Merge branch 'hot_fix_store_report_service' into 'master'

Fix `StoreReportService` by falling back to find by location approach

See merge request gitlab-org/gitlab!67568

ee/app/services/security/store_report_service.rb

@@ -165,9 +165,6 @@ module Security
 
         vulnerability_finding
       rescue ActiveRecord::RecordNotUnique => e
-        # the uuid is the only unique constraint on the vulnerability_occurrences
-        # table - no need to use get_matched_findings(...).first here. Fetching
-        # the finding with the same uuid will be enough
         vulnerability_finding = project.vulnerability_findings.reset.find_by(uuid: finding.uuid)
         if vulnerability_finding
           sync_vulnerability_finding(vulnerability_finding, finding, create_params.dig(:location))
@@ -175,6 +172,19 @@ module Security
           return vulnerability_finding
         end
 
+        find_params = {
+          scanner: scanners_objects[finding.scanner.key],
+          primary_identifier: identifiers_objects[finding.primary_identifier.key],
+          location_fingerprint: finding.location.fingerprint
+        }
+
+        vulnerability_finding = project.vulnerability_findings.reset.find_by(find_params)
+        if vulnerability_finding
+          sync_vulnerability_finding(vulnerability_finding, finding, create_params.dig(:location))
+          vulnerability_finding.save!
+          return vulnerability_finding
+        end
+
         Gitlab::ErrorTracking.track_and_raise_exception(e, find_params: find_params, uuid: finding.uuid)
       rescue ActiveRecord::RecordInvalid => e
         Gitlab::ErrorTracking.track_and_raise_exception(e, create_params: create_params&.dig(:raw_metadata))

ee/spec/services/security/store_report_service_spec.rb

@@ -319,6 +319,23 @@ RSpec.describe Security::StoreReportService, '#execute' do
                location_fingerprint: '34661e23abcf78ff80dfcc89d0700437612e3f88')
       end
 
+      let(:identifier_of_corrupted_finding) do
+        create(:vulnerabilities_identifier,
+               project: project,
+               fingerprint: '5848739446034d982ef7beece3bb19bff4044ffb')
+      end
+
+      let!(:finding_with_wrong_uuidv5) do
+        create(:vulnerabilities_finding,
+               pipelines: [pipeline],
+               identifiers: [identifier_of_corrupted_finding],
+               primary_identifier: identifier_of_corrupted_finding,
+               scanner: scanner,
+               project: project,
+               uuid: 'd588ff5c-7f65-5ac1-9d11-4f57d65f3faf',
+               location_fingerprint: '650bd2dbdad33d2859747c6ae83dcf448ce02394')
+      end
+
       let!(:vulnerability_with_uuid5) { create(:vulnerability, findings: [finding_with_uuidv5], project: project) }
 
       before do
@@ -351,11 +368,11 @@ RSpec.describe Security::StoreReportService, '#execute' do
       end
 
       it 'inserts only new identifiers and reuse existing ones' do
-        expect { subject }.to change { Vulnerabilities::Identifier.count }.by(5)
+        expect { subject }.to change { Vulnerabilities::Identifier.count }.by(4)
       end
 
       it 'inserts only new findings and reuse existing ones' do
-        expect { subject }.to change { Vulnerabilities::Finding.count }.by(4)
+        expect { subject }.to change { Vulnerabilities::Finding.count }.by(3)
       end
 
       it 'inserts all finding pipelines (join model) for this new pipeline' do