Merge branch 'cleanup-sast-fixtures' into 'master'

chore: Cleanup SAST report fixtures See merge request gitlab-org/gitlab!57875

Merge branch 'cleanup-sast-fixtures' into 'master'
chore: Cleanup SAST report fixtures See merge request gitlab-org/gitlab!57875
6940fec3 · Douglas Barbosa Alexandre · 7335c312 · 9c880db3 · 6940fec3 · 6940fec3
Commit 6940fec3 authored Apr 06, 2021 by Douglas Barbosa Alexandre
15 changed files
--- a/ee/spec/finders/security/findings_finder_spec.rb
+++ b/ee/spec/finders/security/findings_finder_spec.rb
@@ -112,13 +112,13 @@ RSpec.describe Security::FindingsFinder do
        subject { finder_result.total_pages }
        context 'when the per_page is not provided' do
-          it { is_expected.to be(2) }
+          it { is_expected.to be(1) }
        end
        context 'when the per_page is provided' do
-          let(:per_page) { 100 }
+          let(:per_page) { 3 }
-          it { is_expected.to be(1) }
+          it { is_expected.to be(3) }
        end
      end
@@ -126,13 +126,13 @@ RSpec.describe Security::FindingsFinder do
        subject { finder_result.total_count }
        context 'when the scope is not provided' do
-          it { is_expected.to be(35) }
+          it { is_expected.to be(8) }
        end
        context 'when the scope is provided as `all`' do
          let(:scope) { 'all' }
-          it { is_expected.to be(36) }
+          it { is_expected.to be(8) }
        end
      end
@@ -140,6 +140,9 @@ RSpec.describe Security::FindingsFinder do
        subject { finder_result.next_page }
        context 'when the page is not provided' do
+          # Limit per_page to force pagination on smaller dataset
+          let(:per_page) { 2 }
          it { is_expected.to be(2) }
        end
@@ -159,6 +162,8 @@ RSpec.describe Security::FindingsFinder do
        context 'when the page is provided' do
          let(:page) { 2 }
+          # Limit per_page to force pagination on smaller dataset
+          let(:per_page) { 2 }
          it { is_expected.to be(1) }
        end
@@ -172,24 +177,12 @@ RSpec.describe Security::FindingsFinder do
            %w[
              4ae096451135db224b9e16818baaca8096896522
              0bfcfbb70b15a7cecef9a1ea39df15ecfd88949f
-              117590fc6b3841014366f335f494d1aa36ce7b46
+              157f362acf654c60e224400f59a088e1c01b369f
-              8fac98c156431a8bdb7a69a935cc564c314ab776
-              95566733fc91301623055363a77124410592af7e
-              0314c9673160662292cfab1af6dc5c880fb73717
-              4e44f4045e2a27d147d08895acf8df502f440f96
-              b5f82291ed084fe134af5a9b90a8078ab802a6cc
-              98366a28fa80b23a1dafe2b36e239a04909495c4
              b9c0d1cdc7cb9c180ebb6981abbddc2df0172509
-              cefacf9f36c487d04f33c59f22e6c402bff5300a
+              baf3e36cda35331daed7a3e80155533d552844fa
-              d533c3a12403b6c6033a50b53f9c73f894a40fc6
+              3204893d5894c74aaee86ce5bc28427f9f14e512
-              92c7bdc63a9908bddbc5b66c95e93e99a1927879
+              98366a28fa80b23a1dafe2b36e239a04909495c4
-              dd482eab94e695ae85c1a883c4dbe4c74a7e6b2c
+              9a644ee1b89ac29d6175dc1170914f47b0531635
-              be6f6e4fb5bdfd8819e70d930b32798b38a361e0
-              f603dd8517800823df02a8f1e5621b56c00710d8
-              21b17b6ced16fe507dd5b71bca24f0515d04fb7e
-              f1dde46676cd2a8e48f0837e5dae77087419b09c
-              fec8863c5c1b4ed58eddf7722a9f1598af3aca70
-              e325e114daf41074d41d1ebe1869158c4f7594dc
            ]
          end
@@ -198,23 +191,12 @@ RSpec.describe Security::FindingsFinder do
        context 'when the page is provided' do
          let(:page) { 2 }
+          # Limit per_page to force pagination on smaller dataset
+          let(:per_page) { 2 }
          let(:expected_fingerprints) do
            %w[
-              51026f8933c463b316c5bc33adb462e4a6f6cff2
+              0bfcfbb70b15a7cecef9a1ea39df15ecfd88949f
-              45cb4c0323b0b4a1adcb66fa1d0684d53e15cc27
+              baf3e36cda35331daed7a3e80155533d552844fa
-              48f71ab14afcf0f497fb238dc4289294b93873b0
-              18fe6882cdac0f3eac7784a33c9daf20109010ce
-              2cae57e97785a8aef9ae4ed947093d6a908bcc52
-              857969b55ba97d5e1c06ab920b470b009c2f3274
-              e3b452f63d8979e6f3e4839c6ec14b62917758e4
-              63dfc168b8c01a446088c9b8cf68a7d4a2a0013b
-              7b0792ce8db4e2cb74083490e6a87176accea102
-              30ab265fb9e816976b740beb0557ca79e8653bb6
-              81a3b7c4885e64f9013ac904bf118a05bcb7732d
-              ecd3b645971fc2682f5cb23d938037c6f072207f
-              55c41a63d2c9c3ea243b9f9cd3254d68fbee2b6b
-              3204893d5894c74aaee86ce5bc28427f9f14e512
-              157f362acf654c60e224400f59a088e1c01b369f
            ]
          end
@@ -222,44 +204,10 @@ RSpec.describe Security::FindingsFinder do
        end
        context 'when the per_page is provided' do
-          let(:per_page) { 40 }
+          let(:per_page) { 1 }
          let(:expected_fingerprints) do
            %w[
-              3204893d5894c74aaee86ce5bc28427f9f14e512
-              157f362acf654c60e224400f59a088e1c01b369f
              4ae096451135db224b9e16818baaca8096896522
-              d533c3a12403b6c6033a50b53f9c73f894a40fc6
-              b9c0d1cdc7cb9c180ebb6981abbddc2df0172509
-              98366a28fa80b23a1dafe2b36e239a04909495c4
-              b5f82291ed084fe134af5a9b90a8078ab802a6cc
-              4e44f4045e2a27d147d08895acf8df502f440f96
-              8fac98c156431a8bdb7a69a935cc564c314ab776
-              95566733fc91301623055363a77124410592af7e
-              0314c9673160662292cfab1af6dc5c880fb73717
-              117590fc6b3841014366f335f494d1aa36ce7b46
-              0bfcfbb70b15a7cecef9a1ea39df15ecfd88949f
-              92c7bdc63a9908bddbc5b66c95e93e99a1927879
-              cefacf9f36c487d04f33c59f22e6c402bff5300a
-              dd482eab94e695ae85c1a883c4dbe4c74a7e6b2c
-              48f71ab14afcf0f497fb238dc4289294b93873b0
-              45cb4c0323b0b4a1adcb66fa1d0684d53e15cc27
-              e3b452f63d8979e6f3e4839c6ec14b62917758e4
-              857969b55ba97d5e1c06ab920b470b009c2f3274
-              63dfc168b8c01a446088c9b8cf68a7d4a2a0013b
-              7b0792ce8db4e2cb74083490e6a87176accea102
-              2cae57e97785a8aef9ae4ed947093d6a908bcc52
-              18fe6882cdac0f3eac7784a33c9daf20109010ce
-              e325e114daf41074d41d1ebe1869158c4f7594dc
-              51026f8933c463b316c5bc33adb462e4a6f6cff2
-              fec8863c5c1b4ed58eddf7722a9f1598af3aca70
-              f1dde46676cd2a8e48f0837e5dae77087419b09c
-              21b17b6ced16fe507dd5b71bca24f0515d04fb7e
-              be6f6e4fb5bdfd8819e70d930b32798b38a361e0
-              f603dd8517800823df02a8f1e5621b56c00710d8
-              30ab265fb9e816976b740beb0557ca79e8653bb6
-              81a3b7c4885e64f9013ac904bf118a05bcb7732d
-              55c41a63d2c9c3ea243b9f9cd3254d68fbee2b6b
-              ecd3b645971fc2682f5cb23d938037c6f072207f
            ]
          end
@@ -270,18 +218,10 @@ RSpec.describe Security::FindingsFinder do
          let(:severity_levels) { [:medium] }
          let(:expected_fingerprints) do
            %w[
-              b5f82291ed084fe134af5a9b90a8078ab802a6cc
-              4e44f4045e2a27d147d08895acf8df502f440f96
-              8fac98c156431a8bdb7a69a935cc564c314ab776
-              95566733fc91301623055363a77124410592af7e
-              0314c9673160662292cfab1af6dc5c880fb73717
-              117590fc6b3841014366f335f494d1aa36ce7b46
              0bfcfbb70b15a7cecef9a1ea39df15ecfd88949f
-              d533c3a12403b6c6033a50b53f9c73f894a40fc6
+              9a644ee1b89ac29d6175dc1170914f47b0531635
              b9c0d1cdc7cb9c180ebb6981abbddc2df0172509
-              98366a28fa80b23a1dafe2b36e239a04909495c4
+              baf3e36cda35331daed7a3e80155533d552844fa
-              92c7bdc63a9908bddbc5b66c95e93e99a1927879
-              cefacf9f36c487d04f33c59f22e6c402bff5300a
            ]
          end
@@ -292,10 +232,7 @@ RSpec.describe Security::FindingsFinder do
          let(:confidence_levels) { [:low] }
          let(:expected_fingerprints) do
            %w[
-              30ab265fb9e816976b740beb0557ca79e8653bb6
+              98366a28fa80b23a1dafe2b36e239a04909495c4
-              81a3b7c4885e64f9013ac904bf118a05bcb7732d
-              55c41a63d2c9c3ea243b9f9cd3254d68fbee2b6b
-              ecd3b645971fc2682f5cb23d938037c6f072207f
            ]
          end
@@ -321,25 +258,13 @@ RSpec.describe Security::FindingsFinder do
          let(:expected_fingerprints) do
            %w[
              4ae096451135db224b9e16818baaca8096896522
+              157f362acf654c60e224400f59a088e1c01b369f
+              baf3e36cda35331daed7a3e80155533d552844fa
              0bfcfbb70b15a7cecef9a1ea39df15ecfd88949f
-              117590fc6b3841014366f335f494d1aa36ce7b46
-              8fac98c156431a8bdb7a69a935cc564c314ab776
-              95566733fc91301623055363a77124410592af7e
-              0314c9673160662292cfab1af6dc5c880fb73717
-              4e44f4045e2a27d147d08895acf8df502f440f96
-              b5f82291ed084fe134af5a9b90a8078ab802a6cc
              98366a28fa80b23a1dafe2b36e239a04909495c4
              b9c0d1cdc7cb9c180ebb6981abbddc2df0172509
-              cefacf9f36c487d04f33c59f22e6c402bff5300a
+              3204893d5894c74aaee86ce5bc28427f9f14e512
-              d533c3a12403b6c6033a50b53f9c73f894a40fc6
+              9a644ee1b89ac29d6175dc1170914f47b0531635
-              92c7bdc63a9908bddbc5b66c95e93e99a1927879
-              dd482eab94e695ae85c1a883c4dbe4c74a7e6b2c
-              be6f6e4fb5bdfd8819e70d930b32798b38a361e0
-              f603dd8517800823df02a8f1e5621b56c00710d8
-              db759283b7fb13eae48a3f60db4c7506cdab8f26
-              21b17b6ced16fe507dd5b71bca24f0515d04fb7e
-              f1dde46676cd2a8e48f0837e5dae77087419b09c
-              fec8863c5c1b4ed58eddf7722a9f1598af3aca70
            ]
          end

