Copy dismissal information to vulnerability on creation

Finding can be dismissed via the "pipeline security tab" even before we create the vulnerability for it. For this reason, we need to sync the existing dismissal information while creating the vulnerability.

Copy dismissal information to vulnerability on creation
Finding can be dismissed via the "pipeline security tab" even before we create the vulnerability for it. For this reason, we need to sync the existing dismissal information while creating the vulnerability.
3260d46b · Mehmet Emin INAC · dabad744 · 3260d46b · 3260d46b · 3260d46b
Commit 3260d46b authored Oct 19, 2020 by Mehmet Emin INAC
3 changed files
--- a/ee/app/services/vulnerabilities/create_service.rb
+++ b/ee/app/services/vulnerabilities/create_service.rb
@@ -3,6 +3,7 @@
 module Vulnerabilities
  class CreateService
    include Gitlab::Allowable
+    include Gitlab::Utils::StrongMemoize

    def initialize(project, author, finding_id:)
      @project = project
@@ -16,9 +17,6 @@ module Vulnerabilities
      vulnerability = Vulnerability.new

      Vulnerabilities::Finding.transaction(requires_new: true) do
-        # we're using `lock` instead of `with_lock` to avoid extra call to `find` under the hood
-        finding = @project.vulnerability_findings.lock_for_confirmation!(@finding_id)
-
        save_vulnerability(vulnerability, finding)
        Statistics::UpdateService.update_for(vulnerability)
        HistoricalStatistics::UpdateService.update_for(@project)
@@ -42,9 +40,21 @@ module Vulnerabilities
        severity_overridden: false,
        confidence: finding.confidence,
        confidence_overridden: false,
-        report_type: finding.report_type
+        report_type: finding.report_type,
+        dismissed_at: existing_dismissal_feedback&.created_at,
+        dismissed_by_id: existing_dismissal_feedback&.author_id
      )
+
      vulnerability.save && vulnerability.findings << finding
    end
+
+    def existing_dismissal_feedback
+      strong_memoize(:existing_dismissal_feedback) { finding.dismissal_feedback }
+    end
+
+    def finding
+      # we're using `lock` instead of `with_lock` to avoid extra call to `find` under the hood
+      @finding ||= @project.vulnerability_findings.lock_for_confirmation!(@finding_id)
+    end
  end
 end
--- a/ee/spec/factories/vulnerabilities/findings.rb
+++ b/ee/spec/factories/vulnerabilities/findings.rb
@@ -91,8 +91,15 @@ FactoryBot.define do
    end

    trait :dismissed do
+      with_dismissal_feedback
+
      after(:create) do |finding|
        create(:vulnerability, :dismissed, project: finding.project, findings: [finding])
+      end
+    end
+
+    trait :with_dismissal_feedback do
+      after(:create) do |finding|
        create(:vulnerability_feedback,
               :dismissal,
               project: finding.project,

--- a/ee/spec/services/vulnerabilities/create_service_spec.rb
+++ b/ee/spec/services/vulnerabilities/create_service_spec.rb
@@ -39,12 +39,15 @@ RSpec.describe Vulnerabilities::CreateService do
    end

    context 'and finding is dismissed' do
-      let(:finding) { create(:vulnerabilities_occurrence, :dismissed, project: project) }
+      let(:finding) { create(:vulnerabilities_occurrence, :with_dismissal_feedback, project: project) }
+      let(:vulnerability) { project.vulnerabilities.last }

-      it 'creates a vulnerability in a dismissed state' do
+      it 'creates a vulnerability in a dismissed state and sets dismissal information' do
        expect { subject }.to change { project.vulnerabilities.count }.by(1)

-        expect(project.vulnerabilities.last.state).to eq('dismissed')
+        expect(vulnerability.state).to eq('dismissed')
+        expect(vulnerability.dismissed_at).to eq(finding.dismissal_feedback.created_at)
+        expect(vulnerability.dismissed_by_id).to eq(finding.dismissal_feedback.author_id)
      end
    end