Mark projects as vulnerable

ee/app/services/security/store_reports_service.rb

@@ -6,20 +6,35 @@ module Security
   class StoreReportsService < ::BaseService
     def initialize(pipeline)
       @pipeline = pipeline
+      @errors = []
     end
 
     def execute
-      errors = []
-      @pipeline.security_reports.reports.each do |report_type, report|
-        result = StoreReportService.new(@pipeline, report).execute
+      store_reports
+      mark_project_as_vulnerable
+
+      errors.any? ? error(full_errors) : success
+    end
+
+    private
+
+    attr_reader :pipeline, :errors
+
+    delegate :project, to: :pipeline, private: true
+
+    def store_reports
+      pipeline.security_reports.reports.each do |report_type, report|
+        result = StoreReportService.new(pipeline, report).execute
         errors << result[:message] if result[:status] == :error
       end
+    end
 
-      if errors.any?
-        error(errors.join(", "))
-      else
-        success
-      end
+    def mark_project_as_vulnerable
+      project.project_setting.update(has_vulnerabilities: true)
+    end
+
+    def full_errors
+      errors.join(", ")
     end
   end
 end

ee/spec/services/security/store_reports_service_spec.rb

@@ -33,6 +33,10 @@ RSpec.describe Security::StoreReportsService do
         subject
       end
 
+      it 'marks the project as vulnerable' do
+        expect { subject }.to change { project.project_setting.has_vulnerabilities }.from(false).to(true)
+      end
+
       context 'when StoreReportService returns an error for a report' do
         let(:reports) { Gitlab::Ci::Reports::Security::Reports.new(pipeline) }
         let(:sast_report) { reports.get_report('sast', sast_artifact) }

spec/lib/gitlab/import_export/safe_model_attributes.yml

@@ -683,6 +683,7 @@ ProjectCiCdSetting:
 ProjectSetting:
 - allow_merge_on_skipped_pipeline
 - has_confluence
+- has_vulnerabilities
 ProtectedEnvironment:
 - id
 - project_id