Inject pipeline to security reports

Previously we were injecting only the commit sha to security reports but to be able to make some calculations with the persisted findings we will need the project information. Therefore, we are now injecting the pipeline object to reports instead of the commit sha.

Inject pipeline to security reports
Previously we were injecting only the commit sha to security reports but to be able to make some calculations with the persisted findings we will need the project information. Therefore, we are now injecting the pipeline object to reports instead of the commit sha.
53fafd62 · Mehmet Emin INAC · 9e404d35 · 53fafd62 · 53fafd62 · 53fafd62
Commit 53fafd62 authored Aug 04, 2020 by Mehmet Emin INAC
16 changed files
--- a/ee/app/models/ee/ci/pipeline.rb
+++ b/ee/app/models/ee/ci/pipeline.rb
@@ -102,7 +102,7 @@ module EE
      end
      def security_reports
-        ::Gitlab::Ci::Reports::Security::Reports.new(sha).tap do |security_reports|
+        ::Gitlab::Ci::Reports::Security::Reports.new(self).tap do |security_reports|
          builds.latest.with_reports(::Ci::JobArtifact.security_reports).each do |build|
            build.collect_security_reports!(security_reports)
          end

--- a/ee/app/services/security/merge_reports_service.rb
+++ b/ee/app/services/security/merge_reports_service.rb
@@ -31,7 +31,7 @@ module Security
      sort_by_ds_analyzers!
      @target_report = ::Gitlab::Ci::Reports::Security::Report.new(
        @source_reports.first.type,
-        @source_reports.first.commit_sha,
+        @source_reports.first.pipeline,
        @source_reports.first.created_at
      )
      @findings = []

--- a/ee/lib/gitlab/ci/reports/security/report.rb
+++ b/ee/lib/gitlab/ci/reports/security/report.rb
@@ -9,7 +9,7 @@ module Gitlab
          attr_reader :created_at
          attr_reader :type
-          attr_reader :commit_sha
+          attr_reader :pipeline
          attr_reader :findings
          attr_reader :scanners
          attr_reader :identifiers
@@ -17,9 +17,9 @@ module Gitlab
          attr_accessor :scanned_resources
          attr_accessor :error
-          def initialize(type, commit_sha, created_at)
+          def initialize(type, pipeline, created_at)
            @type = type
-            @commit_sha = commit_sha
+            @pipeline = pipeline
            @created_at = created_at
            @findings = []
            @scanners = {}
@@ -27,6 +27,10 @@ module Gitlab
            @scanned_resources = []
          end
+          def commit_sha
+            pipeline.sha
+          end
          def errored?
            error.present?
          end
@@ -44,7 +48,7 @@ module Gitlab
          end
          def clone_as_blank
-            Report.new(type, commit_sha, created_at)
+            Report.new(type, pipeline, created_at)
          end
          def replace_with!(other)

--- a/ee/lib/gitlab/ci/reports/security/reports.rb
+++ b/ee/lib/gitlab/ci/reports/security/reports.rb
@@ -5,17 +5,17 @@ module Gitlab
    module Reports
      module Security
        class Reports
-          attr_reader :reports, :commit_sha
+          attr_reader :reports, :pipeline
          delegate :empty?, to: :reports
-          def initialize(commit_sha)
+          def initialize(pipeline)
            @reports = {}
-            @commit_sha = commit_sha
+            @pipeline = pipeline
          end
          def get_report(report_type, report_artifact)
-            reports[report_type] ||= Report.new(report_type, commit_sha, report_artifact.created_at)
+            reports[report_type] ||= Report.new(report_type, pipeline, report_artifact.created_at)
          end
          def violates_default_policy?

