Merge branch 'improve_performance_of_has_vulnerabilities_scope' into 'master'

Add `has_vulnerabilities` flag into projects table See merge request gitlab-org/gitlab!45944

Merge branch 'improve_performance_of_has_vulnerabilities_scope' into 'master'
Add `has_vulnerabilities` flag into projects table See merge request gitlab-org/gitlab!45944
c7cdd60c · Sean McGivern · 946b5774 · dd802048 · c7cdd60c · c7cdd60c
Commit c7cdd60c authored Nov 03, 2020 by Sean McGivern
9 changed files
--- a/changelogs/unreleased/improve_performance_of_has_vulnerabilities_scope.yml
+++ b/changelogs/unreleased/improve_performance_of_has_vulnerabilities_scope.yml
+---
+title: Add `has_vulnerabilities` column into project_settings table
+merge_request: 45944
+author:
+type: added
--- a/db/migrate/20201022191817_add_has_vulnerabilities_into_project_settings.rb
+++ b/db/migrate/20201022191817_add_has_vulnerabilities_into_project_settings.rb
+# frozen_string_literal: true
+class AddHasVulnerabilitiesIntoProjectSettings < ActiveRecord::Migration[6.0]
+  include Gitlab::Database::MigrationHelpers
+  DOWNTIME = false
+  def up
+    with_lock_retries do
+      add_column :project_settings, :has_vulnerabilities, :boolean, default: false, null: false
+    end
+  end
+  def down
+    with_lock_retries do
+      remove_column :project_settings, :has_vulnerabilities
+    end
+  end
+end
--- a/db/migrate/20201022192254_index_project_settings_on_project_id_partially.rb
+++ b/db/migrate/20201022192254_index_project_settings_on_project_id_partially.rb
+# frozen_string_literal: true
+class IndexProjectSettingsOnProjectIdPartially < ActiveRecord::Migration[6.0]
+  include Gitlab::Database::MigrationHelpers
+  DOWNTIME = false
+  INDEX_NAME = 'index_project_settings_on_project_id_partially'
+  disable_ddl_transaction!
+  def up
+    add_concurrent_index :project_settings, :project_id, name: INDEX_NAME, where: 'has_vulnerabilities IS TRUE'
+  end
+  def down
+    remove_concurrent_index_by_name :project_settings, INDEX_NAME
+  end
+end
--- a/db/schema_migrations/20201022191817
+++ b/db/schema_migrations/20201022191817
+205cb628e9637bcd1acb90c5211b71b51015fa5f50aadcacd5fbafc4f09c00d0
\ No newline at end of file
--- a/db/schema_migrations/20201022192254
+++ b/db/schema_migrations/20201022192254
+9f942de6f83629a144e9d460b4bed7a246afe95275b5913745109fc0ab9dacc1
\ No newline at end of file
--- a/db/structure.sql
+++ b/db/structure.sql
@@ -15191,6 +15191,7 @@ CREATE TABLE project_settings (
    allow_merge_on_skipped_pipeline boolean,
    squash_option smallint DEFAULT 3,
    has_confluence boolean DEFAULT false NOT NULL,
+    has_vulnerabilities boolean DEFAULT false NOT NULL,
    CONSTRAINT check_bde223416c CHECK ((show_default_award_emojis IS NOT NULL))
 );
@@ -21461,6 +21462,8 @@ CREATE UNIQUE INDEX index_project_repository_states_on_project_id ON project_rep
 CREATE INDEX index_project_repository_storage_moves_on_project_id ON project_repository_storage_moves USING btree (project_id);
+CREATE INDEX index_project_settings_on_project_id_partially ON project_settings USING btree (project_id) WHERE (has_vulnerabilities IS TRUE);
 CREATE UNIQUE INDEX index_project_settings_on_push_rule_id ON project_settings USING btree (push_rule_id);
 CREATE INDEX index_project_statistics_on_namespace_id ON project_statistics USING btree (namespace_id);

--- a/ee/app/services/security/store_reports_service.rb
+++ b/ee/app/services/security/store_reports_service.rb
@@ -6,20 +6,35 @@ module Security
  class StoreReportsService < ::BaseService
    def initialize(pipeline)
      @pipeline = pipeline
+      @errors = []
    end
    def execute
-      errors = []
+      store_reports
-      @pipeline.security_reports.reports.each do |report_type, report|
+      mark_project_as_vulnerable!
-        result = StoreReportService.new(@pipeline, report).execute
+      errors.any? ? error(full_errors) : success
+    end
+    private
+    attr_reader :pipeline, :errors
+    delegate :project, to: :pipeline, private: true
+    def store_reports
+      pipeline.security_reports.reports.each do |report_type, report|
+        result = StoreReportService.new(pipeline, report).execute
        errors << result[:message] if result[:status] == :error
      end
+    end
-      if errors.any?
+    def mark_project_as_vulnerable!
-        error(errors.join(", "))
+      project.project_setting.update!(has_vulnerabilities: true)
-      else
+    end
-        success
-      end
+    def full_errors
+      errors.join(", ")
    end
  end
 end
--- a/ee/spec/services/security/store_reports_service_spec.rb
+++ b/ee/spec/services/security/store_reports_service_spec.rb
@@ -33,6 +33,10 @@ RSpec.describe Security::StoreReportsService do
        subject
      end
+      it 'marks the project as vulnerable' do
+        expect { subject }.to change { project.project_setting.has_vulnerabilities }.from(false).to(true)
+      end
      context 'when StoreReportService returns an error for a report' do
        let(:reports) { Gitlab::Ci::Reports::Security::Reports.new(pipeline) }
        let(:sast_report) { reports.get_report('sast', sast_artifact) }

--- a/spec/lib/gitlab/import_export/safe_model_attributes.yml
+++ b/spec/lib/gitlab/import_export/safe_model_attributes.yml
@@ -683,6 +683,7 @@ ProjectCiCdSetting:
 ProjectSetting:
 - allow_merge_on_skipped_pipeline
 - has_confluence
+- has_vulnerabilities
 ProtectedEnvironment:
 - id
 - project_id