Commit d6f48795 authored by Toon Claes's avatar Toon Claes

Merge branch '325612_do_not_return_vulnerabilities_without_findings' into 'master'

Fix `Security::FindingsFinder` for multiple report artifacts

See merge request gitlab-org/gitlab!62643
parents 3d4ef6f1 ae8c9189
......@@ -96,10 +96,10 @@ module Security
def report_findings
@report_findings ||= begin
builds.each_with_object({}) do |build, memo|
report = build.job_artifacts.map(&:security_report).compact.first
next unless report
reports = build.job_artifacts.map(&:security_report).compact
next unless reports.present?
memo[build.id] = report.findings.group_by(&:uuid).transform_values(&:first)
memo[build.id] = reports.flat_map(&:findings).index_by(&:uuid)
end
end
end
......
......@@ -4,10 +4,10 @@ require 'spec_helper'
RSpec.describe Security::FindingsFinder do
let_it_be(:pipeline) { create(:ci_pipeline) }
let_it_be(:build_ds) { create(:ci_build, :success, name: 'dependency_scanning', pipeline: pipeline) }
let_it_be(:build_sast) { create(:ci_build, :success, name: 'sast', pipeline: pipeline) }
let_it_be(:artifact_ds) { create(:ee_ci_job_artifact, :dependency_scanning, job: build_ds) }
let_it_be(:artifact_sast) { create(:ee_ci_job_artifact, :sast, job: build_sast) }
let_it_be(:build_1) { create(:ci_build, :success, name: 'dependency_scanning', pipeline: pipeline) }
let_it_be(:build_2) { create(:ci_build, :success, name: 'sast', pipeline: pipeline) }
let_it_be(:artifact_ds) { create(:ee_ci_job_artifact, :dependency_scanning, job: build_1) }
let_it_be(:artifact_sast) { create(:ee_ci_job_artifact, :sast, job: build_2) }
let_it_be(:report_ds) { create(:ci_reports_security_report, pipeline: pipeline, type: :dependency_scanning) }
let_it_be(:report_sast) { create(:ci_reports_security_report, pipeline: pipeline, type: :sast) }
......@@ -270,6 +270,33 @@ RSpec.describe Security::FindingsFinder do
it { is_expected.to match_array(expected_fingerprints) }
end
context 'when a build has more than one security report artifacts' do
let(:report_types) { :secret_detection }
let(:secret_detection_report) { create(:ci_reports_security_report, pipeline: pipeline, type: :secret_detection) }
let(:expected_fingerprints) { secret_detection_report.findings.map(&:project_fingerprint) }
before do
scan = create(:security_scan, scan_type: :secret_detection, build: build_2)
artifact = create(:ee_ci_job_artifact, :secret_detection, job: build_2)
report_content = File.read(artifact.file.path)
Gitlab::Ci::Parsers::Security::SecretDetection.parse!(report_content, secret_detection_report)
secret_detection_report.findings.each_with_index do |finding, index|
create(:security_finding,
severity: finding.severity,
confidence: finding.confidence,
project_fingerprint: finding.project_fingerprint,
uuid: finding.uuid,
deduplicated: true,
position: index,
scan: scan)
end
end
it { is_expected.to match_array(expected_fingerprints) }
end
end
end
end
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment