Move ee/lib/gitlab/ci/reports/security POROs to CE part2 [RUN AS-IF-FOSS]

12f892d7 · Cyrine Gamoudi · Tetiana Chupryna · 5c794438 · 12f892d7 · 12f892d7
Commit 12f892d7 authored Aug 02, 2021 by Cyrine Gamoudi Committed by Tetiana Chupryna Aug 02, 2021
59 changed files
--- a/app/models/concerns/vulnerability_finding_helpers.rb
+++ b/app/models/concerns/vulnerability_finding_helpers.rb
@@ -2,6 +2,35 @@
 module VulnerabilityFindingHelpers
  extend ActiveSupport::Concern
-end
+  def matches_signatures(other_signatures, other_uuid)
+    other_signature_types = other_signatures.index_by(&:algorithm_type)
+    # highest first
+    match_result = nil
+    signatures.sort_by(&:priority).reverse_each do |signature|
+      matching_other_signature = other_signature_types[signature.algorithm_type]
+      next if matching_other_signature.nil?
+      match_result = matching_other_signature == signature
+      break
+    end
-VulnerabilityFindingHelpers.prepend_mod_with('VulnerabilityFindingHelpers')
+    if match_result.nil?
+      [uuid, *signature_uuids].include?(other_uuid)
+    else
+      match_result
+    end
+  end
+  def signature_uuids
+    signatures.map do |signature|
+      hex_sha = signature.signature_hex
+      ::Security::VulnerabilityUUID.generate(
+        report_type: report_type,
+        location_fingerprint: hex_sha,
+        primary_identifier_fingerprint: primary_identifier&.fingerprint,
+        project_id: project_id
+      )
+    end
+  end
+end
--- a/app/models/concerns/vulnerability_finding_signature_helpers.rb
+++ b/app/models/concerns/vulnerability_finding_signature_helpers.rb
@@ -2,6 +2,30 @@
 module VulnerabilityFindingSignatureHelpers
  extend ActiveSupport::Concern
-end
+  # If the location object describes a physical location within a file
+  # (filename + line numbers), the 'location' algorithm_type should be used
+  # If the location object describes arbitrary data, then the 'hash'
+  # algorithm_type should be used.
+  ALGORITHM_TYPES = { hash: 1, location: 2, scope_offset: 3 }.with_indifferent_access.freeze
+  class_methods do
+    def priority(algorithm_type)
+      raise ArgumentError, "No priority for #{algorithm_type.inspect}" unless ALGORITHM_TYPES.key?(algorithm_type)
+      ALGORITHM_TYPES[algorithm_type]
+    end
-VulnerabilityFindingSignatureHelpers.prepend_mod_with('VulnerabilityFindingSignatureHelpers')
+    def algorithm_types
+      ALGORITHM_TYPES
+    end
+  end
+  def priority
+    self.class.priority(algorithm_type)
+  end
+  def algorithm_types
+    self.class.algorithm_types
+  end
+end
--- a/ee/app/services/security/merge_reports_service.rb
+++ b/ee/app/services/security/merge_reports_service.rb
--- a/ee/app/models/concerns/ee/vulnerability_finding_helpers.rb
+++ b/ee/app/models/concerns/ee/vulnerability_finding_helpers.rb
-# frozen_string_literal: true
-module EE
-  module VulnerabilityFindingHelpers
-    extend ActiveSupport::Concern
-    def matches_signatures(other_signatures, other_uuid)
-      other_signature_types = other_signatures.index_by(&:algorithm_type)
-      # highest first
-      match_result = nil
-      signatures.sort_by(&:priority).reverse_each do |signature|
-        matching_other_signature = other_signature_types[signature.algorithm_type]
-        next if matching_other_signature.nil?
-        match_result = matching_other_signature == signature
-        break
-      end
-      if match_result.nil?
-        [uuid, *signature_uuids].include?(other_uuid)
-      else
-        match_result
-      end
-    end
-    def signature_uuids
-      signatures.map do |signature|
-        hex_sha = signature.signature_hex
-        ::Security::VulnerabilityUUID.generate(
-          report_type: report_type,
-          location_fingerprint: hex_sha,
-          primary_identifier_fingerprint: primary_identifier&.fingerprint,
-          project_id: project_id
-        )
-      end
-    end
-  end
-end
--- a/ee/app/models/concerns/ee/vulnerability_finding_signature_helpers.rb
+++ b/ee/app/models/concerns/ee/vulnerability_finding_signature_helpers.rb
-# frozen_string_literal: true
-module EE
-  module VulnerabilityFindingSignatureHelpers
-    extend ActiveSupport::Concern
-    # If the location object describes a physical location within a file
-    # (filename + line numbers), the 'location' algorithm_type should be used
-    #
-    # If the location object describes arbitrary data, then the 'hash'
-    # algorithm_type should be used.
-    PRIORITIES = {
-      scope_offset: 3,
-      location: 2,
-      hash: 1
-    }.with_indifferent_access.freeze
-    class_methods do
-      def priority(algorithm_type)
-        raise ArgumentError, "No priority for #{algorithm_type.inspect}" unless PRIORITIES.key?(algorithm_type)
-        PRIORITIES[algorithm_type]
-      end
-    end
-    def priority
-      self.class.priority(algorithm_type)
-    end
-  end
-end
--- a/ee/app/models/vulnerabilities/finding_signature.rb
+++ b/ee/app/models/vulnerabilities/finding_signature.rb
@@ -8,9 +8,7 @@ module Vulnerabilities
    include VulnerabilityFindingSignatureHelpers
    belongs_to :finding, foreign_key: 'finding_id', inverse_of: :signatures, class_name: 'Vulnerabilities::Finding'
+    enum algorithm_type: VulnerabilityFindingSignatureHelpers::ALGORITHM_TYPES, _prefix: :algorithm
-    enum algorithm_type: { hash: 1, location: 2, scope_offset: 3 }, _prefix: :algorithm
    validates :finding, presence: true
    def signature_hex

--- a/ee/lib/ee/gitlab/ci/parsers.rb
+++ b/ee/lib/ee/gitlab/ci/parsers.rb
@@ -14,10 +14,8 @@ module EE
                container_scanning: ::Gitlab::Ci::Parsers::Security::ContainerScanning,
                cluster_image_scanning: ::Gitlab::Ci::Parsers::Security::ContainerScanning,
                dast: ::Gitlab::Ci::Parsers::Security::Dast,
-                sast: ::Gitlab::Ci::Parsers::Security::Sast,
                api_fuzzing: ::Gitlab::Ci::Parsers::Security::Dast,
                coverage_fuzzing: ::Gitlab::Ci::Parsers::Security::CoverageFuzzing,
-                secret_detection: ::Gitlab::Ci::Parsers::Security::SecretDetection,
                metrics: ::Gitlab::Ci::Parsers::Metrics::Generic,
                requirements: ::Gitlab::Ci::Parsers::RequirementsManagement::Requirement
            })

--- a/ee/lib/ee/gitlab/ci/parsers/security/common.rb
+++ b/ee/lib/ee/gitlab/ci/parsers/security/common.rb
+# frozen_string_literal: true
+module EE
+  module Gitlab
+    module Ci
+      module Parsers
+        module Security
+          module Common
+            extend ::Gitlab::Utils::Override
+            private
+            # map remediations to relevant vulnerabilities
+            def collate_remediations
+              return report_data["vulnerabilities"] || [] unless report_data["remediations"]
+              report_data["vulnerabilities"].map do |vulnerability|
+                remediation = fixes[vulnerability['id']] || fixes[vulnerability['cve']]
+                vulnerability.merge("remediations" => [remediation])
+              end
+            end
+            def fixes
+              @fixes ||= report_data['remediations'].each_with_object({}) do |item, memo|
+                item['fixes'].each do |fix|
+                  id = fix['id'] || fix['cve']
+                  memo[id] = item if id
+                end
+                memo
+              end
+            end
+            def create_remediations(remediations_data)
+              remediations_data.to_a.compact.map do |remediation_data|
+                ::Gitlab::Ci::Reports::Security::Remediation.new(remediation_data['summary'], remediation_data['diff'])
+              end
+            end
+            override :create_vulnerabilities
+            def create_vulnerabilities
+              collate_remediations.each { |vulnerability| create_vulnerability(vulnerability, create_remediations(report_data['remediations'])) }
+            end
+          end
+        end
+      end
+    end
+  end
+end
--- a/ee/lib/ee/gitlab/ci/parsers/security/validators/schema_validator.rb
+++ b/ee/lib/ee/gitlab/ci/parsers/security/validators/schema_validator.rb
+# frozen_string_literal: true
+module EE
+  module Gitlab
+    module Ci
+      module Parsers
+        module Security
+          module Validators
+            module SchemaValidator
+              module Schema
+                extend ::Gitlab::Utils::Override
+                override :root_path
+                def root_path
+                  if [:sast, :secret_detection].include?(report_type)
+                    super
+                  else
+                    File.join(__dir__, 'schemas')
+                  end
+                end
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end
--- a/ee/lib/gitlab/ci/parsers/security/validators/schemas/cluster_image_scanning.json
+++ b/ee/lib/gitlab/ci/parsers/security/validators/schemas/cluster_image_scanning.json
--- a/ee/lib/gitlab/ci/parsers/security/validators/schemas/container_scanning.json
+++ b/ee/lib/gitlab/ci/parsers/security/validators/schemas/container_scanning.json
--- a/ee/lib/gitlab/ci/parsers/security/validators/schemas/coverage_fuzzing.json
+++ b/ee/lib/gitlab/ci/parsers/security/validators/schemas/coverage_fuzzing.json
--- a/ee/lib/gitlab/ci/parsers/security/validators/schemas/dast.json
+++ b/ee/lib/gitlab/ci/parsers/security/validators/schemas/dast.json
--- a/ee/lib/gitlab/ci/parsers/security/validators/schemas/dependency_scanning.json
+++ b/ee/lib/gitlab/ci/parsers/security/validators/schemas/dependency_scanning.json
--- a/ee/spec/factories/ci/job_artifacts.rb
+++ b/ee/spec/factories/ci/job_artifacts.rb
@@ -2,16 +2,6 @@
 FactoryBot.define do
  factory :ee_ci_job_artifact, class: '::Ci::JobArtifact', parent: :ci_job_artifact do
-    trait :sast do
-      file_type { :sast }
-      file_format { :raw }
-      after(:build) do |artifact, _|
-        artifact.file = fixture_file_upload(
-          Rails.root.join('spec/fixtures/security_reports/master/gl-sast-report.json'), 'application/json')
-      end
-    end
    trait :with_exceeding_identifiers do
      file_type { :sast }
      file_format { :raw }
@@ -22,16 +12,6 @@ FactoryBot.define do
      end
    end
-    trait :secret_detection do
-      file_type { :secret_detection }
-      file_format { :raw }
-      after(:build) do |artifact, _|
-        artifact.file = fixture_file_upload(
-          Rails.root.join('spec/fixtures/security_reports/master/gl-secret-detection-report.json'), 'application/json')
-      end
-    end
    trait :dast do
      file_format { :raw }
      file_type { :dast }
@@ -149,56 +129,6 @@ FactoryBot.define do
      end
    end
-    trait :sast_feature_branch do
-      file_format { :raw }
-      file_type { :sast }
-      after(:build) do |artifact, _|
-        artifact.file = fixture_file_upload(
-          Rails.root.join('ee/spec/fixtures/security_reports/feature-branch/gl-sast-report.json'), 'application/json')
-      end
-    end
-    trait :secret_detection_feature_branch do
-      file_format { :raw }
-      file_type { :secret_detection }
-      after(:build) do |artifact, _|
-        artifact.file = fixture_file_upload(
-          Rails.root.join('ee/spec/fixtures/security_reports/feature-branch/gl-secret-detection-report.json'), 'application/json')
