Merge branch 'use_latest_builds_for_security_findings_finder' into 'master'

Use latest builds for security findings finder

See merge request gitlab-org/gitlab!68266

ee/app/finders/security/findings_finder.rb

@@ -132,6 +132,7 @@ module Security
               .with_scanner
               .deduplicated
               .ordered
+              .latest
               .page(page)
               .per(per_page)
               .then(&method(:by_confidence_levels))

ee/app/models/security/finding.rb

@@ -34,6 +34,7 @@ module Security
                 .where('security_scans.id = security_findings.scan_id')
                 .where('vulnerability_feedback.project_fingerprint = security_findings.project_fingerprint'))
     end
+    scope :latest, -> { joins(:scan).merge(Security::Scan.latest_successful_by_build) }
     scope :ordered, -> { order(severity: :desc, confidence: :desc, id: :asc) }
     scope :with_pipeline_entities, -> { includes(build: [:job_artifacts, :pipeline]) }
     scope :with_scan, -> { includes(:scan) }

ee/spec/factories/security_scans.rb

@@ -3,6 +3,6 @@
 FactoryBot.define do
   factory :security_scan, class: 'Security::Scan' do
     scan_type { 'dast' }
-    build factory: :ci_build
+    build factory: [:ci_build, :success]
   end
 end

ee/spec/finders/security/findings_finder_spec.rb

@@ -304,6 +304,41 @@ RSpec.describe Security::FindingsFinder do
           it { is_expected.to match_array(expected_fingerprints) }
         end
 
+        context 'when there is a retried build' do
+          let(:retried_build) { create(:ci_build, :success, :retried, name: 'dependency_scanning', pipeline: pipeline) }
+          let(:artifact) { create(:ee_ci_job_artifact, :dependency_scanning, job: retried_build) }
+          let(:report) { create(:ci_reports_security_report, pipeline: pipeline, type: :dependency_scanning) }
+          let(:report_types) { :dependency_scanning }
+          let(:expected_fingerprints) do
+            %w[
+              3204893d5894c74aaee86ce5bc28427f9f14e512
+              157f362acf654c60e224400f59a088e1c01b369f
+              4ae096451135db224b9e16818baaca8096896522
+            ]
+          end
+
+          before do
+            retried_content = File.read(artifact.file.path)
+            Gitlab::Ci::Parsers::Security::DependencyScanning.parse!(retried_content, report)
+            report.merge!(report)
+
+            scan = create(:security_scan, scan_type: retried_build.name, build: retried_build)
+
+            report.findings.each_with_index do |finding, index|
+              create(:security_finding,
+                     severity: finding.severity,
+                     confidence: finding.confidence,
+                     project_fingerprint: finding.project_fingerprint,
+                     uuid: finding.uuid,
+                     deduplicated: true,
+                     position: index,
+                     scan: scan)
+            end
+          end
+
+          it { is_expected.to match_array(expected_fingerprints) }
+        end
+
         context 'when a build has more than one security report artifacts' do
           let(:report_types) { :secret_detection }
           let(:secret_detection_report) { create(:ci_reports_security_report, pipeline: pipeline, type: :secret_detection) }

ee/spec/models/security/finding_spec.rb

@@ -143,4 +143,16 @@ RSpec.describe Security::Finding do
       })
     }
   end
+
+  describe '.latest' do
+    subject { described_class.latest }
+
+    let(:expected_findings) { [finding_2] }
+
+    before do
+      finding_1.build.update!(retried: true)
+    end
+
+    it { is_expected.to eq(expected_findings) }
+  end
 end