Commit c7cdd60c authored by Sean McGivern's avatar Sean McGivern

Merge branch 'improve_performance_of_has_vulnerabilities_scope' into 'master'

Add `has_vulnerabilities` flag into projects table

See merge request gitlab-org/gitlab!45944
parents 946b5774 dd802048
---
title: Add `has_vulnerabilities` column into project_settings table
merge_request: 45944
author:
type: added
# frozen_string_literal: true
class AddHasVulnerabilitiesIntoProjectSettings < ActiveRecord::Migration[6.0]
include Gitlab::Database::MigrationHelpers
DOWNTIME = false
def up
with_lock_retries do
add_column :project_settings, :has_vulnerabilities, :boolean, default: false, null: false
end
end
def down
with_lock_retries do
remove_column :project_settings, :has_vulnerabilities
end
end
end
# frozen_string_literal: true
class IndexProjectSettingsOnProjectIdPartially < ActiveRecord::Migration[6.0]
include Gitlab::Database::MigrationHelpers
DOWNTIME = false
INDEX_NAME = 'index_project_settings_on_project_id_partially'
disable_ddl_transaction!
def up
add_concurrent_index :project_settings, :project_id, name: INDEX_NAME, where: 'has_vulnerabilities IS TRUE'
end
def down
remove_concurrent_index_by_name :project_settings, INDEX_NAME
end
end
205cb628e9637bcd1acb90c5211b71b51015fa5f50aadcacd5fbafc4f09c00d0
\ No newline at end of file
9f942de6f83629a144e9d460b4bed7a246afe95275b5913745109fc0ab9dacc1
\ No newline at end of file
...@@ -15191,6 +15191,7 @@ CREATE TABLE project_settings ( ...@@ -15191,6 +15191,7 @@ CREATE TABLE project_settings (
allow_merge_on_skipped_pipeline boolean, allow_merge_on_skipped_pipeline boolean,
squash_option smallint DEFAULT 3, squash_option smallint DEFAULT 3,
has_confluence boolean DEFAULT false NOT NULL, has_confluence boolean DEFAULT false NOT NULL,
has_vulnerabilities boolean DEFAULT false NOT NULL,
CONSTRAINT check_bde223416c CHECK ((show_default_award_emojis IS NOT NULL)) CONSTRAINT check_bde223416c CHECK ((show_default_award_emojis IS NOT NULL))
); );
...@@ -21461,6 +21462,8 @@ CREATE UNIQUE INDEX index_project_repository_states_on_project_id ON project_rep ...@@ -21461,6 +21462,8 @@ CREATE UNIQUE INDEX index_project_repository_states_on_project_id ON project_rep
CREATE INDEX index_project_repository_storage_moves_on_project_id ON project_repository_storage_moves USING btree (project_id); CREATE INDEX index_project_repository_storage_moves_on_project_id ON project_repository_storage_moves USING btree (project_id);
CREATE INDEX index_project_settings_on_project_id_partially ON project_settings USING btree (project_id) WHERE (has_vulnerabilities IS TRUE);
CREATE UNIQUE INDEX index_project_settings_on_push_rule_id ON project_settings USING btree (push_rule_id); CREATE UNIQUE INDEX index_project_settings_on_push_rule_id ON project_settings USING btree (push_rule_id);
CREATE INDEX index_project_statistics_on_namespace_id ON project_statistics USING btree (namespace_id); CREATE INDEX index_project_statistics_on_namespace_id ON project_statistics USING btree (namespace_id);
......
...@@ -6,20 +6,35 @@ module Security ...@@ -6,20 +6,35 @@ module Security
class StoreReportsService < ::BaseService class StoreReportsService < ::BaseService
def initialize(pipeline) def initialize(pipeline)
@pipeline = pipeline @pipeline = pipeline
@errors = []
end end
def execute def execute
errors = [] store_reports
@pipeline.security_reports.reports.each do |report_type, report| mark_project_as_vulnerable!
result = StoreReportService.new(@pipeline, report).execute
errors.any? ? error(full_errors) : success
end
private
attr_reader :pipeline, :errors
delegate :project, to: :pipeline, private: true
def store_reports
pipeline.security_reports.reports.each do |report_type, report|
result = StoreReportService.new(pipeline, report).execute
errors << result[:message] if result[:status] == :error errors << result[:message] if result[:status] == :error
end end
end
if errors.any? def mark_project_as_vulnerable!
error(errors.join(", ")) project.project_setting.update!(has_vulnerabilities: true)
else
success
end end
def full_errors
errors.join(", ")
end end
end end
end end
...@@ -33,6 +33,10 @@ RSpec.describe Security::StoreReportsService do ...@@ -33,6 +33,10 @@ RSpec.describe Security::StoreReportsService do
subject subject
end end
it 'marks the project as vulnerable' do
expect { subject }.to change { project.project_setting.has_vulnerabilities }.from(false).to(true)
end
context 'when StoreReportService returns an error for a report' do context 'when StoreReportService returns an error for a report' do
let(:reports) { Gitlab::Ci::Reports::Security::Reports.new(pipeline) } let(:reports) { Gitlab::Ci::Reports::Security::Reports.new(pipeline) }
let(:sast_report) { reports.get_report('sast', sast_artifact) } let(:sast_report) { reports.get_report('sast', sast_artifact) }
......
...@@ -683,6 +683,7 @@ ProjectCiCdSetting: ...@@ -683,6 +683,7 @@ ProjectCiCdSetting:
ProjectSetting: ProjectSetting:
- allow_merge_on_skipped_pipeline - allow_merge_on_skipped_pipeline
- has_confluence - has_confluence
- has_vulnerabilities
ProtectedEnvironment: ProtectedEnvironment:
- id - id
- project_id - project_id
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment