Drops :vulnerability_finding_tracking_signatures flag

5654dbaf · rossfuhrman · Michael Kozono · b5758f26 · b5758f26 · 5654dbaf
Commit 5654dbaf authored Aug 16, 2021 by rossfuhrman Committed by Michael Kozono Aug 16, 2021
15 changed files
--- a/config/feature_flags/development/vulnerability_finding_tracking_signatures.yml
+++ b/config/feature_flags/development/vulnerability_finding_tracking_signatures.yml
---
-name: vulnerability_finding_tracking_signatures
-introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/54608
-rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/322044
-milestone: '13.11'
-type: development
-group: group::vulnerability research
-default_enabled: false
--- a/ee/app/finders/security/pipeline_vulnerabilities_finder.rb
+++ b/ee/app/finders/security/pipeline_vulnerabilities_finder.rb
@@ -155,7 +155,7 @@ module Security
    end

    def dismissal_feedback?(finding)
-      if ::Feature.enabled?(:vulnerability_finding_tracking_signatures, pipeline.project) && pipeline.project.licensed_feature_available?(:vulnerability_finding_signatures) && !finding.signatures.empty?
+      if pipeline.project.licensed_feature_available?(:vulnerability_finding_signatures) && !finding.signatures.empty?
        dismissal_feedback_by_finding_signatures(finding)
      else
        dismissal_feedback_by_project_fingerprint(finding)

--- a/ee/app/models/ee/ci/build.rb
+++ b/ee/app/models/ee/ci/build.rb
@@ -233,7 +233,7 @@ module EE
      end

      def parse_raw_security_artifact_blob(security_report, blob)
-        signatures_enabled = ::Feature.enabled?(:vulnerability_finding_tracking_signatures, project) && project.licensed_feature_available?(:vulnerability_finding_signatures)
+        signatures_enabled = project.licensed_feature_available?(:vulnerability_finding_signatures)
        ::Gitlab::Ci::Parsers.fabricate!(security_report.type, blob, security_report, signatures_enabled).parse!
      end


--- a/ee/app/models/ee/ci/job_artifact.rb
+++ b/ee/app/models/ee/ci/job_artifact.rb
@@ -93,7 +93,7 @@ module EE
      strong_memoize(:security_report) do
        next unless file_type.in?(SECURITY_REPORT_FILE_TYPES)

-        signatures_enabled = ::Feature.enabled?(:vulnerability_finding_tracking_signatures, project) && project.licensed_feature_available?(:vulnerability_finding_signatures)
+        signatures_enabled = project.licensed_feature_available?(:vulnerability_finding_signatures)

        report = ::Gitlab::Ci::Reports::Security::Report.new(file_type, job.pipeline, nil).tap do |report|
          each_blob do |blob|

--- a/ee/app/models/vulnerabilities/finding.rb
+++ b/ee/app/models/vulnerabilities/finding.rb
@@ -317,7 +317,7 @@ module Vulnerabilities
      return false unless other.is_a?(self.class)
      return false unless other.report_type == report_type && other.primary_identifier_fingerprint == primary_identifier_fingerprint

-      if ::Feature.enabled?(:vulnerability_finding_tracking_signatures, project) && project.licensed_feature_available?(:vulnerability_finding_signatures)
+      if project.licensed_feature_available?(:vulnerability_finding_signatures)
        matches_signatures(other.signatures, other.uuid)
      else
        other.location_fingerprint == location_fingerprint

--- a/ee/app/services/security/store_report_service.rb
+++ b/ee/app/services/security/store_report_service.rb
@@ -80,7 +80,7 @@ module Security
      update_vulnerability_finding(vulnerability_finding, vulnerability_params)
      reset_remediations_for(vulnerability_finding, finding)

-      if ::Feature.enabled?(:vulnerability_finding_tracking_signatures, project) && project.licensed_feature_available?(:vulnerability_finding_signatures)
+      if project.licensed_feature_available?(:vulnerability_finding_signatures)
        update_feedbacks(vulnerability_finding, vulnerability_params[:uuid])
        update_finding_signatures(finding, vulnerability_finding)
      end
@@ -89,7 +89,7 @@ module Security
    end

    def find_or_create_vulnerability_finding(finding, create_params)
-      if ::Feature.enabled?(:vulnerability_finding_tracking_signatures, project) && project.licensed_feature_available?(:vulnerability_finding_signatures)
+      if project.licensed_feature_available?(:vulnerability_finding_signatures)
        find_or_create_vulnerability_finding_with_signatures(finding, create_params)
      else
        find_or_create_vulnerability_finding_with_location(finding, create_params)