-      end
-    end
-    trait :sast_deprecated do
-      file_type { :sast }
-      file_format { :raw }
-      after(:build) do |artifact, _|
-        artifact.file = fixture_file_upload(
-          Rails.root.join('ee/spec/fixtures/security_reports/deprecated/gl-sast-report.json'), 'application/json')
-      end
-    end
-    trait :sast_with_corrupted_data do
-      file_type { :sast }
-      file_format { :raw }
-      after(:build) do |artifact, _|
-        artifact.file = fixture_file_upload(
-          Rails.root.join('spec/fixtures/trace/sample_trace'), 'application/json')
-      end
-    end
-    trait :sast_with_missing_scanner do
-      file_type { :sast }
-      file_format { :raw }
-      after(:build) do |artifact, _|
-        artifact.file = fixture_file_upload(
-          Rails.root.join('ee/spec/fixtures/security_reports/master/gl-sast-missing-scanner.json'), 'application/json')
-      end
-    end
    trait :license_scanning do
      file_type { :license_scanning }
      file_format { :raw }
@@ -319,26 +249,6 @@ FactoryBot.define do
      end
    end
-    trait :common_security_report do
-      file_format { :raw }
-      file_type { :dependency_scanning }
-      after(:build) do |artifact, _|
-        artifact.file = fixture_file_upload(
-          Rails.root.join('ee/spec/fixtures/security_reports/master/gl-common-scanning-report.json'), 'application/json')
-      end
-    end
-    trait :common_security_report_with_blank_names do
-      file_format { :raw }
-      file_type { :dependency_scanning }
-      after(:build) do |artifact, _|
-        artifact.file = fixture_file_upload(
-          Rails.root.join('ee/spec/fixtures/security_reports/master/gl-common-scanning-report-names.json'), 'application/json')
-      end
-    end
    trait :container_scanning_feature_branch do
      file_format { :raw }
      file_type { :container_scanning }

--- a/ee/spec/lib/gitlab/ci/parsers/security/common_spec.rb
+++ b/ee/spec/lib/gitlab/ci/parsers/security/common_spec.rb
@@ -8,7 +8,7 @@ RSpec.describe Gitlab::Ci::Parsers::Security::Common do
    with_them do
      let_it_be(:pipeline) { create(:ci_pipeline) }
-      let(:artifact) { build(:ee_ci_job_artifact, :common_security_report) }
+      let(:artifact) { build(:ci_job_artifact, :common_security_report) }
      let(:report) { Gitlab::Ci::Reports::Security::Report.new(artifact.file_type, pipeline, 2.weeks.ago) }
      let(:location) { ::Gitlab::Ci::Reports::Security::Locations::DependencyScanning.new(file_path: 'yarn/yarn.lock', package_version: 'v2', package_name: 'saml2') }
      let(:tracking_data) { nil }
@@ -94,7 +94,7 @@ RSpec.describe Gitlab::Ci::Parsers::Security::Common do
      end
      describe 'parsing finding.name' do
-        let(:artifact) { build(:ee_ci_job_artifact, :common_security_report_with_blank_names) }
+        let(:artifact) { build(:ci_job_artifact, :common_security_report_with_blank_names) }
        context 'when message is provided' do
          it 'sets message from the report as a finding name' do

--- a/ee/spec/lib/gitlab/ci/parsers/security/validators/schema_validator_spec.rb
+++ b/ee/spec/lib/gitlab/ci/parsers/security/validators/schema_validator_spec.rb
@@ -11,8 +11,6 @@ RSpec.describe Gitlab::Ci::Parsers::Security::Validators::SchemaValidator do
    :coverage_fuzzing           | ['root is missing required keys: vulnerabilities']                   | { 'version' => '10.0.0', 'vulnerabilities' => [] }
    :dast                       | ['root is missing required keys: vulnerabilities']                   | { 'version' => '10.0.0', 'vulnerabilities' => [] }
    :dependency_scanning        | ['root is missing required keys: dependency_files, vulnerabilities'] | { 'version' => '10.0.0', 'vulnerabilities' => [], 'dependency_files' => [] }
-    :sast                       | ['root is missing required keys: vulnerabilities']                   | { 'version' => '10.0.0', 'vulnerabilities' => [] }
-    :secret_detection           | ['root is missing required keys: vulnerabilities']                   | { 'version' => '10.0.0', 'vulnerabilities' => [] }
  end
  with_them do

--- a/lib/gitlab/ci/parsers.rb
+++ b/lib/gitlab/ci/parsers.rb
@@ -11,7 +11,9 @@ module Gitlab
          cobertura: ::Gitlab::Ci::Parsers::Coverage::Cobertura,
          terraform: ::Gitlab::Ci::Parsers::Terraform::Tfplan,
          accessibility: ::Gitlab::Ci::Parsers::Accessibility::Pa11y,
-          codequality: ::Gitlab::Ci::Parsers::Codequality::CodeClimate
+          codequality: ::Gitlab::Ci::Parsers::Codequality::CodeClimate,
+          sast: ::Gitlab::Ci::Parsers::Security::Sast,
+          secret_detection: ::Gitlab::Ci::Parsers::Security::SecretDetection
        }
      end

--- a/ee/lib/gitlab/ci/parsers/security/common.rb
+++ b/ee/lib/gitlab/ci/parsers/security/common.rb
@@ -27,7 +27,8 @@ module Gitlab
            create_scan
            create_analyzer
            set_report_version
-            collate_remediations.each { |vulnerability| create_vulnerability(vulnerability) }
+            create_vulnerabilities
            report_data
          rescue JSON::ParserError
@@ -73,35 +74,20 @@ module Gitlab
            @analyzer_data ||= report_data.dig('scan', 'analyzer')
          end
-          # map remediations to relevant vulnerabilities
+          def tracking_data(data)
-          def collate_remediations
+            data['tracking']
-            return report_data["vulnerabilities"] || [] unless report_data["remediations"]
-            report_data["vulnerabilities"].map do |vulnerability|
-              remediation = fixes[vulnerability['id']] || fixes[vulnerability['cve']]
-              vulnerability.merge("remediations" => [remediation])
-            end
          end
-          def fixes
+          def create_vulnerabilities
-            @fixes ||= report_data['remediations'].each_with_object({}) do |item, memo|
+            if report_data["vulnerabilities"]
-              item['fixes'].each do |fix|
+              report_data["vulnerabilities"].each { |vulnerability| create_vulnerability(vulnerability) }
-                id = fix['id'] || fix['cve']
-                memo[id] = item if id
-              end
-              memo
-            end
            end
-          def tracking_data(data)
-            data['tracking']
          end
-          def create_vulnerability(data)
+          def create_vulnerability(data, remediations = [])
            identifiers = create_identifiers(data['identifiers'])
            links = create_links(data['links'])
            location = create_location(data['location'] || {})
-            remediations = create_remediations(data['remediations'])
            signatures = create_signatures(tracking_data(data))
            if @vulnerability_finding_signatures_enabled && !signatures.empty?
