Merge branch '325612_do_not_return_vulnerabilities_without_findings' into 'master'

Fix `Security::FindingsFinder` for multiple report artifacts See merge request gitlab-org/gitlab!62643

Merge branch '325612_do_not_return_vulnerabilities_without_findings' into 'master'
Fix `Security::FindingsFinder` for multiple report artifacts See merge request gitlab-org/gitlab!62643
d6f48795 · Toon Claes · 3d4ef6f1 · ae8c9189 · d6f48795 · d6f48795
Commit d6f48795 authored Jun 01, 2021 by Toon Claes
Showing with 34 additions and 7 deletions

ee/app/finders/security/findings_finder.rb ee/app/finders/security/findings_finder.rb +3 -3

ee/spec/finders/security/findings_finder_spec.rb ee/spec/finders/security/findings_finder_spec.rb +31 -4

No files found.
--- a/ee/app/finders/security/findings_finder.rb
+++ b/ee/app/finders/security/findings_finder.rb
@@ -96,10 +96,10 @@ module Security
    def report_findings
      @report_findings ||= begin
        builds.each_with_object({}) do |build, memo|
-          report = build.job_artifacts.map(&:security_report).compact.first
-          next unless report
+          reports = build.job_artifacts.map(&:security_report).compact
+          next unless reports.present?

-          memo[build.id] = report.findings.group_by(&:uuid).transform_values(&:first)
+          memo[build.id] = reports.flat_map(&:findings).index_by(&:uuid)
        end
      end
    end

--- a/ee/spec/finders/security/findings_finder_spec.rb
+++ b/ee/spec/finders/security/findings_finder_spec.rb
@@ -4,10 +4,10 @@ require 'spec_helper'

 RSpec.describe Security::FindingsFinder do
  let_it_be(:pipeline) { create(:ci_pipeline) }
-  let_it_be(:build_ds) { create(:ci_build, :success, name: 'dependency_scanning', pipeline: pipeline) }
-  let_it_be(:build_sast) { create(:ci_build, :success, name: 'sast', pipeline: pipeline) }
-  let_it_be(:artifact_ds) { create(:ee_ci_job_artifact, :dependency_scanning, job: build_ds) }
-  let_it_be(:artifact_sast) { create(:ee_ci_job_artifact, :sast, job: build_sast) }
+  let_it_be(:build_1) { create(:ci_build, :success, name: 'dependency_scanning', pipeline: pipeline) }
+  let_it_be(:build_2) { create(:ci_build, :success, name: 'sast', pipeline: pipeline) }
+  let_it_be(:artifact_ds) { create(:ee_ci_job_artifact, :dependency_scanning, job: build_1) }
+  let_it_be(:artifact_sast) { create(:ee_ci_job_artifact, :sast, job: build_2) }
  let_it_be(:report_ds) { create(:ci_reports_security_report, pipeline: pipeline, type: :dependency_scanning) }
  let_it_be(:report_sast) { create(:ci_reports_security_report, pipeline: pipeline, type: :sast) }

@@ -270,6 +270,33 @@ RSpec.describe Security::FindingsFinder do

          it { is_expected.to match_array(expected_fingerprints) }
        end
+
+        context 'when a build has more than one security report artifacts' do
+          let(:report_types) { :secret_detection }
+          let(:secret_detection_report) { create(:ci_reports_security_report, pipeline: pipeline, type: :secret_detection) }
+          let(:expected_fingerprints) { secret_detection_report.findings.map(&:project_fingerprint) }
+
+          before do
+            scan = create(:security_scan, scan_type: :secret_detection, build: build_2)
+            artifact = create(:ee_ci_job_artifact, :secret_detection, job: build_2)
+            report_content = File.read(artifact.file.path)
+
+            Gitlab::Ci::Parsers::Security::SecretDetection.parse!(report_content, secret_detection_report)
+
+            secret_detection_report.findings.each_with_index do |finding, index|
+              create(:security_finding,
+                     severity: finding.severity,
+                     confidence: finding.confidence,
+                     project_fingerprint: finding.project_fingerprint,
+                     uuid: finding.uuid,
+                     deduplicated: true,
+                     position: index,
+                     scan: scan)
+            end
+          end
+
+          it { is_expected.to match_array(expected_fingerprints) }
+        end
      end
    end
  end