--- a/ee/app/services/security/store_scan_service.rb
+++ b/ee/app/services/security/store_scan_service.rb
@@ -39,7 +39,7 @@ module Security
    end

    def override_uuids?
-      ::Feature.enabled?(:vulnerability_finding_tracking_signatures, project) && project.licensed_feature_available?(:vulnerability_finding_signatures)
+      project.licensed_feature_available?(:vulnerability_finding_signatures)
    end

    def security_scan

--- a/ee/spec/finders/security/pipeline_vulnerabilities_finder_spec.rb
+++ b/ee/spec/finders/security/pipeline_vulnerabilities_finder_spec.rb
@@ -201,7 +201,7 @@ RSpec.describe Security::PipelineVulnerabilitiesFinder do
      let(:ds_finding) { pipeline.security_reports.reports["dependency_scanning"].findings.first }
      let(:sast_finding) { pipeline.security_reports.reports["sast"].findings.first }

-      context 'when vulnerability_finding_tracking_signatures feature flag is disabled' do
+      context 'when vulnerability_finding_signatures feature is disabled' do
        let!(:feedback) do
          [
            create(
@@ -228,7 +228,7 @@ RSpec.describe Security::PipelineVulnerabilitiesFinder do
        end

        before do
-          stub_feature_flags(vulnerability_finding_tracking_signatures: false)
+          stub_licensed_features(sast: true, dependency_scanning: true, container_scanning: true, dast: true, vulnerability_finding_signatures: false)
        end

        context 'when unscoped' do
@@ -258,7 +258,7 @@ RSpec.describe Security::PipelineVulnerabilitiesFinder do
        end
      end

-      context 'when vulnerability_finding_tracking_signatures feature flag is enabled' do
+      context 'when vulnerability_finding_signatures feature is enabled' do
        let!(:feedback) do
          [
            create(
@@ -275,7 +275,7 @@ RSpec.describe Security::PipelineVulnerabilitiesFinder do
        end

        before do
-          stub_feature_flags(vulnerability_finding_tracking_signatures: true)
+          stub_licensed_features(sast: true, dependency_scanning: true, container_scanning: true, dast: true, vulnerability_finding_signatures: true)
        end

        context 'when unscoped' do

--- a/ee/spec/models/ci/build_spec.rb
+++ b/ee/spec/models/ci/build_spec.rb
@@ -371,24 +371,21 @@ RSpec.describe Ci::Build do
        end
      end

-      context 'vulnerability_finding_tracking_signatures' do
+      context 'vulnerability_finding_signatures' do
        let!(:artifact) { create(:ee_ci_job_artifact, :sast, job: job, project: job.project) }

-        where(vulnerability_finding_signatures_enabled: [true, false])
+        where(vulnerability_finding_signatures: [true, false])
        with_them do
          it 'parses the report' do
            stub_licensed_features(
              sast: true,
-              vulnerability_finding_signatures: vulnerability_finding_signatures_enabled
-            )
-            stub_feature_flags(
-              vulnerability_finding_tracking_signatures: vulnerability_finding_signatures_enabled
+              vulnerability_finding_signatures: vulnerability_finding_signatures
            )

            expect(::Gitlab::Ci::Parsers::Security::Sast).to receive(:new).with(
              artifact.file.read,
              kind_of(::Gitlab::Ci::Reports::Security::Report),
-              vulnerability_finding_signatures_enabled
+              vulnerability_finding_signatures
            )

            subject

--- a/ee/spec/models/vulnerabilities/finding_spec.rb
+++ b/ee/spec/models/vulnerabilities/finding_spec.rb
 # frozen_string_literal: true
-
 require 'spec_helper'

 RSpec.describe Vulnerabilities::Finding do
@@ -8,12 +7,10 @@ RSpec.describe Vulnerabilities::Finding do
  it { is_expected.to define_enum_for(:severity) }
  it { is_expected.to define_enum_for(:detection_method) }

-  where(vulnerability_finding_signatures_enabled: [true, false])
+  where(vulnerability_finding_signatures: [true, false])
  with_them do
    before do
-      stub_feature_flags(vulnerability_finding_tracking_signatures: vulnerability_finding_signatures_enabled)
-      stub_feature_flags(vulnerability_finding_replace_metadata: false)
-      stub_licensed_features(vulnerability_finding_signatures: vulnerability_finding_signatures_enabled)
+      stub_licensed_features(vulnerability_finding_signatures: vulnerability_finding_signatures)
    end

    describe 'associations' do
@@ -388,6 +385,10 @@ RSpec.describe Vulnerabilities::Finding do
        end

        context 'when the feature flag is disabled' do
+          before do
+            stub_feature_flags(vulnerability_finding_replace_metadata: false)
+          end
+
          it 'returns links from raw_metadata' do
            expect(links).to eq([{ 'url' => 'https://raw.example.com', 'name' => 'raw_metadata_link' }])
          end
@@ -966,7 +967,7 @@ RSpec.describe Vulnerabilities::Finding do
        expect(signature1.eql?(signature2)).to be(true)