--- a/ee/spec/factories/ci/reports/security/reports.rb
+++ b/ee/spec/factories/ci/reports/security/reports.rb
@@ -3,7 +3,7 @@
 FactoryBot.define do
  factory :ci_reports_security_report, class: '::Gitlab::Ci::Reports::Security::Report' do
    type { :sast }
-    commit_sha { Digest::SHA1.hexdigest(SecureRandom.hex) }
+    pipeline { build(:ci_pipeline) }
    created_at { 2.weeks.ago }
    scanned_resources { [] }
@@ -22,7 +22,7 @@ FactoryBot.define do
    skip_create
    initialize_with do
-      ::Gitlab::Ci::Reports::Security::Report.new(type, commit_sha, created_at)
+      ::Gitlab::Ci::Reports::Security::Report.new(type, pipeline, created_at)
    end
  end
 end
--- a/ee/spec/lib/gitlab/ci/parsers/security/common_spec.rb
+++ b/ee/spec/lib/gitlab/ci/parsers/security/common_spec.rb
@@ -4,8 +4,10 @@ require 'spec_helper'
 RSpec.describe Gitlab::Ci::Parsers::Security::Common do
  describe '#parse!' do
+    let_it_be(:pipeline) { create(:ci_pipeline) }
    let(:artifact) { build(:ee_ci_job_artifact, :dependency_scanning) }
-    let(:report) { Gitlab::Ci::Reports::Security::Report.new(artifact.file_type, 'sha', 2.weeks.ago) }
+    let(:report) { Gitlab::Ci::Reports::Security::Report.new(artifact.file_type, pipeline, 2.weeks.ago) }
    let(:parser) { described_class.new }
    before do

--- a/ee/spec/lib/gitlab/ci/parsers/security/container_scanning_spec.rb
+++ b/ee/spec/lib/gitlab/ci/parsers/security/container_scanning_spec.rb
@@ -6,7 +6,7 @@ RSpec.describe Gitlab::Ci::Parsers::Security::ContainerScanning do
  let(:parser) { described_class.new }
  let(:project) { artifact.project }
  let(:pipeline) { artifact.job.pipeline }
-  let(:report) { Gitlab::Ci::Reports::Security::Report.new(artifact.file_type, pipeline.sha, 2.weeks.ago) }
+  let(:report) { Gitlab::Ci::Reports::Security::Report.new(artifact.file_type, pipeline, 2.weeks.ago) }
  before do
    artifact.each_blob do |blob|

--- a/ee/spec/lib/gitlab/ci/parsers/security/coverage_fuzzing_spec.rb
+++ b/ee/spec/lib/gitlab/ci/parsers/security/coverage_fuzzing_spec.rb
@@ -5,7 +5,7 @@ require 'spec_helper'
 RSpec.describe Gitlab::Ci::Parsers::Security::CoverageFuzzing do
  let(:project) { artifact.project }
  let(:pipeline) { artifact.job.pipeline }
-  let(:report) { Gitlab::Ci::Reports::Security::Report.new(artifact.file_type, pipeline.sha, 2.weeks.ago) }
+  let(:report) { Gitlab::Ci::Reports::Security::Report.new(artifact.file_type, pipeline, 2.weeks.ago) }
  let(:parser) { described_class.new }
  let(:artifact) { create(:ee_ci_job_artifact, :coverage_fuzzing) }

--- a/ee/spec/lib/gitlab/ci/parsers/security/dast_spec.rb
+++ b/ee/spec/lib/gitlab/ci/parsers/security/dast_spec.rb
@@ -9,7 +9,7 @@ RSpec.describe Gitlab::Ci::Parsers::Security::Dast do
    let(:project) { artifact.project }
    let(:pipeline) { artifact.job.pipeline }
    let(:artifact) { create(:ee_ci_job_artifact, :dast) }
-    let(:report) { Gitlab::Ci::Reports::Security::Report.new(artifact.file_type, pipeline.sha, 2.weeks.ago) }
+    let(:report) { Gitlab::Ci::Reports::Security::Report.new(artifact.file_type, pipeline, 2.weeks.ago) }
    let(:parser) { described_class.new }
    where(:report_format,