--- a/ee/spec/finders/security/pipeline_vulnerabilities_finder_spec.rb
+++ b/ee/spec/finders/security/pipeline_vulnerabilities_finder_spec.rb
@@ -262,7 +262,7 @@ RSpec.describe Security::PipelineVulnerabilitiesFinder do
        subject { described_class.new(pipeline: pipeline).execute }
        it 'returns all vulnerabilities with all scanners available' do
-          expect(subject.findings.map(&:scanner).map(&:external_id).uniq).to match_array %w[bandit bundler_audit find_sec_bugs flawfinder gemnasium klar zaproxy]
+          expect(subject.findings.map(&:scanner).map(&:external_id).uniq).to match_array %w[bundler_audit find_sec_bugs gemnasium klar zaproxy]
        end
      end
@@ -277,11 +277,11 @@ RSpec.describe Security::PipelineVulnerabilitiesFinder do
    context 'by all filters' do
      context 'with found entity' do
-        let(:params) { { report_type: %w[sast dast container_scanning dependency_scanning], scanner: %w[bandit bundler_audit find_sec_bugs flawfinder gemnasium klar zaproxy], scope: 'all' } }
+        let(:params) { { report_type: %w[sast dast container_scanning dependency_scanning], scanner: %w[bundler_audit find_sec_bugs gemnasium klar zaproxy], scope: 'all' } }
        it 'filters by all params' do
          expect(subject.findings.count).to eq(cs_count + dast_count + ds_count + sast_count)
-          expect(subject.findings.map(&:scanner).map(&:external_id).uniq).to match_array %w[bandit bundler_audit find_sec_bugs flawfinder gemnasium klar zaproxy]
+          expect(subject.findings.map(&:scanner).map(&:external_id).uniq).to match_array %w[bundler_audit find_sec_bugs gemnasium klar zaproxy]
          expect(subject.findings.map(&:confidence).uniq).to match_array(%w[unknown low medium high])
          expect(subject.findings.map(&:severity).uniq).to match_array(%w[unknown low medium high critical info])
        end
@@ -326,7 +326,7 @@ RSpec.describe Security::PipelineVulnerabilitiesFinder do
      let(:confirmed_fingerprint) do
        Digest::SHA1.hexdigest(
-          'python/hardcoded/hardcoded-tmp.py:52865813c884a507be1f152d654245af34aba8a391626d01f1ab6d3f52ec8779:B108')
+          'groovy/src/main/java/com/gitlab/security_products/tests/App.groovy:29:CIPHER_INTEGRITY')
      end
      let(:resolved_fingerprint) do

