Merge branch 'prioritize-appropriate-branch' into 'master'

Existing vulns should point to source tree See merge request gitlab-org/gitlab!17764

Merge branch 'prioritize-appropriate-branch' into 'master'
Existing vulns should point to source tree See merge request gitlab-org/gitlab!17764
715655f0 · Mayra Cabrera · 443fef89 · 211940b9 · 715655f0 · 715655f0
Commit 715655f0 authored Sep 30, 2019 by Mayra Cabrera
2 changed files
--- a/ee/lib/gitlab/ci/reports/security/vulnerability_reports_comparer.rb
+++ b/ee/lib/gitlab/ci/reports/security/vulnerability_reports_comparer.rb
@@ -9,8 +9,8 @@ module Gitlab

          attr_reader :base_report, :head_report

-          def initialize(base_report, head_report)
-            @base_report = base_report || []
+          def initialize(base_report = [], head_report = [])
+            @base_report = base_report
            @head_report = head_report
          end

@@ -28,7 +28,8 @@ module Gitlab

          def existing
            strong_memoize(:existing) do
-              base_report & head_report
+              # Existing vulnerabilities should point to source report for most recent information
+              head_report & base_report
            end
          end
        end

--- a/ee/spec/lib/gitlab/ci/reports/security/vulnerability_reports_comparer_spec.rb
+++ b/ee/spec/lib/gitlab/ci/reports/security/vulnerability_reports_comparer_spec.rb
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe Gitlab::Ci::Reports::Security::VulnerabilityReportsComparer do
+  let!(:identifier) { create(:vulnerabilities_identifier) }
+  let!(:base_vulnerability) { build(:vulnerabilities_occurrence, report_type: :sast, identifiers: [identifier], location_fingerprint: '123') }
+  let!(:head_vulnerability) { build(:vulnerabilities_occurrence, report_type: :sast, identifiers: [identifier], location_fingerprint: '123') }
+
+  before do
+    allow(base_vulnerability).to receive(:location).and_return({})
+    allow(head_vulnerability).to receive(:location).and_return({})
+  end
+
+  describe '#existing' do
+    context 'with existing reports' do
+      let(:comparer) { described_class.new([base_vulnerability], [head_vulnerability]) }
+
+      it 'points to source tree' do
+        allow(head_vulnerability).to receive(:raw_metadata).and_return('')
+
+        expect(comparer.existing.count).to eq(1)
+        expect(comparer.existing).to eq([head_vulnerability])
+      end
+    end
+  end
+
+  describe '#added' do
+    let(:vuln) { build(:vulnerabilities_occurrence, report_type: :sast, identifiers: [identifier], location_fingerprint: '888') }
+
+    context 'with new vulnerability' do
+      let(:comparer) { described_class.new([base_vulnerability], [head_vulnerability, vuln]) }
+
+      it 'points to source tree' do
+        expect(comparer.added.count).to eq(1)
+        expect(comparer.added).to eq([vuln])
+      end
+    end
+  end
+
+  describe '#fixed' do
+    let(:vuln) { build(:vulnerabilities_occurrence, report_type: :sast, identifiers: [identifier], location_fingerprint: '888') }
+
+    context 'with fixed vulnerability' do
+      let(:comparer) { described_class.new([base_vulnerability, vuln], [head_vulnerability]) }
+
+      it 'points to base tree' do
+        expect(comparer.fixed.count).to eq(1)
+        expect(comparer.fixed).to eq([vuln])
+      end
+    end
+  end
+
+  describe 'with empty vulnerabilities' do
+    let(:comparer) { described_class.new }
+
+    it 'returns empty array when reports are not present' do
+      expect(comparer.existing).to be_empty
+      expect(comparer.fixed).to be_empty
+      expect(comparer.added).to be_empty
+    end
+  end
+end