--- a/ee/spec/lib/gitlab/ci/parsers/security/dependency_scanning_spec.rb
+++ b/ee/spec/lib/gitlab/ci/parsers/security/dependency_scanning_spec.rb
@@ -9,7 +9,7 @@ RSpec.describe Gitlab::Ci::Parsers::Security::DependencyScanning do
    let(:project) { artifact.project }
    let(:pipeline) { artifact.job.pipeline }
    let(:artifact) { create(:ee_ci_job_artifact, :dependency_scanning) }
-    let(:report) { Gitlab::Ci::Reports::Security::Report.new(artifact.file_type, pipeline.sha, 2.weeks.ago) }
+    let(:report) { Gitlab::Ci::Reports::Security::Report.new(artifact.file_type, pipeline, 2.weeks.ago) }
    let(:parser) { described_class.new }
    where(:report_format, :occurrence_count, :identifier_count, :scanner_count, :file_path, :package_name, :package_version, :version) do

--- a/ee/spec/lib/gitlab/ci/parsers/security/sast_spec.rb
+++ b/ee/spec/lib/gitlab/ci/parsers/security/sast_spec.rb
@@ -4,16 +4,17 @@ require 'spec_helper'
 RSpec.describe Gitlab::Ci::Parsers::Security::Sast do
  describe '#parse!' do
-    subject(:parser) { described_class.new }
+    let_it_be(:pipeline) { create(:ci_pipeline) }
-    let(:commit_sha) { "d8978e74745e18ce44d88814004d4255ac6a65bb" }
    let(:created_at) { 2.weeks.ago }
+    subject(:parser) { described_class.new }
    context "when parsing valid reports" do
      where(report_format: %i(sast sast_deprecated))
      with_them do
-        let(:report) { Gitlab::Ci::Reports::Security::Report.new(artifact.file_type, commit_sha, created_at) }
+        let(:report) { Gitlab::Ci::Reports::Security::Report.new(artifact.file_type, pipeline, created_at) }
        let(:artifact) { create(:ee_ci_job_artifact, report_format) }
        before do
@@ -48,7 +49,7 @@ RSpec.describe Gitlab::Ci::Parsers::Security::Sast do
    end
    context "when parsing an empty report" do
-      let(:report) { Gitlab::Ci::Reports::Security::Report.new('sast', commit_sha, created_at) }
+      let(:report) { Gitlab::Ci::Reports::Security::Report.new('sast', pipeline, created_at) }
      let(:blob) { Gitlab::Json.generate({}) }
      it { expect(parser.parse!(blob, report)).to be_empty }

--- a/ee/spec/lib/gitlab/ci/parsers/security/secret_detection_spec.rb
+++ b/ee/spec/lib/gitlab/ci/parsers/security/secret_detection_spec.rb
@@ -4,16 +4,17 @@ require 'spec_helper'
 RSpec.describe Gitlab::Ci::Parsers::Security::SecretDetection do
  describe '#parse!' do
-    subject(:parser) { described_class.new }
+    let_it_be(:pipeline) { create(:ci_pipeline) }
-    let(:commit_sha) { "d8978e74745e18ce44d88814004d4255ac6a65bb" }
    let(:created_at) { 2.weeks.ago }
+    subject(:parser) { described_class.new }
    context "when parsing valid reports" do
      where(report_format: %i(secret_detection))
      with_them do
-        let(:report) { Gitlab::Ci::Reports::Security::Report.new(artifact.file_type, commit_sha, created_at) }
+        let(:report) { Gitlab::Ci::Reports::Security::Report.new(artifact.file_type, pipeline, created_at) }
        let(:artifact) { create(:ee_ci_job_artifact, report_format) }
        before do
@@ -48,7 +49,7 @@ RSpec.describe Gitlab::Ci::Parsers::Security::SecretDetection do
    end
    context "when parsing an empty report" do
-      let(:report) { Gitlab::Ci::Reports::Security::Report.new('secret_detection', commit_sha, created_at) }
+      let(:report) { Gitlab::Ci::Reports::Security::Report.new('secret_detection', pipeline, created_at) }
      let(:blob) { Gitlab::Json.generate({}) }
      it { expect(parser.parse!(blob, report)).to be_empty }