--- a/ee/spec/fixtures/security_reports/feature-branch/gl-sast-report.json
+++ b/ee/spec/fixtures/security_reports/feature-branch/gl-sast-report.json
--- a/ee/spec/lib/gitlab/ci/parsers/security/sast_spec.rb
+++ b/ee/spec/lib/gitlab/ci/parsers/security/sast_spec.rb
@@ -11,9 +11,9 @@ RSpec.describe Gitlab::Ci::Parsers::Security::Sast do
    let(:created_at) { 2.weeks.ago }
    context "when parsing valid reports" do
-      where(:report_format, :scanner_length) do
+      where(:report_format, :report_version, :scanner_length, :finding_length, :identifier_length, :file_path, :line) do
-        :sast               | 4
+        :sast               | '14.0.0' | 1 | 5  | 6  | 'groovy/src/main/java/com/gitlab/security_products/tests/App.groovy' | 47
-        :sast_deprecated    | 3
+        :sast_deprecated    | '1.2'    | 3 | 33 | 17 | 'python/hardcoded/hardcoded-tmp.py'                                  | 1
      end
      with_them do
@@ -25,8 +25,8 @@ RSpec.describe Gitlab::Ci::Parsers::Security::Sast do
        end
        it "parses all identifiers and findings" do
-          expect(report.findings.length).to eq(33)
+          expect(report.findings.length).to eq(finding_length)
-          expect(report.identifiers.length).to eq(17)
+          expect(report.identifiers.length).to eq(identifier_length)
          expect(report.scanners.length).to eq(scanner_length)
        end
@@ -35,16 +35,14 @@ RSpec.describe Gitlab::Ci::Parsers::Security::Sast do
          expect(location).to be_a(::Gitlab::Ci::Reports::Security::Locations::Sast)
          expect(location).to have_attributes(
-            file_path: 'python/hardcoded/hardcoded-tmp.py',
+            file_path: file_path,
-            start_line: 1,
+            end_line: line,
-            end_line: 1,
+            start_line: line
-            class_name: nil,
-            method_name: nil
          )
        end
        it "generates expected metadata_version" do
-          expect(report.findings.first.metadata_version).to eq('1.2')
+          expect(report.findings.first.metadata_version).to eq(report_version)
        end
      end
    end

