Merge branch '221074-display-vulnerabilities-on-pipeline-security-without-scanners' into 'master'

Resolve issue with showing Pipeline Occurrences without scanner See merge request gitlab-org/gitlab!35795

Merge branch '221074-display-vulnerabilities-on-pipeline-security-without-scanners' into 'master'
Resolve issue with showing Pipeline Occurrences without scanner See merge request gitlab-org/gitlab!35795
6990365a · Stan Hu · ce5c8c67 · 321c1bc5 · 6990365a · 6990365a
Commit 6990365a authored Jul 06, 2020 by Stan Hu
6 changed files
--- a/ee/app/finders/security/pipeline_vulnerabilities_finder.rb
+++ b/ee/app/finders/security/pipeline_vulnerabilities_finder.rb
@@ -89,7 +89,7 @@ module Security
        occurrence.vulnerability = vulnerabilities[occurrence.project_fingerprint]
        occurrence.project = pipeline.project
        occurrence.sha = pipeline.sha
-        occurrence.build_scanner(report_occurrence.scanner.to_hash)
+        occurrence.build_scanner(report_occurrence.scanner&.to_hash)
        occurrence.identifiers = report_occurrence.identifiers.map do |identifier|
          Vulnerabilities::Identifier.new(identifier.to_hash)
        end

--- a/ee/app/services/security/store_report_service.rb
+++ b/ee/app/services/security/store_report_service.rb
@@ -54,6 +54,8 @@ module Security
    # rubocop: disable CodeReuse/ActiveRecord
    def create_or_find_vulnerability_finding(occurrence, create_params)
+      return if occurrence.scanner.blank?
      find_params = {
        scanner: scanners_objects[occurrence.scanner.key],
        primary_identifier: identifiers_objects[occurrence.primary_identifier.key],
@@ -73,6 +75,8 @@ module Security
    end
    def update_vulnerability_scanner(occurrence)
+      return if occurrence.scanner.blank?
      scanner = scanners_objects[occurrence.scanner.key]
      scanner.update!(occurrence.scanner.to_hash)
    end
@@ -105,7 +109,7 @@ module Security
    def scanners_objects
      strong_memoize(:scanners_objects) do
        @report.scanners.map do |key, scanner|
-          [key, existing_scanner_objects[key] || project.vulnerability_scanners.build(scanner.to_hash)]
+          [key, existing_scanner_objects[key] || project.vulnerability_scanners.build(scanner&.to_hash)]
        end.to_h
      end
    end

--- a/ee/changelogs/unreleased/221074-display-vulnerabilities-on-pipeline-security-without-scanners.yml
+++ b/ee/changelogs/unreleased/221074-display-vulnerabilities-on-pipeline-security-without-scanners.yml
+---
+title: Display occurrences in Pipeline Security view when scanner information is missing
+merge_request: 35795
+author:
+type: fixed
--- a/ee/spec/factories/ci/job_artifacts.rb
+++ b/ee/spec/factories/ci/job_artifacts.rb
@@ -169,6 +169,16 @@ FactoryBot.define do
      end
    end
+    trait :sast_with_missing_scanner do
+      file_type { :sast }
+      file_format { :raw }
+      after(:build) do |artifact, _|
+        artifact.file = fixture_file_upload(
+          Rails.root.join('ee/spec/fixtures/security_reports/master/gl-sast-missing-scanner.json'), 'application/json')
+      end
+    end
    trait :license_management do
      to_create { |instance| instance.save(validate: false) }

--- a/ee/spec/finders/security/pipeline_vulnerabilities_finder_spec.rb
+++ b/ee/spec/finders/security/pipeline_vulnerabilities_finder_spec.rb
@@ -10,7 +10,7 @@ RSpec.describe Security::PipelineVulnerabilitiesFinder do
  end
  let_it_be(:project) { create(:project, :repository) }
-  let_it_be(:pipeline) { create(:ci_pipeline, :success, project: project) }
+  let_it_be(:pipeline, reload: true) { create(:ci_pipeline, :success, project: project) }
  describe '#execute' do
    let(:params) { {} }
@@ -23,7 +23,7 @@ RSpec.describe Security::PipelineVulnerabilitiesFinder do
    let_it_be(:artifact_cs) { create(:ee_ci_job_artifact, :container_scanning, job: build_cs, project: project) }
    let_it_be(:artifact_dast) { create(:ee_ci_job_artifact, :dast, job: build_dast, project: project) }
    let_it_be(:artifact_ds) { create(:ee_ci_job_artifact, :dependency_scanning, job: build_ds, project: project) }
-    let_it_be(:artifact_sast) { create(:ee_ci_job_artifact, :sast, job: build_sast, project: project) }
+    let!(:artifact_sast) { create(:ee_ci_job_artifact, :sast, job: build_sast, project: project) }
    let(:cs_count) { read_fixture(artifact_cs)['vulnerabilities'].count }
    let(:ds_count) { read_fixture(artifact_ds)['vulnerabilities'].count }
@@ -299,6 +299,16 @@ RSpec.describe Security::PipelineVulnerabilitiesFinder do
      end
    end
+    context 'when scanner is not provided in the report occurrences' do
+      let!(:artifact_sast) { create(:ee_ci_job_artifact, :sast_with_missing_scanner, job: build_sast, project: project) }
+      it 'sets empty scanner' do
+        sast_scanners = subject.occurrences.select(&:sast?).map(&:scanner)
+        expect(sast_scanners).to all(have_attributes(project_id: nil, external_id: nil, name: nil))
+      end
+    end
    def read_fixture(fixture)
      Gitlab::Json.parse(File.read(fixture.file.path))
    end

--- a/ee/spec/fixtures/security_reports/master/gl-sast-missing-scanner.json
+++ b/ee/spec/fixtures/security_reports/master/gl-sast-missing-scanner.json