Add reading of project_id and pipeline_id from security_scans

ee/app/models/ee/ci/pipeline.rb

@@ -17,7 +17,7 @@ module EE
 
         # Subscriptions to this pipeline
         has_many :downstream_bridges, class_name: '::Ci::Bridge', foreign_key: :upstream_pipeline_id
-        has_many :security_scans, class_name: 'Security::Scan', through: :builds
+        has_many :security_scans, class_name: 'Security::Scan', inverse_of: :pipeline
         has_many :security_findings, class_name: 'Security::Finding', through: :security_scans, source: :findings
 
         has_one :dast_profiles_pipeline, class_name: 'Dast::ProfilesPipeline', foreign_key: :ci_pipeline_id

ee/app/models/ee/project.rb

@@ -104,6 +104,8 @@ module EE
 
       has_one :security_orchestration_policy_configuration, class_name: 'Security::OrchestrationPolicyConfiguration', foreign_key: :project_id, inverse_of: :project
 
+      has_many :security_scans, class_name: 'Security::Scan', inverse_of: :project
+
       elastic_index_dependant_association :issues, on_change: :visibility_level
       elastic_index_dependant_association :merge_requests, on_change: :visibility_level
       elastic_index_dependant_association :notes, on_change: :visibility_level

ee/app/models/security/scan.rb

@@ -11,8 +11,8 @@ module Security
     validates :info, json_schema: { filename: 'security_scan_info', draft: 7 }
 
     belongs_to :build, class_name: 'Ci::Build'
-
-    has_one :pipeline, class_name: 'Ci::Pipeline', through: :build
+    belongs_to :project
+    belongs_to :pipeline, class_name: 'Ci::Pipeline'
 
     has_many :findings, inverse_of: :scan
 
@@ -33,14 +33,14 @@ module Security
       # The `category` enum on `vulnerability_feedback` table starts from 0 but the `scan_type` enum
       # on `security_scans` from 1. For this reason, we have to decrease the value of `scan_type` by one
       # to match with category values on `vulnerability_feedback` table.
-      joins(build: { project: :vulnerability_feedback })
+      joins(project: :vulnerability_feedback)
         .where('vulnerability_feedback.category = (security_scans.scan_type - 1)')
         .merge(Vulnerabilities::Feedback.for_dismissal)
     end
 
     scope :latest_successful_by_build, -> { joins(:build).where(ci_builds: { status: 'success', retried: [nil, false] }) }
 
-    delegate :project, :name, to: :build
+    delegate :name, to: :build
 
     before_save :ensure_project_id_pipeline_id
 

ee/spec/factories/security_scans.rb

@@ -4,5 +4,7 @@ FactoryBot.define do
   factory :security_scan, class: 'Security::Scan' do
     scan_type { 'dast' }
     build factory: [:ci_build, :success]
+    pipeline { build.pipeline }
+    project { build.project }
   end
 end

ee/spec/models/ci/pipeline_spec.rb

@@ -13,7 +13,7 @@ RSpec.describe Ci::Pipeline do
   end
 
   describe 'associations' do
-    it { is_expected.to have_many(:security_scans).through(:builds).class_name('Security::Scan') }
+    it { is_expected.to have_many(:security_scans).class_name('Security::Scan') }
     it { is_expected.to have_many(:security_findings).through(:security_scans).class_name('Security::Finding').source(:findings) }
     it { is_expected.to have_many(:downstream_bridges) }
     it { is_expected.to have_many(:vulnerability_findings).through(:vulnerabilities_finding_pipelines).class_name('Vulnerabilities::Finding') }

ee/spec/models/project_spec.rb

@@ -62,6 +62,8 @@ RSpec.describe Project do
     it { is_expected.to have_many(:incident_management_oncall_rotations).through(:incident_management_oncall_schedules).source(:rotations) }
     it { is_expected.to have_many(:incident_management_escalation_policies).class_name('IncidentManagement::EscalationPolicy') }
 
+    it { is_expected.to have_many(:security_scans) }
+
     include_examples 'ci_cd_settings delegation'
 
     describe '#merge_pipelines_enabled?' do

ee/spec/models/security/scan_spec.rb

@@ -5,7 +5,8 @@ require 'spec_helper'
 RSpec.describe Security::Scan do
   describe 'associations' do
     it { is_expected.to belong_to(:build) }
-    it { is_expected.to have_one(:pipeline).through(:build).class_name('Ci::Pipeline') }
+    it { is_expected.to belong_to(:project) }
+    it { is_expected.to belong_to(:pipeline) }
     it { is_expected.to have_many(:findings) }
   end
 
@@ -36,10 +37,6 @@ RSpec.describe Security::Scan do
     end
   end
 
-  describe '#project' do
-    it { is_expected.to delegate_method(:project).to(:build) }
-  end
-
   describe '#name' do
     it { is_expected.to delegate_method(:name).to(:build) }
   end
@@ -93,15 +90,17 @@ RSpec.describe Security::Scan do
   end
 
   describe '.has_dismissal_feedback' do
-    let(:scan_1) { create(:security_scan) }
-    let(:scan_2) { create(:security_scan) }
+    let(:project_1) { create(:project) }
+    let(:project_2) { create(:project) }
+    let(:scan_1) { create(:security_scan, project: project_1) }
+    let(:scan_2) { create(:security_scan, project: project_2) }
     let(:expected_scans) { [scan_1] }
 
     subject { described_class.has_dismissal_feedback }
 
     before do
-      create(:vulnerability_feedback, :dismissal, project: scan_1.project, category: scan_1.scan_type)
-      create(:vulnerability_feedback, :issue, project: scan_2.project, category: scan_2.scan_type)
+      create(:vulnerability_feedback, :dismissal, project: project_1, category: scan_1.scan_type)
+      create(:vulnerability_feedback, :issue, project: project_2, category: scan_2.scan_type)
     end
 
     it { is_expected.to match_array(expected_scans) }

spec/lib/gitlab/import_export/all_models.yml

@@ -591,6 +591,7 @@ project:
 - error_tracking_errors
 - error_tracking_client_keys
 - pending_builds
+- security_scans
 award_emoji:
 - awardable
 - user