--- a/ee/spec/models/ci/build_spec.rb
+++ b/ee/spec/models/ci/build_spec.rb
@@ -226,7 +226,7 @@ RSpec.describe Ci::Build do
        it 'parses blobs and add the results to the report' do
          subject
-          expect(security_reports.get_report('sast', artifact).findings.size).to eq(33)
+          expect(security_reports.get_report('sast', artifact).findings.size).to eq(5)
        end
        it 'adds the created date to the report' do
@@ -245,7 +245,7 @@ RSpec.describe Ci::Build do
        it 'parses blobs and adds the results to the reports' do
          subject
-          expect(security_reports.get_report('sast', sast_artifact).findings.size).to eq(33)
+          expect(security_reports.get_report('sast', sast_artifact).findings.size).to eq(5)
          expect(security_reports.get_report('dependency_scanning', ds_artifact).findings.size).to eq(4)
          expect(security_reports.get_report('container_scanning', cs_artifact).findings.size).to eq(8)
          expect(security_reports.get_report('dast', dast_artifact).findings.size).to eq(20)

--- a/ee/spec/models/ci/pipeline_spec.rb
+++ b/ee/spec/models/ci/pipeline_spec.rb
@@ -137,7 +137,7 @@ RSpec.describe Ci::Pipeline do
        expect(subject.reports.keys).to contain_exactly('sast', 'dependency_scanning', 'container_scanning')
        # for each of report categories, we have merged 2 reports with the same data (fixture)
-        expect(subject.get_report('sast', sast1_artifact).findings.size).to eq(33)
+        expect(subject.get_report('sast', sast1_artifact).findings.size).to eq(5)
        expect(subject.get_report('dependency_scanning', ds1_artifact).findings.size).to eq(4)
        expect(subject.get_report('container_scanning', cs1_artifact).findings.size).to eq(8)
      end
@@ -146,7 +146,7 @@ RSpec.describe Ci::Pipeline do
        let(:build_sast_1) { create(:ci_build, :retried, name: 'sast_1', pipeline: pipeline, project: project) }
        it 'does not take retried builds into account' do
-          expect(subject.get_report('sast', sast1_artifact).findings.size).to eq(33)
+          expect(subject.get_report('sast', sast1_artifact).findings.size).to eq(5)
          expect(subject.get_report('dependency_scanning', ds1_artifact).findings.size).to eq(4)
          expect(subject.get_report('container_scanning', cs1_artifact).findings.size).to eq(8)
        end

--- a/ee/spec/models/ee/ci/job_artifact_spec.rb
+++ b/ee/spec/models/ee/ci/job_artifact_spec.rb
@@ -227,7 +227,7 @@ RSpec.describe Ci::JobArtifact do
    subject(:findings_count) { security_report.findings.length }
-    it { is_expected.to be(33) }
+    it { is_expected.to be(5) }
    context 'for different types' do
      where(:file_type, :security_report?) do