@@ -231,12 +217,6 @@ module Gitlab
            ::Gitlab::Ci::Reports::Security::Link.new(name: link['name'], url: link['url'])
          end
-          def create_remediations(remediations_data)
-            remediations_data.to_a.compact.map do |remediation_data|
-              ::Gitlab::Ci::Reports::Security::Remediation.new(remediation_data['summary'], remediation_data['diff'])
-            end
-          end
          def parse_severity_level(input)
            input&.downcase.then { |value| ::Enums::Vulnerability.severity_levels.key?(value) ? value : 'unknown' }
          end
@@ -282,3 +262,5 @@ module Gitlab
    end
  end
 end
+Gitlab::Ci::Parsers::Security::Common.prepend_mod_with("Gitlab::Ci::Parsers::Security::Common")
--- a/ee/lib/gitlab/ci/parsers/security/concerns/deprecated_syntax.rb
+++ b/ee/lib/gitlab/ci/parsers/security/concerns/deprecated_syntax.rb
--- a/ee/lib/gitlab/ci/parsers/security/sast.rb
+++ b/ee/lib/gitlab/ci/parsers/security/sast.rb
--- a/ee/lib/gitlab/ci/parsers/security/secret_detection.rb
+++ b/ee/lib/gitlab/ci/parsers/security/secret_detection.rb
--- a/ee/lib/gitlab/ci/parsers/security/validators/schema_validator.rb
+++ b/ee/lib/gitlab/ci/parsers/security/validators/schema_validator.rb
@@ -7,7 +7,9 @@ module Gitlab
        module Validators
          class SchemaValidator
            class Schema
-              ROOT_PATH = File.join(__dir__, 'schemas')
+              def root_path
+                File.join(__dir__, 'schemas')
+              end
              def initialize(report_type)
                @report_type = report_type
@@ -28,7 +30,7 @@ module Gitlab
              end
              def schema_path
-                File.join(ROOT_PATH, file_name)
+                File.join(root_path, file_name)
              end
              def file_name
@@ -62,3 +64,5 @@ module Gitlab
    end
  end
 end
+Gitlab::Ci::Parsers::Security::Validators::SchemaValidator::Schema.prepend_mod_with("Gitlab::Ci::Parsers::Security::Validators::SchemaValidator::Schema")
--- a/ee/lib/gitlab/ci/parsers/security/validators/schemas/sast.json
+++ b/ee/lib/gitlab/ci/parsers/security/validators/schemas/sast.json
--- a/ee/lib/gitlab/ci/parsers/security/validators/schemas/secret_detection.json
+++ b/ee/lib/gitlab/ci/parsers/security/validators/schemas/secret_detection.json
--- a/ee/lib/gitlab/ci/reports/security/aggregated_report.rb
+++ b/ee/lib/gitlab/ci/reports/security/aggregated_report.rb
--- a/ee/lib/gitlab/ci/reports/security/finding.rb
+++ b/ee/lib/gitlab/ci/reports/security/finding.rb
--- a/ee/lib/gitlab/ci/reports/security/finding_key.rb
+++ b/ee/lib/gitlab/ci/reports/security/finding_key.rb
--- a/ee/lib/gitlab/ci/reports/security/finding_signature.rb
+++ b/ee/lib/gitlab/ci/reports/security/finding_signature.rb
@@ -14,10 +14,6 @@ module Gitlab
            @signature_value = params.dig(:signature_value)
          end
-          def priority
-            ::Vulnerabilities::FindingSignature.priority(algorithm_type)
-          end
          def signature_sha
            Digest::SHA1.digest(signature_value)
          end
@@ -34,7 +30,7 @@ module Gitlab
          end
          def valid?
