@ -65,10 +65,9 @@ module Vulnerabilities
       # In the GraphQL mutation mutation arguments we want to respect the security scanner schema:
       # https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/blob/master/src/security-report-format.json#L339
       # So the id provided to the mutation is actually external_id in our database
-      Vulnerabilities::Scanner.find_or_initialize_by(external_id: scanner_hash[:id]) do |s|
+      Vulnerabilities::Scanner.find_or_initialize_by(external_id: scanner_hash[:id], project_id: @project.id) do |s|
         s.name = scanner_hash[:name]
         s.vendor = scanner_hash.dig(:vendor, :name).to_s
-        s.project = @project
       end
     end
     # rubocop: enable CodeReuse/ActiveRecord

ee/spec/services/vulnerabilities/manually_create_service_spec.rb

@@ -10,6 +10,7 @@ RSpec.describe Vulnerabilities::ManuallyCreateService do
   let_it_be(:user) { create(:user) }
 
   let(:project) { create(:project) } # cannot use let_it_be here: caching causes problems with permission-related tests
+  let(:different_project) { create(:project) }
 
   subject { described_class.new(project, user, params: params).execute }
 
@@ -108,10 +109,21 @@ RSpec.describe Vulnerabilities::ManuallyCreateService do
       end
 
       context 'when Scanner already exists' do
-        let!(:scanner) { create(:vulnerabilities_scanner, external_id: scanner_attributes[:id]) }
+        let!(:scanner) { create(:vulnerabilities_scanner, external_id: scanner_attributes[:id], project: project) }
 
         it 'does not create a new Scanner' do
           expect { subject }.to change(Vulnerabilities::Scanner, :count).by(0)
+          expect(vulnerability.finding.scanner_id).to eq(scanner.id)
+        end
+      end
+
+      # See https://gitlab.com/gitlab-org/gitlab/-/issues/355802#note_874700035
+      context 'when Scanner with the same name exists in a different project' do
+        let!(:scanner) { create(:vulnerabilities_scanner, external_id: scanner_attributes[:id], project: different_project) }
+
+        it 'creates a new Scanner in the correct project', :aggregate_failures do
+          expect { subject }.to change(Vulnerabilities::Scanner, :count).by(1)
+          expect(vulnerability.finding.scanner_id).not_to eq(scanner.id)
         end
       end