--- a/ee/spec/requests/api/graphql/project/pipeline/security_report_finding_spec.rb
+++ b/ee/spec/requests/api/graphql/project/pipeline/security_report_finding_spec.rb
@@ -64,7 +64,7 @@ RSpec.describe 'Query.project(fullPath).pipeline(iid).securityReportFindings' do
      end
      it 'returns all the vulnerability findings' do
-        expect(security_report_findings.length).to eq(53)
+        expect(security_report_findings.length).to eq(25)
      end
      it 'returns all the queried fields', :aggregate_failures do

--- a/ee/spec/requests/api/graphql/project/pipeline/security_report_summary_spec.rb
+++ b/ee/spec/requests/api/graphql/project/pipeline/security_report_summary_spec.rb
@@ -78,7 +78,7 @@ RSpec.describe 'Query.project(fullPath).pipeline(iid).securityReportSummary' do
  it 'shows the vulnerabilitiesCount and scannedResourcesCount' do
    expect(security_report_summary.dig('dast', 'vulnerabilitiesCount')).to eq(20)
    expect(security_report_summary.dig('dast', 'scannedResourcesCount')).to eq(26)
-    expect(security_report_summary.dig('sast', 'vulnerabilitiesCount')).to eq(33)
+    expect(security_report_summary.dig('sast', 'vulnerabilitiesCount')).to eq(5)
  end
  it 'shows the first 20 scanned resources' do

--- a/ee/spec/services/ci/compare_security_reports_service_spec.rb
+++ b/ee/spec/services/ci/compare_security_reports_service_spec.rb
@@ -197,7 +197,7 @@ RSpec.describe Ci::CompareSecurityReportsService do
      it 'reports new vulnerabilities' do
        expect(subject[:status]).to eq(:parsed)
-        expect(subject[:data]['added'].count).to eq(33)
+        expect(subject[:data]['added'].count).to eq(5)
        expect(subject[:data]['fixed'].count).to eq(0)
      end
    end
@@ -218,13 +218,13 @@ RSpec.describe Ci::CompareSecurityReportsService do
      it 'reports new vulnerability' do
        expect(subject[:data]['added'].count).to eq(1)
-        expect(subject[:data]['added'].first['identifiers']).to include(a_hash_including('name' => 'CWE-120'))
+        expect(subject[:data]['added'].first['identifiers']).to include(a_hash_including('name' => 'CWE-327'))
      end
      it 'reports fixed sast vulnerabilities' do
-        expect(subject[:data]['fixed'].count).to eq(4)
+        expect(subject[:data]['fixed'].count).to eq(1)
        compare_keys = collect_ids(subject[:data]['fixed'])
-        expected_keys = %w(char fopen strcpy char)
+        expected_keys = %w(CIPHER_INTEGRITY)
        expect(compare_keys - expected_keys).to eq([])
      end
    end

--- a/ee/spec/services/security/report_summary_service_spec.rb
+++ b/ee/spec/services/security/report_summary_service_spec.rb
@@ -129,7 +129,7 @@ RSpec.describe Security::ReportSummaryService, '#execute' do
    it 'returns the vulnerability count' do
      expect(result).to match(a_hash_including(
                                dast: a_hash_including(vulnerabilities_count: 20),
-                                sast: a_hash_including(vulnerabilities_count: 33),
+                                sast: a_hash_including(vulnerabilities_count: 5),
                                container_scanning: a_hash_including(vulnerabilities_count: 8),
                                dependency_scanning: a_hash_including(vulnerabilities_count: 4)
                              ))