        # now verify that the correct matching method was used for eql?
-        expect(finding1.eql?(finding2)).to be(vulnerability_finding_signatures_enabled)
+        expect(finding1.eql?(finding2)).to be(vulnerability_finding_signatures)
      end

      it 'wont match other record types' do
@@ -1035,7 +1036,7 @@ RSpec.describe Vulnerabilities::Finding do
        end
        with_them do
          it 'matches correctly' do
-            next unless vulnerability_finding_signatures_enabled
+            next unless vulnerability_finding_signatures

            create_signatures
            expect(finding1.eql?(finding2)).to be(should_match)

--- a/ee/spec/services/ci/compare_security_reports_service_spec.rb
+++ b/ee/spec/services/ci/compare_security_reports_service_spec.rb
@@ -11,10 +11,10 @@ RSpec.describe Ci::CompareSecurityReportsService do
    collection.map { |t| t['identifiers'].first['external_id'] }
  end

-  where(vulnerability_finding_tracking_signatures_enabled: [true, false])
+  where(vulnerability_finding_signatures: [true, false])
  with_them do
    before do
-      stub_feature_flags(vulnerability_finding_tracking_signatures: vulnerability_finding_tracking_signatures_enabled)
+      stub_licensed_features(vulnerability_finding_signatures: vulnerability_finding_signatures)
    end

    describe '#execute DS' do

--- a/ee/spec/services/security/store_report_service_spec.rb
+++ b/ee/spec/services/security/store_report_service_spec.rb
@@ -15,19 +15,18 @@ RSpec.describe Security::StoreReportService, '#execute' do

  subject { described_class.new(pipeline, report).execute }

-  where(:vulnerability_finding_signatures_enabled) do
+  where(:vulnerability_finding_signatures) do
    [true, false]
  end

  with_them do
    before do
-      stub_feature_flags(vulnerability_finding_tracking_signatures: vulnerability_finding_signatures_enabled)
      stub_licensed_features(
        sast: true,
        dependency_scanning: true,
        container_scanning: true,
        security_dashboard: true,
-        vulnerability_finding_signatures: vulnerability_finding_signatures_enabled
+        vulnerability_finding_signatures: vulnerability_finding_signatures
      )
      allow(Security::AutoFixWorker).to receive(:perform_async)
    end
@@ -85,7 +84,7 @@ RSpec.describe Security::StoreReportService, '#execute' do
          end

          it 'inserts all signatures' do
-            signatures_count = vulnerability_finding_signatures_enabled ? signatures : 0
+            signatures_count = vulnerability_finding_signatures ? signatures : 0
            expect { subject }.to change { Vulnerabilities::FindingSignature.count }.by(signatures_count)
          end
        end
@@ -408,7 +407,7 @@ RSpec.describe Security::StoreReportService, '#execute' do
        end

        it 'handles the error correctly' do
-          next unless vulnerability_finding_signatures_enabled
+          next unless vulnerability_finding_signatures

          report_finding = report.findings.find { |f| f.location.fingerprint == finding.location_fingerprint}

@@ -418,7 +417,7 @@ RSpec.describe Security::StoreReportService, '#execute' do
        end

        it 'raises the error if there exists no vulnerability finding' do
-          next unless vulnerability_finding_signatures_enabled
+          next unless vulnerability_finding_signatures

          allow(store_report_service).to receive(:sync_vulnerability_finding).and_raise(ActiveRecord::RecordNotUnique)

