Merge branch '119021-fix-project-security-status-missing-subgroups' into 'master'

Fix: include subgroups in security status

See merge request gitlab-org/gitlab!22653

ee/app/models/ee/group.rb

@@ -151,7 +151,12 @@ module EE
     end
 
     def vulnerable_projects
-      projects.where("EXISTS(?)", ::Vulnerabilities::Occurrence.select(1).undismissed.where('vulnerability_occurrences.project_id = projects.id'))
+      vulnerabilities = ::Vulnerabilities::Occurrence
+        .select(1)
+        .undismissed
+        .where('vulnerability_occurrences.project_id = projects.id')
+
+      ::Project.for_group_and_its_subgroups(self).where("EXISTS(?)", vulnerabilities)
     end
 
     def human_ldap_access

ee/changelogs/unreleased/119021-fix-project-security-status-missing-subgroups.yml

+---
+title: 'Fix include subgroups in security status'
+merge_request: 22653
+author:
+type: fixed

ee/spec/models/group_spec.rb

@@ -273,6 +273,17 @@ describe Group do
       expect(vulnerable_projects.first).to eq(vulnerable_project)
     end
 
+    it 'includes projects in subgroups' do
+      subgroup = create(:group, parent: group)
+      project = create(:project, namespace: subgroup)
+      create(:vulnerabilities_occurrence, project: project)
+
+      vulnerable_projects = group.vulnerable_projects
+
+      expect(vulnerable_projects.count).to be(1)
+      expect(vulnerable_projects.first).to eq(project)
+    end
+
     it 'does not include projects that only have dismissed vulnerabilities' do
       project = create(:project, namespace: group)
       vulnerability = create(:vulnerabilities_occurrence, report_type: :dast, project: project)