--- a/ee/spec/services/security/store_report_service_spec.rb
+++ b/ee/spec/services/security/store_report_service_spec.rb
@@ -31,7 +31,7 @@ RSpec.describe Security::StoreReportService, '#execute' do
    using RSpec::Parameterized::TableSyntax
    where(:case_name, :trait, :scanners, :identifiers, :findings, :finding_identifiers, :finding_pipelines, :remediations, :fingerprints) do
-      'with SAST report'                | :sast                            | 3 | 17 | 33 | 39 | 33 | 0 | 2
+      'with SAST report'                | :sast                            | 1 | 6  | 5  | 7  | 5  | 0 | 2
      'with exceeding identifiers'      | :with_exceeding_identifiers      | 1 | 20 | 1  | 20 | 1  | 0 | 0
      'with Dependency Scanning report' | :dependency_scanning_remediation | 1 | 3  | 2  | 3  | 2  | 1 | 0
      'with Container Scanning report'  | :container_scanning              | 1 | 8  | 8  | 8  | 8  | 0 | 0
@@ -113,9 +113,13 @@ RSpec.describe Security::StoreReportService, '#execute' do
  end
  context 'with existing data from previous pipeline' do
-    let(:scanner) { build(:vulnerabilities_scanner, project: project, external_id: 'bandit', name: 'Bandit') }
+    let(:finding_identifier_fingerprint) do
-    let(:identifier) { build(:vulnerabilities_identifier, project: project, fingerprint: 'e6dd15eda2137be0034977a85b300a94a4f243a3') }
+      build(:ci_reports_security_identifier, external_id: "CIPHER_INTEGRITY").fingerprint
-    let(:different_identifier) { build(:vulnerabilities_identifier, project: project, fingerprint: 'fa47ee81f079e5c38ea6edb700b44eaeb62f67ee') }
+    end
+    let(:scanner) { build(:vulnerabilities_scanner, project: project, external_id: 'find_sec_bugs', name: 'Find Security Bugs') }
+    let(:identifier) { build(:vulnerabilities_identifier, project: project, fingerprint: finding_identifier_fingerprint) }
+    let(:different_identifier) { build(:vulnerabilities_identifier, project: project) }
    let!(:new_artifact) { create(:ee_ci_job_artifact, :sast, job: new_build) }
    let(:new_build) { create(:ci_build, pipeline: new_pipeline) }
    let(:new_pipeline) { create(:ci_pipeline, project: project) }
@@ -129,6 +133,15 @@ RSpec.describe Security::StoreReportService, '#execute' do
    let(:trait) { :sast }
+    let(:finding_location_fingerprint) do
+      build(
+        :ci_reports_security_locations_sast,
+        file_path: "groovy/src/main/java/com/gitlab/security_products/tests/App.groovy",
+        start_line: "29",
+        end_line: "29"
+      ).fingerprint
+    end
    let!(:finding) do
      create(:vulnerabilities_finding,
        pipelines: [pipeline],
@@ -136,8 +149,8 @@ RSpec.describe Security::StoreReportService, '#execute' do
        primary_identifier: identifier,
        scanner: scanner,
        project: project,
-        uuid: "80571acf-8660-4bc8-811a-1d8dec9ab6f4",
+        uuid: "e5388f40-18f5-566d-95c6-d64c6f46a00a",
-        location_fingerprint: 'd869ba3f0b3347eb2749135a437dc07c8ae0f420')
+        location_fingerprint: finding_location_fingerprint)
    end
    let!(:vulnerability) { create(:vulnerability, findings: [finding], project: project) }
@@ -180,30 +193,30 @@ RSpec.describe Security::StoreReportService, '#execute' do
      expect(finding.reload.uuid).to eq(desired_uuid)
    end
-    it 'inserts only new scanners and reuse existing ones' do
+    it 'reuses existing scanner' do
-      expect { subject }.to change { Vulnerabilities::Scanner.count }.by(2)
+      expect { subject }.not_to change { Vulnerabilities::Scanner.count }
    end
    it 'inserts only new identifiers and reuse existing ones' do
-      expect { subject }.to change { Vulnerabilities::Identifier.count }.by(16)
+      expect { subject }.to change { Vulnerabilities::Identifier.count }.by(5)
    end
    it 'inserts only new findings and reuse existing ones' do
-      expect { subject }.to change { Vulnerabilities::Finding.count }.by(32)
+      expect { subject }.to change { Vulnerabilities::Finding.count }.by(4)
    end
    it 'inserts all finding pipelines (join model) for this new pipeline' do
-      expect { subject }.to change { Vulnerabilities::FindingPipeline.where(pipeline: new_pipeline).count }.by(33)
+      expect { subject }.to change { Vulnerabilities::FindingPipeline.where(pipeline: new_pipeline).count }.by(5)
    end
    it 'inserts new vulnerabilities with data from findings from this new pipeline' do
-      expect { subject }.to change { Vulnerability.count }.by(32)
+      expect { subject }.to change { Vulnerability.count }.by(4)
    end
    it 'updates existing findings with new data' do
      subject
-      expect(finding.reload).to have_attributes(severity: 'medium', name: 'Probable insecure usage of temp file/directory.')
+      expect(finding.reload).to have_attributes(severity: 'medium', name: 'Cipher with no integrity')
    end
    it 'updates fingerprints to match new values' do
@@ -234,7 +247,7 @@ RSpec.describe Security::StoreReportService, '#execute' do
    it 'updates existing vulnerability with new data' do
      subject
-      expect(vulnerability.reload).to have_attributes(severity: 'medium', title: 'Probable insecure usage of temp file/directory.', title_html: 'Probable insecure usage of temp file/directory.')
+      expect(vulnerability.reload).to have_attributes(severity: 'medium', title: 'Cipher with no integrity', title_html: 'Cipher with no integrity')
    end
    context 'when the existing vulnerability is resolved with the latest report' do