--- a/ee/spec/lib/gitlab/ci/reports/security/reports_spec.rb
+++ b/ee/spec/lib/gitlab/ci/reports/security/reports_spec.rb
@@ -3,9 +3,10 @@
 require 'spec_helper'
 RSpec.describe Gitlab::Ci::Reports::Security::Reports do
-  let(:commit_sha) { '20410773a37f49d599e5f0d45219b39304763538' }
+  let_it_be(:pipeline) { create(:ci_pipeline) }
-  let(:security_reports) { described_class.new(commit_sha) }
+  let_it_be(:artifact) { create(:ee_ci_job_artifact, :sast) }
-  let(:artifact) { create(:ee_ci_job_artifact, :sast) }
+  let(:security_reports) { described_class.new(pipeline) }
  describe '#get_report' do
    subject { security_reports.get_report(report_type, artifact) }
@@ -14,12 +15,11 @@ RSpec.describe Gitlab::Ci::Reports::Security::Reports do
      let(:report_type) { 'sast' }
      it { expect(subject.type).to eq('sast') }
-      it { expect(subject.commit_sha).to eq(commit_sha) }
      it { expect(subject.created_at).to eq(artifact.created_at) }
      it 'initializes a new report and returns it' do
        expect(Gitlab::Ci::Reports::Security::Report).to receive(:new)
-          .with('sast', commit_sha, artifact.created_at).and_call_original
+          .with('sast', pipeline, artifact.created_at).and_call_original
        is_expected.to be_a(Gitlab::Ci::Reports::Security::Report)
      end
@@ -39,7 +39,7 @@ RSpec.describe Gitlab::Ci::Reports::Security::Reports do
  end
  describe "#violates_default_policy?" do
-    subject { described_class.new(commit_sha) }
+    subject { described_class.new(pipeline) }
    let(:low_severity) { build(:ci_reports_security_finding, severity: 'low') }
    let(:high_severity) { build(:ci_reports_security_finding, severity: 'high') }

--- a/ee/spec/models/ci/build_spec.rb
+++ b/ee/spec/models/ci/build_spec.rb
@@ -157,7 +157,7 @@ RSpec.describe Ci::Build do
  end
  describe '#collect_security_reports!' do
-    let(:security_reports) { ::Gitlab::Ci::Reports::Security::Reports.new(pipeline.sha) }
+    let(:security_reports) { ::Gitlab::Ci::Reports::Security::Reports.new(pipeline) }
    subject { job.collect_security_reports!(security_reports) }

--- a/ee/spec/models/ci/pipeline_spec.rb
+++ b/ee/spec/models/ci/pipeline_spec.rb
@@ -146,12 +146,9 @@ RSpec.describe Ci::Pipeline do
      let!(:cs1_artifact) { create(:ee_ci_job_artifact, :container_scanning, job: build_cs_1, project: project) }
      let!(:cs2_artifact) { create(:ee_ci_job_artifact, :container_scanning, job: build_cs_2, project: project) }
-      before do
+      it 'assigns pipeline to the reports' do
-      end
+        expect(subject.pipeline).to eq(pipeline)
+        expect(subject.reports.values.map(&:pipeline).uniq).to contain_exactly(pipeline)
-      it 'assigns pipeline commit_sha to the reports' do
-        expect(subject.commit_sha).to eq(pipeline.sha)
-        expect(subject.reports.values.map(&:commit_sha).uniq).to contain_exactly(pipeline.sha)
      end
      it 'returns security reports with collected data grouped as expected' do

--- a/ee/spec/services/security/store_reports_service_spec.rb
+++ b/ee/spec/services/security/store_reports_service_spec.rb
@@ -34,7 +34,7 @@ RSpec.describe Security::StoreReportsService do
      end
      context 'when StoreReportService returns an error for a report' do
-        let(:reports) { Gitlab::Ci::Reports::Security::Reports.new(pipeline.sha) }
+        let(:reports) { Gitlab::Ci::Reports::Security::Reports.new(pipeline) }
        let(:sast_report) { reports.get_report('sast', sast_artifact) }
        let(:dast_report) { reports.get_report('dast', dast_artifact) }
        let(:success) { { status: :success } }