-            ::Vulnerabilities::FindingSignature.algorithm_types.key?(algorithm_type)
+            algorithm_types.key?(algorithm_type)
          end
          def eql?(other)

--- a/ee/lib/gitlab/ci/reports/security/locations/base.rb
+++ b/ee/lib/gitlab/ci/reports/security/locations/base.rb
--- a/ee/lib/gitlab/ci/reports/security/locations/sast.rb
+++ b/ee/lib/gitlab/ci/reports/security/locations/sast.rb
--- a/ee/lib/gitlab/ci/reports/security/locations/secret_detection.rb
+++ b/ee/lib/gitlab/ci/reports/security/locations/secret_detection.rb
--- a/ee/lib/gitlab/ci/reports/security/report.rb
+++ b/ee/lib/gitlab/ci/reports/security/report.rb
--- a/ee/lib/gitlab/ci/reports/security/reports.rb
+++ b/ee/lib/gitlab/ci/reports/security/reports.rb
--- a/spec/factories/ci/job_artifacts.rb
+++ b/spec/factories/ci/job_artifacts.rb
@@ -287,6 +287,76 @@ FactoryBot.define do
      end
    end
+    trait :common_security_report do
+      file_format { :raw }
+      file_type { :dependency_scanning }
+      after(:build) do |artifact, _|
+        artifact.file = fixture_file_upload(
+          Rails.root.join('spec/fixtures/security_reports/master/gl-common-scanning-report.json'), 'application/json')
+      end
+    end
+    trait :common_security_report_with_blank_names do
+      file_format { :raw }
+      file_type { :dependency_scanning }
+      after(:build) do |artifact, _|
+        artifact.file = fixture_file_upload(
+          Rails.root.join('spec/fixtures/security_reports/master/gl-common-scanning-report-names.json'), 'application/json')
+      end
+    end
+    trait :sast_deprecated do
+      file_type { :sast }
+      file_format { :raw }
+      after(:build) do |artifact, _|
+        artifact.file = fixture_file_upload(
+          Rails.root.join('spec/fixtures/security_reports/deprecated/gl-sast-report.json'), 'application/json')
+      end
+    end
+    trait :sast_with_corrupted_data do
+      file_type { :sast }
+      file_format { :raw }
+      after(:build) do |artifact, _|
+        artifact.file = fixture_file_upload(
+          Rails.root.join('spec/fixtures/trace/sample_trace'), 'application/json')
+      end
+    end
+    trait :sast_feature_branch do
+      file_format { :raw }
+      file_type { :sast }
+      after(:build) do |artifact, _|
+        artifact.file = fixture_file_upload(
+          Rails.root.join('spec/fixtures/security_reports/feature-branch/gl-sast-report.json'), 'application/json')
+      end
+    end
+    trait :secret_detection_feature_branch do
+      file_format { :raw }
+      file_type { :secret_detection }
+      after(:build) do |artifact, _|
+        artifact.file = fixture_file_upload(
+          Rails.root.join('spec/fixtures/security_reports/feature-branch/gl-secret-detection-report.json'), 'application/json')
+      end
+    end
+    trait :sast_with_missing_scanner do
+      file_type { :sast }
+      file_format { :raw }
+      after(:build) do |artifact, _|
+        artifact.file = fixture_file_upload(
+          Rails.root.join('spec/fixtures/security_reports/master/gl-sast-missing-scanner.json'), 'application/json')
+      end
+    end
    trait :secret_detection do
      file_type { :secret_detection }
      file_format { :raw }

--- a/ee/spec/factories/ci/reports/security/aggregated_reports.rb
+++ b/ee/spec/factories/ci/reports/security/aggregated_reports.rb
@@ -5,6 +5,8 @@ FactoryBot.define do
    reports { FactoryBot.build_list(:ci_reports_security_report, 1) }
    findings { FactoryBot.build_list(:ci_reports_security_finding, 1) }
+    skip_create
    initialize_with do
      ::Gitlab::Ci::Reports::Security::AggregatedReport.new(reports, findings)
    end

--- a/ee/spec/factories/ci/reports/security/finding_keys.rb
+++ b/ee/spec/factories/ci/reports/security/finding_keys.rb
--- a/ee/spec/factories/ci/reports/security/findings.rb
+++ b/ee/spec/factories/ci/reports/security/findings.rb
--- a/ee/spec/factories/ci/reports/security/locations/sast.rb
+++ b/ee/spec/factories/ci/reports/security/locations/sast.rb
--- a/ee/spec/factories/ci/reports/security/reports.rb
+++ b/ee/spec/factories/ci/reports/security/reports.rb
--- a/ee/spec/fixtures/security_reports/deprecated/gl-sast-report.json
+++ b/ee/spec/fixtures/security_reports/deprecated/gl-sast-report.json
--- a/ee/spec/fixtures/security_reports/feature-branch/gl-sast-report.json
+++ b/ee/spec/fixtures/security_reports/feature-branch/gl-sast-report.json
--- a/ee/spec/fixtures/security_reports/feature-branch/gl-secret-detection-report.json
+++ b/ee/spec/fixtures/security_reports/feature-branch/gl-secret-detection-report.json
--- a/ee/spec/fixtures/security_reports/master/gl-common-scanning-report-names.json
+++ b/ee/spec/fixtures/security_reports/master/gl-common-scanning-report-names.json
--- a/ee/spec/fixtures/security_reports/master/gl-common-scanning-report.json
+++ b/ee/spec/fixtures/security_reports/master/gl-common-scanning-report.json
--- a/ee/spec/fixtures/security_reports/master/gl-sast-missing-scanner.json
+++ b/ee/spec/fixtures/security_reports/master/gl-sast-missing-scanner.json
--- a/spec/lib/gitlab/ci/parsers/security/common_spec.rb
+++ b/spec/lib/gitlab/ci/parsers/security/common_spec.rb
+# frozen_string_literal: true
+# TODO remove duplication from spec/lib/gitlab/ci/parsers/security/common_spec.rb and spec/lib/gitlab/ci/parsers/security/common_spec.rb
+# See https://gitlab.com/gitlab-org/gitlab/-/issues/336589
+require 'spec_helper'
+RSpec.describe Gitlab::Ci::Parsers::Security::Common do
+  describe '#parse!' do
+    where(vulnerability_finding_signatures_enabled: [true, false])
+    with_them do
+      let_it_be(:pipeline) { create(:ci_pipeline) }
+      let(:artifact) { build(:ci_job_artifact, :common_security_report) }
+      let(:report) { Gitlab::Ci::Reports::Security::Report.new(artifact.file_type, pipeline, 2.weeks.ago) }
+      # The path 'yarn.lock' was initially used by DependencyScanning, it is okay for SAST locations to use it, but this could be made better
+      let(:location) { ::Gitlab::Ci::Reports::Security::Locations::Sast.new(file_path: 'yarn.lock', start_line: 1, end_line: 1) }
+      let(:tracking_data) { nil }
+      before do
+        allow_next_instance_of(described_class) do |parser|
+          allow(parser).to receive(:create_location).and_return(location)
+          allow(parser).to receive(:tracking_data).and_return(tracking_data)
+        end
+        artifact.each_blob { |blob| described_class.parse!(blob, report, vulnerability_finding_signatures_enabled) }
+      end
+      describe 'schema validation' do
+        let(:validator_class) { Gitlab::Ci::Parsers::Security::Validators::SchemaValidator }
+        let(:parser) { described_class.new('{}', report, vulnerability_finding_signatures_enabled, validate: validate) }
+        subject(:parse_report) { parser.parse! }
+        before do
+          allow(validator_class).to receive(:new).and_call_original
+        end
+        context 'when the validate flag is set as `false`' do
+          let(:validate) { false }
+          it 'does not run the validation logic' do
+            parse_report
+            expect(validator_class).not_to have_received(:new)
+          end
+        end
+        context 'when the validate flag is set as `true`' do
+          let(:validate) { true }
+          let(:valid?) { false }
+          before do
+            allow_next_instance_of(validator_class) do |instance|
+              allow(instance).to receive(:valid?).and_return(valid?)
+              allow(instance).to receive(:errors).and_return(['foo'])
+            end
+            allow(parser).to receive_messages(create_scanner: true, create_scan: true)
+          end
+          it 'instantiates the validator with correct params' do
+            parse_report
+            expect(validator_class).to have_received(:new).with(report.type, {})
+          end
+          context 'when the report data is not valid according to the schema' do
+            it 'adds errors to the report' do
+              expect { parse_report }.to change { report.errors }.from([]).to([{ message: 'foo', type: 'Schema' }])
+            end
+            it 'does not try to create report entities' do
+              parse_report
+              expect(parser).not_to have_received(:create_scanner)
+              expect(parser).not_to have_received(:create_scan)
+            end
+          end
+          context 'when the report data is valid according to the schema' do
+            let(:valid?) { true }
+            it 'does not add errors to the report' do
+              expect { parse_report }.not_to change { report.errors }.from([])
+            end
+            it 'keeps the execution flow as normal' do
+              parse_report
+              expect(parser).to have_received(:create_scanner)
+              expect(parser).to have_received(:create_scan)
+            end
+          end
+        end
+      end
+      describe 'parsing finding.name' do
+        let(:artifact) { build(:ci_job_artifact, :common_security_report_with_blank_names) }
+        context 'when message is provided' do
+          it 'sets message from the report as a finding name' do
+            vulnerability = report.findings.find { |x| x.compare_key == 'CVE-1020' }
+            expected_name = Gitlab::Json.parse(vulnerability.raw_metadata)['message']
+            expect(vulnerability.name).to eq(expected_name)
+          end
+        end
+        context 'when message is not provided' do
+          context 'and name is provided' do
+            it 'sets name from the report as a name' do
+              vulnerability = report.findings.find { |x| x.compare_key == 'CVE-1030' }
+              expected_name = Gitlab::Json.parse(vulnerability.raw_metadata)['name']
+              expect(vulnerability.name).to eq(expected_name)
+            end
+          end
+          context 'and name is not provided' do
+            context 'when CVE identifier exists' do
+              it 'combines identifier with location to create name' do
+                vulnerability = report.findings.find { |x| x.compare_key == 'CVE-2017-11429' }
+                expect(vulnerability.name).to eq("CVE-2017-11429 in yarn.lock")
+              end
+            end
+            context 'when CWE identifier exists' do
+              it 'combines identifier with location to create name' do
+                vulnerability = report.findings.find { |x| x.compare_key == 'CWE-2017-11429' }
+                expect(vulnerability.name).to eq("CWE-2017-11429 in yarn.lock")
+              end
+            end
+            context 'when neither CVE nor CWE identifier exist' do
+              it 'combines identifier with location to create name' do
+                vulnerability = report.findings.find { |x| x.compare_key == 'OTHER-2017-11429' }
+                expect(vulnerability.name).to eq("other-2017-11429 in yarn.lock")
+              end
+            end
+          end
+        end
+      end
+      describe 'parsing finding.details' do
+        context 'when details are provided' do
+          it 'sets details from the report' do
+            vulnerability = report.findings.find { |x| x.compare_key == 'CVE-1020' }
+            expected_details = Gitlab::Json.parse(vulnerability.raw_metadata)['details']
+            expect(vulnerability.details).to eq(expected_details)
+          end
+        end
+        context 'when details are not provided' do
+          it 'sets empty hash' do
+            vulnerability = report.findings.find { |x| x.compare_key == 'CVE-1030' }
+            expect(vulnerability.details).to eq({})
+          end
+        end
+      end
+      describe 'top-level scanner' do
+        it 'is the primary scanner' do
+          expect(report.primary_scanner.external_id).to eq('gemnasium')
+          expect(report.primary_scanner.name).to eq('Gemnasium')
+          expect(report.primary_scanner.vendor).to eq('GitLab')
+          expect(report.primary_scanner.version).to eq('2.18.0')
+        end
+        it 'returns nil report has no scanner' do
+          empty_report = Gitlab::Ci::Reports::Security::Report.new(artifact.file_type, pipeline, 2.weeks.ago)
+          described_class.parse!({}.to_json, empty_report)
+          expect(empty_report.primary_scanner).to be_nil
+        end
+      end
+      describe 'parsing scanners' do
+        subject(:scanner) { report.findings.first.scanner }
+        context 'when vendor is not missing in scanner' do
+          it 'returns scanner with parsed vendor value' do
+            expect(scanner.vendor).to eq('GitLab')
+          end
+        end
+      end
+      describe 'parsing scan' do
+        it 'returns scan object for each finding' do
+          scans = report.findings.map(&:scan)
+          expect(scans.map(&:status).all?('success')).to be(true)
+          expect(scans.map(&:start_time).all?('placeholder-value')).to be(true)
+          expect(scans.map(&:end_time).all?('placeholder-value')).to be(true)
+          expect(scans.size).to eq(3)
+          expect(scans.first).to be_a(::Gitlab::Ci::Reports::Security::Scan)
+        end
+        it 'returns nil when scan is not a hash' do
+          empty_report = Gitlab::Ci::Reports::Security::Report.new(artifact.file_type, pipeline, 2.weeks.ago)
+          described_class.parse!({}.to_json, empty_report)
+          expect(empty_report.scan).to be(nil)
+        end
+      end
+      describe 'parsing schema version' do
+        it 'parses the version' do
+          expect(report.version).to eq('14.0.2')
+        end
+        it 'returns nil when there is no version' do
+          empty_report = Gitlab::Ci::Reports::Security::Report.new(artifact.file_type, pipeline, 2.weeks.ago)
+          described_class.parse!({}.to_json, empty_report)
+          expect(empty_report.version).to be_nil
+        end
+      end
+      describe 'parsing analyzer' do
+        it 'associates analyzer with report' do
+          expect(report.analyzer.id).to eq('common-analyzer')
+          expect(report.analyzer.name).to eq('Common Analyzer')
+          expect(report.analyzer.version).to eq('2.0.1')
+          expect(report.analyzer.vendor).to eq('Common')
+        end
+        it 'returns nil when analyzer data is not available' do
+          empty_report = Gitlab::Ci::Reports::Security::Report.new(artifact.file_type, pipeline, 2.weeks.ago)
+          described_class.parse!({}.to_json, empty_report)
+          expect(empty_report.analyzer).to be_nil
+        end
+      end
+      describe 'parsing links' do
+        it 'returns links object for each finding', :aggregate_failures do
+          links = report.findings.flat_map(&:links)
+          expect(links.map(&:url)).to match_array(['https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1020', 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1030'])
+          expect(links.map(&:name)).to match_array([nil, 'CVE-1030'])
+          expect(links.size).to eq(2)
+          expect(links.first).to be_a(::Gitlab::Ci::Reports::Security::Link)
+        end
+      end
+      describe 'setting the uuid' do
+        let(:finding_uuids) { report.findings.map(&:uuid) }
+        let(:uuid_1) do
+          Security::VulnerabilityUUID.generate(
+            report_type: "sast",
+            primary_identifier_fingerprint: report.findings[0].identifiers.first.fingerprint,
+            location_fingerprint: location.fingerprint,
+            project_id: pipeline.project_id
+          )
+        end
+        let(:uuid_2) do
+          Security::VulnerabilityUUID.generate(
+            report_type: "sast",
+            primary_identifier_fingerprint: report.findings[1].identifiers.first.fingerprint,
+            location_fingerprint: location.fingerprint,
+            project_id: pipeline.project_id
+          )
+        end
+        let(:expected_uuids) { [uuid_1, uuid_2, nil] }
+        it 'sets the UUIDv5 for findings', :aggregate_failures do
+          allow_next_instance_of(Gitlab::Ci::Reports::Security::Report) do |report|
+            allow(report).to receive(:type).and_return('sast')
+            expect(finding_uuids).to match_array(expected_uuids)
+          end
+        end
+      end
+      describe 'parsing tracking' do
+        let(:tracking_data) do
+          {
+            'type' => 'source',
+            'items' => [
+              'signatures' => [
+                { 'algorithm' => 'hash', 'value' => 'hash_value' },
+                { 'algorithm' => 'location', 'value' => 'location_value' },
+                { 'algorithm' => 'scope_offset', 'value' => 'scope_offset_value' }
+              ]
+            ]
+          }
+        end
+        context 'with valid tracking information' do
+          it 'creates signatures for each algorithm' do
+            finding = report.findings.first
+            expect(finding.signatures.size).to eq(3)
+            expect(finding.signatures.map(&:algorithm_type).to_set).to eq(Set['hash', 'location', 'scope_offset'])
+          end
+        end
+        context 'with invalid tracking information' do
+          let(:tracking_data) do
+            {
+              'type' => 'source',
+              'items' => [
+                'signatures' => [
+                  { 'algorithm' => 'hash', 'value' => 'hash_value' },
+                  { 'algorithm' => 'location', 'value' => 'location_value' },
+                  { 'algorithm' => 'INVALID', 'value' => 'scope_offset_value' }
+                ]
+              ]
+            }
+          end
+          it 'ignores invalid algorithm types' do
+            finding = report.findings.first
+            expect(finding.signatures.size).to eq(2)
+            expect(finding.signatures.map(&:algorithm_type).to_set).to eq(Set['hash', 'location'])
+          end
+        end
+        context 'with valid tracking information' do
+          it 'creates signatures for each signature algorithm' do
+            finding = report.findings.first
+            expect(finding.signatures.size).to eq(3)
+            expect(finding.signatures.map(&:algorithm_type)).to eq(%w[hash location scope_offset])
+            signatures = finding.signatures.index_by(&:algorithm_type)
+            expected_values = tracking_data['items'][0]['signatures'].index_by { |x| x['algorithm'] }
+            expect(signatures['hash'].signature_value).to eq(expected_values['hash']['value'])
+            expect(signatures['location'].signature_value).to eq(expected_values['location']['value'])
+            expect(signatures['scope_offset'].signature_value).to eq(expected_values['scope_offset']['value'])
+          end
+          it 'sets the uuid according to the higest priority signature' do
+            finding = report.findings.first
+            highest_signature = finding.signatures.max_by(&:priority)
+            identifiers = if vulnerability_finding_signatures_enabled
+                            "#{finding.report_type}-#{finding.primary_identifier.fingerprint}-#{highest_signature.signature_hex}-#{report.project_id}"
+                          else
+                            "#{finding.report_type}-#{finding.primary_identifier.fingerprint}-#{finding.location.fingerprint}-#{report.project_id}"
+                          end
+            expect(finding.uuid).to eq(Gitlab::UUID.v5(identifiers))
+          end
+        end
+      end
+    end
+  end
+end
--- a/ee/spec/lib/gitlab/ci/parsers/security/sast_spec.rb
+++ b/ee/spec/lib/gitlab/ci/parsers/security/sast_spec.rb
@@ -18,7 +18,7 @@ RSpec.describe Gitlab::Ci::Parsers::Security::Sast do
      with_them do
        let(:report) { Gitlab::Ci::Reports::Security::Report.new(artifact.file_type, pipeline, created_at) }
-        let(:artifact) { create(:ee_ci_job_artifact, report_format) }
+        let(:artifact) { create(:ci_job_artifact, report_format) }
        before do
          artifact.each_blob { |blob| described_class.parse!(blob, report) }

--- a/ee/spec/lib/gitlab/ci/parsers/security/secret_detection_spec.rb
+++ b/ee/spec/lib/gitlab/ci/parsers/security/secret_detection_spec.rb
@@ -13,7 +13,7 @@ RSpec.describe Gitlab::Ci::Parsers::Security::SecretDetection do
      with_them do
        let(:report) { Gitlab::Ci::Reports::Security::Report.new(artifact.file_type, pipeline, created_at) }
-        let(:artifact) { create(:ee_ci_job_artifact, report_format) }
+        let(:artifact) { create(:ci_job_artifact, report_format) }
        before do
          artifact.each_blob { |blob| described_class.parse!(blob, report) }

--- a/spec/lib/gitlab/ci/parsers/security/validators/schema_validator_spec.rb
+++ b/spec/lib/gitlab/ci/parsers/security/validators/schema_validator_spec.rb
+# frozen_string_literal: true
+require 'spec_helper'
+RSpec.describe Gitlab::Ci::Parsers::Security::Validators::SchemaValidator do
+  using RSpec::Parameterized::TableSyntax
+  where(:report_type, :expected_errors, :valid_data) do
+    :sast | ['root is missing required keys: vulnerabilities'] | { 'version' => '10.0.0', 'vulnerabilities' => [] }
+    :secret_detection | ['root is missing required keys: vulnerabilities'] | { 'version' => '10.0.0', 'vulnerabilities' => [] }
+  end
+  with_them do
+    let(:validator) { described_class.new(report_type, report_data) }
+    describe '#valid?' do
+      subject { validator.valid? }
+      context 'when given data is invalid according to the schema' do
+        let(:report_data) { {} }
+        it { is_expected.to be_falsey }
+      end
+      context 'when given data is valid according to the schema' do
+        let(:report_data) { valid_data }
+        it { is_expected.to be_truthy }
+      end
+    end
+    describe '#errors' do
+      let(:report_data) { { 'version' => '10.0.0' } }
+      subject { validator.errors }
+      it { is_expected.to eq(expected_errors) }
+    end
+  end
+end
--- a/ee/spec/lib/gitlab/ci/reports/security/aggregated_report_spec.rb
+++ b/ee/spec/lib/gitlab/ci/reports/security/aggregated_report_spec.rb
--- a/ee/spec/lib/gitlab/ci/reports/security/finding_key_spec.rb
+++ b/ee/spec/lib/gitlab/ci/reports/security/finding_key_spec.rb
--- a/ee/spec/lib/gitlab/ci/reports/security/finding_signature_spec.rb
+++ b/ee/spec/lib/gitlab/ci/reports/security/finding_signature_spec.rb
--- a/ee/spec/lib/gitlab/ci/reports/security/locations/sast_spec.rb
+++ b/ee/spec/lib/gitlab/ci/reports/security/locations/sast_spec.rb
--- a/ee/spec/lib/gitlab/ci/reports/security/locations/secret_detection_spec.rb
+++ b/ee/spec/lib/gitlab/ci/reports/security/locations/secret_detection_spec.rb
--- a/ee/spec/lib/gitlab/ci/reports/security/report_spec.rb
+++ b/ee/spec/lib/gitlab/ci/reports/security/report_spec.rb
--- a/ee/spec/lib/gitlab/ci/reports/security/reports_spec.rb
+++ b/ee/spec/lib/gitlab/ci/reports/security/reports_spec.rb
@@ -4,7 +4,7 @@ require 'spec_helper'
 RSpec.describe Gitlab::Ci::Reports::Security::Reports do
  let_it_be(:pipeline) { create(:ci_pipeline) }
-  let_it_be(:artifact) { create(:ee_ci_job_artifact, :sast) }
+  let_it_be(:artifact) { create(:ci_job_artifact, :sast) }
  let(:security_reports) { described_class.new(pipeline) }

--- a/ee/spec/models/concerns/vulnerability_finding_signature_helpers_spec.rb
+++ b/ee/spec/models/concerns/vulnerability_finding_signature_helpers_spec.rb
--- a/ee/spec/support/shared_examples/lib/gitlab/ci/reports/security/locations/locations_shared_examples.rb
+++ b/ee/spec/support/shared_examples/lib/gitlab/ci/reports/security/locations/locations_shared_examples.rb