--- a/ee/spec/services/security/store_scan_service_spec.rb
+++ b/ee/spec/services/security/store_scan_service_spec.rb
@@ -26,14 +26,27 @@ RSpec.describe Security::StoreScanService do
  describe '#execute' do
    let_it_be(:unique_finding_uuid) { artifact.security_report.findings[0].uuid }
-    let_it_be(:duplicate_finding_uuid) { artifact.security_report.findings[5].uuid }
+    let_it_be(:duplicate_finding_uuid) { artifact.security_report.findings[4].uuid }
+    let(:finding_location_fingerprint) do
+      build(
+        :ci_reports_security_locations_sast,
+        file_path: "groovy/src/main/java/com/gitlab/security_products/tests/App.groovy",
+        start_line: "41",
+        end_line: "41"
+      ).fingerprint
+    end
+    let(:finding_identifier_fingerprint) do
+      build(:ci_reports_security_identifier, external_id: "PREDICTABLE_RANDOM").fingerprint
+    end
    let(:deduplicate) { false }
    let(:service_object) { described_class.new(artifact, known_keys, deduplicate) }
    let(:finding_key) do
      build(:ci_reports_security_finding_key,
-            location_fingerprint: 'd869ba3f0b3347eb2749135a437dc07c8ae0f420',
+            location_fingerprint: finding_location_fingerprint,
-            identifier_fingerprint: 'e6dd15eda2137be0034977a85b300a94a4f243a3')
+            identifier_fingerprint: finding_identifier_fingerprint)
    end
    subject(:store_scan) { service_object.execute }

--- a/ee/spec/services/security/vulnerability_counting_service_spec.rb
+++ b/ee/spec/services/security/vulnerability_counting_service_spec.rb
@@ -64,7 +64,7 @@ RSpec.describe Security::VulnerabilityCountingService, '#execute' do
      end
      it {
-        is_expected.to match(a_hash_including("sast" => 33,
+        is_expected.to match(a_hash_including("sast" => 5,
                                              "dast" => 20,
                                              "container_scanning" => 8,
                                              "dependency_scanning" => 4))

--- a/spec/fixtures/security_reports/master/gl-sast-report.json
+++ b/spec/fixtures/security_reports/master/gl-sast-report.json