Commit 385c2634 authored by Michael Kozono's avatar Michael Kozono

Merge branch 'remove_vulnerability_finding_tracking_signatures_flag' into 'master'

Drops :vulnerability_finding_tracking_signatures flag

See merge request gitlab-org/gitlab!65924
parents 2b621e7a 5654dbaf
---
name: vulnerability_finding_tracking_signatures
introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/54608
rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/322044
milestone: '13.11'
type: development
group: group::vulnerability research
default_enabled: false
...@@ -155,7 +155,7 @@ module Security ...@@ -155,7 +155,7 @@ module Security
end end
def dismissal_feedback?(finding) def dismissal_feedback?(finding)
if ::Feature.enabled?(:vulnerability_finding_tracking_signatures, pipeline.project) && pipeline.project.licensed_feature_available?(:vulnerability_finding_signatures) && !finding.signatures.empty? if pipeline.project.licensed_feature_available?(:vulnerability_finding_signatures) && !finding.signatures.empty?
dismissal_feedback_by_finding_signatures(finding) dismissal_feedback_by_finding_signatures(finding)
else else
dismissal_feedback_by_project_fingerprint(finding) dismissal_feedback_by_project_fingerprint(finding)
......
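Review bot: The new `if` in `dismissal_feedback?` calls `pipeline.project.licensed_feature_available?(:vulnerability_finding_signatures)` on every invocation, and the identical expression is now hand-copied into `parse_raw_security_artifact_blob`, the `security_report` memoize block, `Vulnerabilities::Finding#eql?`, both `Security::StoreReportService` hunks, `override_uuids?` and `VulnerabilityReportsComparer#initialize`, so the flag removal leaves the gate spelled out in seven places. A single predicate, memoized where the caller runs per finding — for example `strong_memoize(:signatures_enabled) { pipeline.project.licensed_feature_available?(:vulnerability_finding_signatures) }` — would keep the license gate in one place and avoid repeating the lookup for each finding. Whether `dismissal_feedback?` is in fact called once per finding is not visible here; the method's body continues past the hunk.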
...@@ -233,7 +233,7 @@ module EE ...@@ -233,7 +233,7 @@ module EE
end end
def parse_raw_security_artifact_blob(security_report, blob) def parse_raw_security_artifact_blob(security_report, blob)
signatures_enabled = ::Feature.enabled?(:vulnerability_finding_tracking_signatures, project) && project.licensed_feature_available?(:vulnerability_finding_signatures) signatures_enabled = project.licensed_feature_available?(:vulnerability_finding_signatures)
::Gitlab::Ci::Parsers.fabricate!(security_report.type, blob, security_report, signatures_enabled).parse! ::Gitlab::Ci::Parsers.fabricate!(security_report.type, blob, security_report, signatures_enabled).parse!
end end
......
...@@ -93,7 +93,7 @@ module EE ...@@ -93,7 +93,7 @@ module EE
strong_memoize(:security_report) do strong_memoize(:security_report) do
next unless file_type.in?(SECURITY_REPORT_FILE_TYPES) next unless file_type.in?(SECURITY_REPORT_FILE_TYPES)
signatures_enabled = ::Feature.enabled?(:vulnerability_finding_tracking_signatures, project) && project.licensed_feature_available?(:vulnerability_finding_signatures) signatures_enabled = project.licensed_feature_available?(:vulnerability_finding_signatures)
report = ::Gitlab::Ci::Reports::Security::Report.new(file_type, job.pipeline, nil).tap do |report| report = ::Gitlab::Ci::Reports::Security::Report.new(file_type, job.pipeline, nil).tap do |report|
each_blob do |blob| each_blob do |blob|
......
...@@ -317,7 +317,7 @@ module Vulnerabilities ...@@ -317,7 +317,7 @@ module Vulnerabilities
return false unless other.is_a?(self.class) return false unless other.is_a?(self.class)
return false unless other.report_type == report_type && other.primary_identifier_fingerprint == primary_identifier_fingerprint return false unless other.report_type == report_type && other.primary_identifier_fingerprint == primary_identifier_fingerprint
if ::Feature.enabled?(:vulnerability_finding_tracking_signatures, project) && project.licensed_feature_available?(:vulnerability_finding_signatures) if project.licensed_feature_available?(:vulnerability_finding_signatures)
matches_signatures(other.signatures, other.uuid) matches_signatures(other.signatures, other.uuid)
else else
other.location_fingerprint == location_fingerprint other.location_fingerprint == location_fingerprint
......
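Review bot: `eql?` now chooses between `matches_signatures` and the `location_fingerprint` comparison on a license lookup performed on every comparison, so `hash` (not in the hunk) must be derived from the same branch or `uniq`, `Set` and `Hash` lookups on findings will violate the `eql?`/`hash` contract. Please confirm that `hash` in this class reads the same predicate, and consider evaluating it once per instance, as `VulnerabilityReportsComparer#initialize` in this commit does, rather than on each call. The enclosing `eql?` definition starts outside the hunk.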
...@@ -80,7 +80,7 @@ module Security ...@@ -80,7 +80,7 @@ module Security
update_vulnerability_finding(vulnerability_finding, vulnerability_params) update_vulnerability_finding(vulnerability_finding, vulnerability_params)
reset_remediations_for(vulnerability_finding, finding) reset_remediations_for(vulnerability_finding, finding)
if ::Feature.enabled?(:vulnerability_finding_tracking_signatures, project) && project.licensed_feature_available?(:vulnerability_finding_signatures) if project.licensed_feature_available?(:vulnerability_finding_signatures)
update_feedbacks(vulnerability_finding, vulnerability_params[:uuid]) update_feedbacks(vulnerability_finding, vulnerability_params[:uuid])
update_finding_signatures(finding, vulnerability_finding) update_finding_signatures(finding, vulnerability_finding)
end end
...@@ -89,7 +89,7 @@ module Security ...@@ -89,7 +89,7 @@ module Security
end end
def find_or_create_vulnerability_finding(finding, create_params) def find_or_create_vulnerability_finding(finding, create_params)
if ::Feature.enabled?(:vulnerability_finding_tracking_signatures, project) && project.licensed_feature_available?(:vulnerability_finding_signatures) if project.licensed_feature_available?(:vulnerability_finding_signatures)
find_or_create_vulnerability_finding_with_signatures(finding, create_params) find_or_create_vulnerability_finding_with_signatures(finding, create_params)
else else
find_or_create_vulnerability_finding_with_location(finding, create_params) find_or_create_vulnerability_finding_with_location(finding, create_params)
......
...@@ -39,7 +39,7 @@ module Security ...@@ -39,7 +39,7 @@ module Security
end end
def override_uuids? def override_uuids?
::Feature.enabled?(:vulnerability_finding_tracking_signatures, project) && project.licensed_feature_available?(:vulnerability_finding_signatures) project.licensed_feature_available?(:vulnerability_finding_signatures)
end end
def security_scan def security_scan
......
...@@ -201,7 +201,7 @@ RSpec.describe Security::PipelineVulnerabilitiesFinder do ...@@ -201,7 +201,7 @@ RSpec.describe Security::PipelineVulnerabilitiesFinder do
let(:ds_finding) { pipeline.security_reports.reports["dependency_scanning"].findings.first } let(:ds_finding) { pipeline.security_reports.reports["dependency_scanning"].findings.first }
let(:sast_finding) { pipeline.security_reports.reports["sast"].findings.first } let(:sast_finding) { pipeline.security_reports.reports["sast"].findings.first }
context 'when vulnerability_finding_tracking_signatures feature flag is disabled' do context 'when vulnerability_finding_signatures feature is disabled' do
let!(:feedback) do let!(:feedback) do
[ [
create( create(
...@@ -228,7 +228,7 @@ RSpec.describe Security::PipelineVulnerabilitiesFinder do ...@@ -228,7 +228,7 @@ RSpec.describe Security::PipelineVulnerabilitiesFinder do
end end
before do before do
stub_feature_flags(vulnerability_finding_tracking_signatures: false) stub_licensed_features(sast: true, dependency_scanning: true, container_scanning: true, dast: true, vulnerability_finding_signatures: false)
end end
context 'when unscoped' do context 'when unscoped' do
...@@ -258,7 +258,7 @@ RSpec.describe Security::PipelineVulnerabilitiesFinder do ...@@ -258,7 +258,7 @@ RSpec.describe Security::PipelineVulnerabilitiesFinder do
end end
end end
context 'when vulnerability_finding_tracking_signatures feature flag is enabled' do context 'when vulnerability_finding_signatures feature is enabled' do
let!(:feedback) do let!(:feedback) do
[ [
create( create(
...@@ -275,7 +275,7 @@ RSpec.describe Security::PipelineVulnerabilitiesFinder do ...@@ -275,7 +275,7 @@ RSpec.describe Security::PipelineVulnerabilitiesFinder do
end end
before do before do
stub_feature_flags(vulnerability_finding_tracking_signatures: true) stub_licensed_features(sast: true, dependency_scanning: true, container_scanning: true, dast: true, vulnerability_finding_signatures: true)
end end
context 'when unscoped' do context 'when unscoped' do
......
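Review bot: The `before` blocks of the disabled and enabled contexts now repeat the full `stub_licensed_features(sast: true, dependency_scanning: true, container_scanning: true, dast: true, vulnerability_finding_signatures: ...)` list and differ only in the last value, so any licensed feature added to the outer setup has to be copied into both. Presumably the other features are restated because this call overrides the outer stub; a `let(:vulnerability_finding_signatures)` per context and one shared `before` with `vulnerability_finding_signatures: vulnerability_finding_signatures` would keep the list in one place. The outer setup these contexts sit in is outside the hunks shown.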
...@@ -371,24 +371,21 @@ RSpec.describe Ci::Build do ...@@ -371,24 +371,21 @@ RSpec.describe Ci::Build do
end end
end end
context 'vulnerability_finding_tracking_signatures' do context 'vulnerability_finding_signatures' do
let!(:artifact) { create(:ee_ci_job_artifact, :sast, job: job, project: job.project) } let!(:artifact) { create(:ee_ci_job_artifact, :sast, job: job, project: job.project) }
where(vulnerability_finding_signatures_enabled: [true, false]) where(vulnerability_finding_signatures: [true, false])
with_them do with_them do
it 'parses the report' do it 'parses the report' do
stub_licensed_features( stub_licensed_features(
sast: true, sast: true,
vulnerability_finding_signatures: vulnerability_finding_signatures_enabled vulnerability_finding_signatures: vulnerability_finding_signatures
)
stub_feature_flags(
vulnerability_finding_tracking_signatures: vulnerability_finding_signatures_enabled
) )
expect(::Gitlab::Ci::Parsers::Security::Sast).to receive(:new).with( expect(::Gitlab::Ci::Parsers::Security::Sast).to receive(:new).with(
artifact.file.read, artifact.file.read,
kind_of(::Gitlab::Ci::Reports::Security::Report), kind_of(::Gitlab::Ci::Reports::Security::Report),
vulnerability_finding_signatures_enabled vulnerability_finding_signatures
) )
subject subject
......
# frozen_string_literal: true # frozen_string_literal: true
require 'spec_helper' require 'spec_helper'
RSpec.describe Vulnerabilities::Finding do RSpec.describe Vulnerabilities::Finding do
...@@ -8,12 +7,10 @@ RSpec.describe Vulnerabilities::Finding do ...@@ -8,12 +7,10 @@ RSpec.describe Vulnerabilities::Finding do
it { is_expected.to define_enum_for(:severity) } it { is_expected.to define_enum_for(:severity) }
it { is_expected.to define_enum_for(:detection_method) } it { is_expected.to define_enum_for(:detection_method) }
where(vulnerability_finding_signatures_enabled: [true, false]) where(vulnerability_finding_signatures: [true, false])
with_them do with_them do
before do before do
stub_feature_flags(vulnerability_finding_tracking_signatures: vulnerability_finding_signatures_enabled) stub_licensed_features(vulnerability_finding_signatures: vulnerability_finding_signatures)
stub_feature_flags(vulnerability_finding_replace_metadata: false)
stub_licensed_features(vulnerability_finding_signatures: vulnerability_finding_signatures_enabled)
end end
describe 'associations' do describe 'associations' do
...@@ -388,6 +385,10 @@ RSpec.describe Vulnerabilities::Finding do ...@@ -388,6 +385,10 @@ RSpec.describe Vulnerabilities::Finding do
end end
context 'when the feature flag is disabled' do context 'when the feature flag is disabled' do
before do
stub_feature_flags(vulnerability_finding_replace_metadata: false)
end
it 'returns links from raw_metadata' do it 'returns links from raw_metadata' do
expect(links).to eq([{ 'url' => 'https://raw.example.com', 'name' => 'raw_metadata_link' }]) expect(links).to eq([{ 'url' => 'https://raw.example.com', 'name' => 'raw_metadata_link' }])
end end
...@@ -966,7 +967,7 @@ RSpec.describe Vulnerabilities::Finding do ...@@ -966,7 +967,7 @@ RSpec.describe Vulnerabilities::Finding do
expect(signature1.eql?(signature2)).to be(true) expect(signature1.eql?(signature2)).to be(true)
# now verify that the correct matching method was used for eql? # now verify that the correct matching method was used for eql?
expect(finding1.eql?(finding2)).to be(vulnerability_finding_signatures_enabled) expect(finding1.eql?(finding2)).to be(vulnerability_finding_signatures)
end end
it 'wont match other record types' do it 'wont match other record types' do
...@@ -1035,7 +1036,7 @@ RSpec.describe Vulnerabilities::Finding do ...@@ -1035,7 +1036,7 @@ RSpec.describe Vulnerabilities::Finding do
end end
with_them do with_them do
it 'matches correctly' do it 'matches correctly' do
next unless vulnerability_finding_signatures_enabled next unless vulnerability_finding_signatures
create_signatures create_signatures
expect(finding1.eql?(finding2)).to be(should_match) expect(finding1.eql?(finding2)).to be(should_match)
......
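Review bot: Dropping `stub_feature_flags(vulnerability_finding_replace_metadata: false)` from the top-level `before` and re-adding it only in the 'when the feature flag is disabled' context changes the default for every other example in this spec, which now runs with that flag at whatever `Feature.enabled?` returns by default; this is unrelated to the `vulnerability_finding_tracking_signatures` removal the commit describes. If the change is intended, a sentence in the commit description would help reviewers; if not, the stub should stay in the outer `before`. The examples affected are outside the hunks shown.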
...@@ -11,10 +11,10 @@ RSpec.describe Ci::CompareSecurityReportsService do ...@@ -11,10 +11,10 @@ RSpec.describe Ci::CompareSecurityReportsService do
collection.map { |t| t['identifiers'].first['external_id'] } collection.map { |t| t['identifiers'].first['external_id'] }
end end
where(vulnerability_finding_tracking_signatures_enabled: [true, false]) where(vulnerability_finding_signatures: [true, false])
with_them do with_them do
before do before do
stub_feature_flags(vulnerability_finding_tracking_signatures: vulnerability_finding_tracking_signatures_enabled) stub_licensed_features(vulnerability_finding_signatures: vulnerability_finding_signatures)
end end
describe '#execute DS' do describe '#execute DS' do
......
...@@ -15,19 +15,18 @@ RSpec.describe Security::StoreReportService, '#execute' do ...@@ -15,19 +15,18 @@ RSpec.describe Security::StoreReportService, '#execute' do
subject { described_class.new(pipeline, report).execute } subject { described_class.new(pipeline, report).execute }
where(:vulnerability_finding_signatures_enabled) do where(:vulnerability_finding_signatures) do
[true, false] [true, false]
end end
with_them do with_them do
before do before do
stub_feature_flags(vulnerability_finding_tracking_signatures: vulnerability_finding_signatures_enabled)
stub_licensed_features( stub_licensed_features(
sast: true, sast: true,
dependency_scanning: true, dependency_scanning: true,
container_scanning: true, container_scanning: true,
security_dashboard: true, security_dashboard: true,
vulnerability_finding_signatures: vulnerability_finding_signatures_enabled vulnerability_finding_signatures: vulnerability_finding_signatures
) )
allow(Security::AutoFixWorker).to receive(:perform_async) allow(Security::AutoFixWorker).to receive(:perform_async)
end end
...@@ -85,7 +84,7 @@ RSpec.describe Security::StoreReportService, '#execute' do ...@@ -85,7 +84,7 @@ RSpec.describe Security::StoreReportService, '#execute' do
end end
it 'inserts all signatures' do it 'inserts all signatures' do
signatures_count = vulnerability_finding_signatures_enabled ? signatures : 0 signatures_count = vulnerability_finding_signatures ? signatures : 0
expect { subject }.to change { Vulnerabilities::FindingSignature.count }.by(signatures_count) expect { subject }.to change { Vulnerabilities::FindingSignature.count }.by(signatures_count)
end end
end end
...@@ -408,7 +407,7 @@ RSpec.describe Security::StoreReportService, '#execute' do ...@@ -408,7 +407,7 @@ RSpec.describe Security::StoreReportService, '#execute' do
end end
it 'handles the error correctly' do it 'handles the error correctly' do
next unless vulnerability_finding_signatures_enabled next unless vulnerability_finding_signatures
report_finding = report.findings.find { |f| f.location.fingerprint == finding.location_fingerprint} report_finding = report.findings.find { |f| f.location.fingerprint == finding.location_fingerprint}
...@@ -418,7 +417,7 @@ RSpec.describe Security::StoreReportService, '#execute' do ...@@ -418,7 +417,7 @@ RSpec.describe Security::StoreReportService, '#execute' do
end end
it 'raises the error if there exists no vulnerability finding' do it 'raises the error if there exists no vulnerability finding' do
next unless vulnerability_finding_signatures_enabled next unless vulnerability_finding_signatures
allow(store_report_service).to receive(:sync_vulnerability_finding).and_raise(ActiveRecord::RecordNotUnique) allow(store_report_service).to receive(:sync_vulnerability_finding).and_raise(ActiveRecord::RecordNotUnique)
...@@ -429,7 +428,7 @@ RSpec.describe Security::StoreReportService, '#execute' do ...@@ -429,7 +428,7 @@ RSpec.describe Security::StoreReportService, '#execute' do
end end
it 'updates signatures to match new values' do it 'updates signatures to match new values' do
next unless vulnerability_finding_signatures_enabled next unless vulnerability_finding_signatures
expect(finding.signatures.count).to eq(1) expect(finding.signatures.count).to eq(1)
expect(finding.signatures.first.algorithm_type).to eq('hash') expect(finding.signatures.first.algorithm_type).to eq('hash')
...@@ -685,9 +684,6 @@ RSpec.describe Security::StoreReportService, '#execute' do ...@@ -685,9 +684,6 @@ RSpec.describe Security::StoreReportService, '#execute' do
security_dashboard: true, security_dashboard: true,
vulnerability_finding_signatures: false vulnerability_finding_signatures: false
) )
stub_feature_flags(
vulnerability_finding_tracking_signatures: false
)
expect do expect do
expect do expect do
...@@ -703,7 +699,6 @@ RSpec.describe Security::StoreReportService, '#execute' do ...@@ -703,7 +699,6 @@ RSpec.describe Security::StoreReportService, '#execute' do
security_dashboard: true, security_dashboard: true,
vulnerability_finding_signatures: true vulnerability_finding_signatures: true
) )
stub_feature_flags(vulnerability_finding_tracking_signatures: true)
pipeline, report = generate_new_pipeline pipeline, report = generate_new_pipeline
......
...@@ -59,59 +59,29 @@ RSpec.describe Security::StoreScanService do ...@@ -59,59 +59,29 @@ RSpec.describe Security::StoreScanService do
context 'when the `vulnerability_finding_signatures` licensed feature is available' do context 'when the `vulnerability_finding_signatures` licensed feature is available' do
before do before do
stub_feature_flags(vulnerability_finding_tracking_signatures: feature_enabled?)
stub_licensed_features(vulnerability_finding_signatures: true) stub_licensed_features(vulnerability_finding_signatures: true)
allow(Security::OverrideUuidsService).to receive(:execute) allow(Security::OverrideUuidsService).to receive(:execute)
end end
context 'when the `vulnerability_finding_tracking_signatures` feature is enabled' do it 'calls `Security::OverrideUuidsService` with security report to re-calculate the finding UUIDs' do
let(:feature_enabled?) { true } store_scan
it 'calls `Security::OverrideUuidsService` with security report to re-calculate the finding UUIDs' do
store_scan
expect(Security::OverrideUuidsService).to have_received(:execute).with(artifact.security_report)
end
end
context 'when the `vulnerability_finding_tracking_signatures` feature is disabled' do
let(:feature_enabled?) { false }
it 'does not call `Security::OverrideUuidsService`' do
store_scan
expect(Security::OverrideUuidsService).not_to have_received(:execute) expect(Security::OverrideUuidsService).to have_received(:execute).with(artifact.security_report)
end
end end
end end
context 'when the `vulnerability_finding_signatures` licensed feature is not available' do context 'when the `vulnerability_finding_signatures` licensed feature is not available' do
before do before do
stub_feature_flags(vulnerability_finding_tracking_signatures: feature_enabled?)
stub_licensed_features(vulnerability_finding_signatures: false) stub_licensed_features(vulnerability_finding_signatures: false)
allow(Security::OverrideUuidsService).to receive(:execute) allow(Security::OverrideUuidsService).to receive(:execute)
end end
context 'when the `vulnerability_finding_tracking_signatures` feature is enabled' do it 'does not call `Security::OverrideUuidsService`' do
let(:feature_enabled?) { true } store_scan
it 'does not call `Security::OverrideUuidsService`' do
store_scan
expect(Security::OverrideUuidsService).not_to have_received(:execute)
end
end
context 'when the `vulnerability_finding_tracking_signatures` feature is disabled' do
let(:feature_enabled?) { false }
it 'does not call `Security::OverrideUuidsService`' do
store_scan
expect(Security::OverrideUuidsService).not_to have_received(:execute) expect(Security::OverrideUuidsService).not_to have_received(:execute)
end
end end
end end
......
...@@ -15,10 +15,7 @@ module Gitlab ...@@ -15,10 +15,7 @@ module Gitlab
@base_report = base_report @base_report = base_report
@head_report = head_report @head_report = head_report
@signatures_enabled = ( @signatures_enabled = project.licensed_feature_available?(:vulnerability_finding_signatures)
::Feature.enabled?(:vulnerability_finding_tracking_signatures, project) &&
project.licensed_feature_available?(:vulnerability_finding_signatures)
)
if @signatures_enabled if @signatures_enabled
@added_findings = [] @added_findings = []
......
...@@ -24,12 +24,11 @@ RSpec.describe Gitlab::Ci::Reports::Security::VulnerabilityReportsComparer do ...@@ -24,12 +24,11 @@ RSpec.describe Gitlab::Ci::Reports::Security::VulnerabilityReportsComparer do
subject { described_class.new(project, base_report, head_report) } subject { described_class.new(project, base_report, head_report) }
where(vulnerability_finding_tracking_signatures_enabled: [true, false]) where(vulnerability_finding_signatures: [true, false])
with_them do with_them do
before do before do
stub_feature_flags(vulnerability_finding_tracking_signatures: vulnerability_finding_tracking_signatures_enabled) stub_licensed_features(vulnerability_finding_signatures: vulnerability_finding_signatures)
stub_licensed_features(vulnerability_finding_signatures: vulnerability_finding_tracking_signatures_enabled)
end end
describe '#base_report_out_of_date' do describe '#base_report_out_of_date' do
......