@@ -429,7 +428,7 @@ RSpec.describe Security::StoreReportService, '#execute' do
      end

      it 'updates signatures to match new values' do
-        next unless vulnerability_finding_signatures_enabled
+        next unless vulnerability_finding_signatures

        expect(finding.signatures.count).to eq(1)
        expect(finding.signatures.first.algorithm_type).to eq('hash')
@@ -685,9 +684,6 @@ RSpec.describe Security::StoreReportService, '#execute' do
        security_dashboard: true,
        vulnerability_finding_signatures: false
      )
-      stub_feature_flags(
-        vulnerability_finding_tracking_signatures: false
-      )

      expect do
        expect do
@@ -703,7 +699,6 @@ RSpec.describe Security::StoreReportService, '#execute' do
        security_dashboard: true,
        vulnerability_finding_signatures: true
      )
-      stub_feature_flags(vulnerability_finding_tracking_signatures: true)

      pipeline, report = generate_new_pipeline


--- a/ee/spec/services/security/store_scan_service_spec.rb
+++ b/ee/spec/services/security/store_scan_service_spec.rb
@@ -59,59 +59,29 @@ RSpec.describe Security::StoreScanService do

    context 'when the `vulnerability_finding_signatures` licensed feature is available' do
      before do
-        stub_feature_flags(vulnerability_finding_tracking_signatures: feature_enabled?)
        stub_licensed_features(vulnerability_finding_signatures: true)

        allow(Security::OverrideUuidsService).to receive(:execute)
      end

-      context 'when the `vulnerability_finding_tracking_signatures` feature is enabled' do
-        let(:feature_enabled?) { true }
-
-        it 'calls `Security::OverrideUuidsService` with security report to re-calculate the finding UUIDs' do
-          store_scan
-
-          expect(Security::OverrideUuidsService).to have_received(:execute).with(artifact.security_report)
-        end
-      end
-
-      context 'when the `vulnerability_finding_tracking_signatures` feature is disabled' do
-        let(:feature_enabled?) { false }
-
-        it 'does not call `Security::OverrideUuidsService`' do
-          store_scan
+      it 'calls `Security::OverrideUuidsService` with security report to re-calculate the finding UUIDs' do
+        store_scan

-          expect(Security::OverrideUuidsService).not_to have_received(:execute)
-        end
+        expect(Security::OverrideUuidsService).to have_received(:execute).with(artifact.security_report)
      end
    end

    context 'when the `vulnerability_finding_signatures` licensed feature is not available' do
      before do
-        stub_feature_flags(vulnerability_finding_tracking_signatures: feature_enabled?)
        stub_licensed_features(vulnerability_finding_signatures: false)

        allow(Security::OverrideUuidsService).to receive(:execute)
      end

-      context 'when the `vulnerability_finding_tracking_signatures` feature is enabled' do
-        let(:feature_enabled?) { true }
-
-        it 'does not call `Security::OverrideUuidsService`' do
-          store_scan
-
-          expect(Security::OverrideUuidsService).not_to have_received(:execute)
-        end
-      end
-
-      context 'when the `vulnerability_finding_tracking_signatures` feature is disabled' do
-        let(:feature_enabled?) { false }
-
-        it 'does not call `Security::OverrideUuidsService`' do
-          store_scan
+      it 'does not call `Security::OverrideUuidsService`' do
+        store_scan

-          expect(Security::OverrideUuidsService).not_to have_received(:execute)
-        end
+        expect(Security::OverrideUuidsService).not_to have_received(:execute)
      end
    end


--- a/lib/gitlab/ci/reports/security/vulnerability_reports_comparer.rb
+++ b/lib/gitlab/ci/reports/security/vulnerability_reports_comparer.rb
@@ -15,10 +15,7 @@ module Gitlab
            @base_report = base_report
            @head_report = head_report

-            @signatures_enabled = (
-              ::Feature.enabled?(:vulnerability_finding_tracking_signatures, project) &&
-              project.licensed_feature_available?(:vulnerability_finding_signatures)
-            )
+            @signatures_enabled = project.licensed_feature_available?(:vulnerability_finding_signatures)

            if @signatures_enabled
              @added_findings = []

--- a/spec/lib/gitlab/ci/reports/security/vulnerability_reports_comparer_spec.rb
+++ b/spec/lib/gitlab/ci/reports/security/vulnerability_reports_comparer_spec.rb
@@ -24,12 +24,11 @@ RSpec.describe Gitlab::Ci::Reports::Security::VulnerabilityReportsComparer do

  subject { described_class.new(project, base_report, head_report) }

-  where(vulnerability_finding_tracking_signatures_enabled: [true, false])
+  where(vulnerability_finding_signatures: [true, false])

  with_them do
    before do
-      stub_feature_flags(vulnerability_finding_tracking_signatures: vulnerability_finding_tracking_signatures_enabled)
-      stub_licensed_features(vulnerability_finding_signatures: vulnerability_finding_tracking_signatures_enabled)
+      stub_licensed_features(vulnerability_finding_signatures: vulnerability_finding_signatures)
    end

    describe '#base_report_out_of_date' do