Merge branch 'disable-auto-resolution-of-secret-detection-findings' into 'master'

Exclude secret_detection findings from autoresolution See merge request gitlab-org/gitlab!71436

Merge branch 'disable-auto-resolution-of-secret-detection-findings' into 'master'
Exclude secret_detection findings from autoresolution See merge request gitlab-org/gitlab!71436
50cf5e41 · Sean McGivern · 300afbcb · 231545fd · 50cf5e41 · 50cf5e41
Commit 50cf5e41 authored Sep 30, 2021 by Sean McGivern
5 changed files
--- a/app/models/concerns/vulnerability_finding_helpers.rb
+++ b/app/models/concerns/vulnerability_finding_helpers.rb
@@ -2,6 +2,15 @@
 module VulnerabilityFindingHelpers
  extend ActiveSupport::Concern
+  # Manually resolvable report types cannot be considered fixed once removed from the
+  # target branch due to requiring active triage, such as rotation of an exposed token.
+  REPORT_TYPES_REQUIRING_MANUAL_RESOLUTION = %w[secret_detection].freeze
+  def requires_manual_resolution?
+    REPORT_TYPES_REQUIRING_MANUAL_RESOLUTION.include?(report_type)
+  end
  def matches_signatures(other_signatures, other_uuid)
    other_signature_types = other_signatures.index_by(&:algorithm_type)

--- a/ee/app/services/security/store_report_service.rb
+++ b/ee/app/services/security/store_report_service.rb
@@ -73,6 +73,8 @@ module Security
    end
    def mark_as_resolved_except(vulnerability_ids)
+      return if ::Vulnerabilities::Finding::REPORT_TYPES_REQUIRING_MANUAL_RESOLUTION.include?(report.type)
      project.vulnerabilities
             .with_report_types(report.type)
             .id_not_in(vulnerability_ids)

--- a/ee/spec/services/security/store_report_service_spec.rb
+++ b/ee/spec/services/security/store_report_service_spec.rb
@@ -477,6 +477,15 @@ RSpec.describe Security::StoreReportService, '#execute', :snowplow do
        end
      end
+      context 'when the existing vulnerability requires manual resolution' do
+        let(:trait) { :secret_detection }
+        let!(:finding) { create(:vulnerabilities_finding, :with_secret_detection, project: project, pipelines: [pipeline]) }
+        it 'wont mark the vulnerability as resolved on default branch' do
+          expect { subject }.not_to change { finding.vulnerability.reload.resolved_on_default_branch }
+        end
+      end
      context 'when the existing resolved vulnerability is discovered again on the latest report' do
        before do
          vulnerability.update_column(:resolved_on_default_branch, true)

--- a/lib/gitlab/ci/reports/security/vulnerability_reports_comparer.rb
+++ b/lib/gitlab/ci/reports/security/vulnerability_reports_comparer.rb
@@ -80,6 +80,8 @@ module Gitlab
            matcher = FindingMatcher.new(head_findings)
            base_findings.each do |base_finding|
+              next if base_finding.requires_manual_resolution?
              matched_head_finding = matcher.find_and_remove_match!(base_finding)
              @fixed_findings << base_finding if matched_head_finding.nil?

--- a/spec/models/concerns/vulnerability_finding_helpers_spec.rb
+++ b/spec/models/concerns/vulnerability_finding_helpers_spec.rb
+# frozen_string_literal: true
+require 'spec_helper'
+RSpec.describe VulnerabilityFindingHelpers do
+  let(:cls) do
+    Class.new do
+      include VulnerabilityFindingHelpers
+      attr_accessor :report_type
+      def initialize(report_type)
+        @report_type = report_type
+      end
+    end
+  end
+  describe '#requires_manual_resolution?' do
+    it 'returns false if the finding does not require manual resolution' do
+      expect(cls.new('sast').requires_manual_resolution?).to eq(false)
+    end
+    it 'returns true when the finding requires manual resolution' do
+      expect(cls.new('secret_detection').requires_manual_resolution?).to eq(true)
+    end
+  end
+end