Store new location fingerprint for CS vulnerabilities

Store new location for CS vulnerabilities
Update existing CS vulnerability locations

ee/app/services/security/store_report_service.rb

@@ -69,10 +69,14 @@ module Security
       }
 
       begin
-        project
-          .vulnerability_findings
-          .create_with(create_params)
-          .find_or_create_by!(find_params)
+        if finding.location.respond_to?(:new_fingerprint)
+          create_or_update_vulnerability_finding(finding, create_params, find_params)
+        else
+          project
+            .vulnerability_findings
+            .create_with(create_params)
+            .find_or_create_by!(find_params)
+        end
       rescue ActiveRecord::RecordNotUnique
         project.vulnerability_findings.find_by!(find_params)
       rescue ActiveRecord::RecordInvalid => e
@@ -80,6 +84,25 @@ module Security
       end
     end
 
+    # temporary, once existing data has updated it will be removed
+    # https://gitlab.com/gitlab-org/gitlab/-/issues/229594
+    def create_or_update_vulnerability_finding(finding, create_params, find_params)
+      existing_findings = project.vulnerability_findings
+      new_fingerprint = finding.location.new_fingerprint
+
+      new_find_params = find_params.merge(location_fingerprint: new_fingerprint)
+      finding = existing_findings.where(find_params)
+                                 .or(existing_findings.where(new_find_params)).first
+
+      if !finding.blank? && finding.location_fingerprint != new_fingerprint
+        finding.update_column(:location_fingerprint, new_fingerprint)
+      elsif finding.nil?
+        finding = existing_findings.create!(create_params.merge(new_find_params))
+      end
+
+      finding
+    end
+
     def update_vulnerability_scanner(finding)
       scanner = scanners_objects[finding.scanner.key]
       scanner.update!(finding.scanner.to_hash)

ee/changelogs/unreleased/use-new-fingerprint-store-service.yml

+---
+title: Store/Update new location fingerprint for container scanning vulnerabilities
+merge_request: 39696
+author:
+type: other

ee/spec/services/security/store_report_service_spec.rb

@@ -55,6 +55,33 @@ RSpec.describe Security::StoreReportService, '#execute' do
       end
     end
 
+    context 'with container scanning vulnerabilities' do
+      let(:artifact) { create(:ee_ci_job_artifact, :container_scanning) }
+      let(:project) { artifact.project }
+      let(:pipeline) { artifact.job.pipeline }
+      let(:report) { pipeline.security_reports.get_report('container_scanning', artifact) }
+
+      it 'saves with new location' do
+        new_locations = report.findings.map(&:location).map(&:new_fingerprint)
+        expect(subject).to eq({ status: :success })
+        saved_locations = Vulnerabilities::Finding.all.map(&:location_fingerprint)
+        expect(new_locations).to match_array(saved_locations)
+      end
+
+      it 'updates existing location' do
+        allow_any_instance_of(described_class).to receive(:executed?).and_return(false)
+        expect(subject).to eq({ status: :success })
+
+        old_fingerprint = report.findings.first.location.fingerprint
+        new_fingerprint = report.findings.first.location.new_fingerprint
+        Vulnerabilities::Finding.first.update_column(:location_fingerprint, old_fingerprint)
+
+        described_class.new(pipeline, report).execute
+
+        expect(Vulnerabilities::Finding.first.location_fingerprint).to eq(new_fingerprint)
+      end
+    end
+
     context 'invalid data' do
       let(:artifact) { create(:ee_ci_job_artifact, :sast) }
       let(:finding_without_name) { build(:ci_reports_security_finding, name: nil) }