Commit 1656a6c6 authored by Mehmet Emin INAC's avatar Mehmet Emin INAC

Disable creating `security_findings` by default

Create entries in the `security_findings` table only if the feature is enabled.
parent 8a75797e
...@@ -19,6 +19,8 @@ module Security ...@@ -19,6 +19,8 @@ module Security
end end
def execute def execute
return security_scan unless Feature.enabled?(:store_security_findings, project)
StoreFindingsMetadataService.execute(security_scan, security_report) StoreFindingsMetadataService.execute(security_scan, security_report)
deduplicate_findings? ? update_deduplicated_findings : register_finding_keys deduplicate_findings? ? update_deduplicated_findings : register_finding_keys
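Review bot: The early return on the added line hands back `security_scan` before any finding is persisted, so with `store_security_findings` off a scan row can exist with no `security_findings` behind it, and a reader of that table cannot tell it apart from a scan that genuinely reported nothing; that should be stated at the return, e.g. `# Flag off: the scan row is still returned (and, it appears, created), but no findings are persisted for it`. Whether `security_scan` find-or-creates the row is not visible in this hunk, though the new spec's 'creates a new security scan' example under the disabled flag suggests it does. It is also worth confirming that the enabled path's result matches, since callers now receive the scan on one path and the value of `update_deduplicated_findings`/`register_finding_keys` on the other; the rest of `execute` and its callers are outside the hunk.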
......
---
name: store_security_findings
introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/44312
rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/276011
milestone: '13.6'
type: development
group: group::threat insights
default_enabled: false
...@@ -41,89 +41,121 @@ RSpec.describe Security::StoreScanService do ...@@ -41,89 +41,121 @@ RSpec.describe Security::StoreScanService do
known_keys.add(finding_key) known_keys.add(finding_key)
end end
it 'calls the `Security::StoreFindingsMetadataService` to store findings' do context 'when the `store_security_findings` feature is not enabled' do
store_scan before do
stub_feature_flags(store_security_findings: false)
end
expect(Security::StoreFindingsMetadataService).to have_received(:execute) it 'does not call the `Security::StoreFindingsMetadataService`' do
end store_scan
context 'when the security scan already exists for the artifact' do expect(Security::StoreFindingsMetadataService).not_to have_received(:execute)
let_it_be(:security_scan) { create(:security_scan, build: artifact.job, scan_type: :sast) }
let_it_be(:unique_security_finding) do
create(:security_finding,
scan: security_scan,
position: 0)
end end
let_it_be(:duplicated_security_finding) do context 'when the security scan already exists for the artifact' do
create(:security_finding, let_it_be(:security_scan) { create(:security_scan, build: artifact.job, scan_type: :sast) }
scan: security_scan,
position: 5)
end
it 'does not create a new security scan' do it 'does not create a new security scan' do
expect { store_scan }.not_to change { artifact.job.security_scans.count } expect { store_scan }.not_to change { artifact.job.security_scans.count }
end
end end
context 'when the `deduplicate` param is set as false' do context 'when the security scan does not exist for the artifact' do
it 'does not change the deduplicated flag of duplicated finding' do it 'creates a new security scan' do
expect { store_scan }.not_to change { duplicated_security_finding.reload.deduplicated }.from(false) expect { store_scan }.to change { artifact.job.security_scans.sast.count }.by(1)
end end
end
end
it 'does not change the deduplicated flag of unique finding' do context 'when the `store_security_findings` feature is enabled' do
expect { store_scan }.not_to change { unique_security_finding.reload.deduplicated }.from(false) before do
end stub_feature_flags(store_security_findings: true)
end end
context 'when the `deduplicate` param is set as true' do it 'calls the `Security::StoreFindingsMetadataService` to store findings' do
let(:deduplicate) { true } store_scan
expect(Security::StoreFindingsMetadataService).to have_received(:execute)
end
it 'does not change the deduplicated flag of duplicated finding false' do context 'when the security scan already exists for the artifact' do
expect { store_scan }.not_to change { duplicated_security_finding.reload.deduplicated }.from(false) let_it_be(:security_scan) { create(:security_scan, build: artifact.job, scan_type: :sast) }
let_it_be(:unique_security_finding) do
create(:security_finding,
scan: security_scan,
position: 0)
end end
it 'sets the deduplicated flag of unique finding as true' do let_it_be(:duplicated_security_finding) do
expect { store_scan }.to change { unique_security_finding.reload.deduplicated }.to(true) create(:security_finding,
scan: security_scan,
position: 5)
end end
end
end
context 'when the security scan does not exist for the artifact' do it 'does not create a new security scan' do
let(:unique_finding_attribute) do expect { store_scan }.not_to change { artifact.job.security_scans.count }
-> { Security::Finding.by_position(0).first&.deduplicated } end
end
let(:duplicated_finding_attribute) do context 'when the `deduplicate` param is set as false' do
-> { Security::Finding.by_position(5).first&.deduplicated } it 'does not change the deduplicated flag of duplicated finding' do
end expect { store_scan }.not_to change { duplicated_security_finding.reload.deduplicated }.from(false)
end
before do it 'does not change the deduplicated flag of unique finding' do
allow(Security::StoreFindingsMetadataService).to receive(:execute).and_call_original expect { store_scan }.not_to change { unique_security_finding.reload.deduplicated }.from(false)
end end
end
it 'creates a new security scan' do context 'when the `deduplicate` param is set as true' do
expect { store_scan }.to change { artifact.job.security_scans.sast.count }.by(1) let(:deduplicate) { true }
it 'does not change the deduplicated flag of duplicated finding false' do
expect { store_scan }.not_to change { duplicated_security_finding.reload.deduplicated }.from(false)
end
it 'sets the deduplicated flag of unique finding as true' do
expect { store_scan }.to change { unique_security_finding.reload.deduplicated }.to(true)
end
end
end end
context 'when the `deduplicate` param is set as false' do context 'when the security scan does not exist for the artifact' do
it 'sets the deduplicated flag of duplicated finding as false' do let(:unique_finding_attribute) do
expect { store_scan }.to change { duplicated_finding_attribute.call }.to(false) -> { Security::Finding.by_position(0).first&.deduplicated }
end end
it 'sets the deduplicated flag of unique finding as true' do let(:duplicated_finding_attribute) do
expect { store_scan }.to change { unique_finding_attribute.call }.to(true) -> { Security::Finding.by_position(5).first&.deduplicated }
end end
end
context 'when the `deduplicate` param is set as true' do before do
let(:deduplicate) { true } allow(Security::StoreFindingsMetadataService).to receive(:execute).and_call_original
end
it 'sets the deduplicated flag of duplicated finding false' do it 'creates a new security scan' do
expect { store_scan }.to change { duplicated_finding_attribute.call }.to(false) expect { store_scan }.to change { artifact.job.security_scans.sast.count }.by(1)
end end
it 'sets the deduplicated flag of unique finding as true' do context 'when the `deduplicate` param is set as false' do
expect { store_scan }.to change { unique_finding_attribute.call }.to(true) it 'sets the deduplicated flag of duplicated finding as false' do
expect { store_scan }.to change { duplicated_finding_attribute.call }.to(false)
end
it 'sets the deduplicated flag of unique finding as true' do
expect { store_scan }.to change { unique_finding_attribute.call }.to(true)
end
end
context 'when the `deduplicate` param is set as true' do
let(:deduplicate) { true }
it 'sets the deduplicated flag of duplicated finding false' do
expect { store_scan }.to change { duplicated_finding_attribute.call }.to(false)
end
it 'sets the deduplicated flag of unique finding as true' do
expect { store_scan }.to change { unique_finding_attribute.call }.to(true)
end
end end
end end
end end
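Review bot: The 'feature is not enabled' context only asserts that `StoreFindingsMetadataService.execute` is not received and that a scan row is still created; it never checks that no `security_findings` rows are written, which is the behaviour the flag gates, nor what `store_scan` returns on the early-return path. Add `expect { store_scan }.not_to change { Security::Finding.count }` next to the existing `not_to have_received` example, and, if the return value is part of the service's contract, `expect(store_scan).to eq(security_scan)` in the 'already exists' sub-context. The `not_to have_received` matcher also relies on a spy (`allow(...).to receive`) being set up before this hunk; that setup is outside the visible lines, so confirm it covers this context rather than only the 'does not exist' one, which carries its own `allow ... and_call_original`.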
......