Fix Security::FindingsFinder to return only the latest findings

Changelog: fixed EE: true

Fix Security::FindingsFinder to return only the latest findings
Changelog: fixed EE: true
38ab2ece · Mehmet Emin INAC · 192e2526 · 38ab2ece · 38ab2ece · 38ab2ece
Commit 38ab2ece authored Aug 16, 2021 by Mehmet Emin INAC
5 changed files
--- a/ee/app/finders/security/findings_finder.rb
+++ b/ee/app/finders/security/findings_finder.rb
@@ -132,6 +132,7 @@ module Security
              .with_scanner
              .deduplicated
              .ordered
+              .latest
              .page(page)
              .per(per_page)
              .then(&method(:by_confidence_levels))

--- a/ee/app/models/security/finding.rb
+++ b/ee/app/models/security/finding.rb
@@ -34,6 +34,7 @@ module Security
                .where('security_scans.id = security_findings.scan_id')
                .where('vulnerability_feedback.project_fingerprint = security_findings.project_fingerprint'))
    end
+    scope :latest, -> { joins(:scan).merge(Security::Scan.latest_successful_by_build) }
    scope :ordered, -> { order(severity: :desc, confidence: :desc, id: :asc) }
    scope :with_pipeline_entities, -> { includes(build: [:job_artifacts, :pipeline]) }
    scope :with_scan, -> { includes(:scan) }

--- a/ee/spec/factories/security_scans.rb
+++ b/ee/spec/factories/security_scans.rb
@@ -3,6 +3,6 @@
 FactoryBot.define do
  factory :security_scan, class: 'Security::Scan' do
    scan_type { 'dast' }
-    build factory: :ci_build
+    build factory: [:ci_build, :success]
  end
 end
--- a/ee/spec/finders/security/findings_finder_spec.rb
+++ b/ee/spec/finders/security/findings_finder_spec.rb
@@ -304,6 +304,41 @@ RSpec.describe Security::FindingsFinder do
          it { is_expected.to match_array(expected_fingerprints) }
        end

+        context 'when there is a retried build' do
+          let(:retried_build) { create(:ci_build, :success, :retried, name: 'dependency_scanning', pipeline: pipeline) }
+          let(:artifact) { create(:ee_ci_job_artifact, :dependency_scanning, job: retried_build) }
+          let(:report) { create(:ci_reports_security_report, pipeline: pipeline, type: :dependency_scanning) }
+          let(:report_types) { :dependency_scanning }
+          let(:expected_fingerprints) do
+            %w[
+              3204893d5894c74aaee86ce5bc28427f9f14e512
+              157f362acf654c60e224400f59a088e1c01b369f
+              4ae096451135db224b9e16818baaca8096896522
+            ]
+          end
+
+          before do
+            retried_content = File.read(artifact.file.path)
+            Gitlab::Ci::Parsers::Security::DependencyScanning.parse!(retried_content, report)
+            report.merge!(report)
+
+            scan = create(:security_scan, scan_type: retried_build.name, build: retried_build)
+
+            report.findings.each_with_index do |finding, index|
+              create(:security_finding,
+                     severity: finding.severity,
+                     confidence: finding.confidence,
+                     project_fingerprint: finding.project_fingerprint,
+                     uuid: finding.uuid,
+                     deduplicated: true,
+                     position: index,
+                     scan: scan)
+            end
+          end
+
+          it { is_expected.to match_array(expected_fingerprints) }
+        end
+
        context 'when a build has more than one security report artifacts' do
          let(:report_types) { :secret_detection }
          let(:secret_detection_report) { create(:ci_reports_security_report, pipeline: pipeline, type: :secret_detection) }

--- a/ee/spec/models/security/finding_spec.rb
+++ b/ee/spec/models/security/finding_spec.rb
@@ -143,4 +143,16 @@ RSpec.describe Security::Finding do
      })
    }
  end
+
+  describe '.latest' do
+    subject { described_class.latest }
+
+    let(:expected_findings) { [finding_2] }
+
+    before do
+      finding_1.build.update!(retried: true)
+    end
+
+    it { is_expected.to eq(expected_findings) }
+  end
 end