Use latest successful pipeline with security jobs

Sometimes, the pipeline for the default branch will not run security-related jobs. When that happens all vulnerabilities would be marked as fixed on the default branch where it would not be the case.

Use latest successful pipeline with security jobs
Sometimes, the pipeline for the default branch will not run security-related jobs. When that happens all vulnerabilities would be marked as fixed on the default branch where it would not be the case.
e0db32c1 · Michał Zając · b341cb26 · e0db32c1 · e0db32c1 · e0db32c1
Commit e0db32c1 authored Jul 28, 2020 by Michał Zając
4 changed files
--- a/ee/app/models/vulnerability.rb
+++ b/ee/app/models/vulnerability.rb
@@ -142,9 +142,26 @@ class Vulnerability < ApplicationRecord
  def resolved_on_default_branch
    return false unless findings.any?

-    latest_successful_pipeline_for_default_branch = project.latest_successful_pipeline_for_default_branch
-    latest_pipeline_with_vulnerability = finding.pipelines.order(created_at: :desc).first
-    latest_pipeline_with_vulnerability != latest_successful_pipeline_for_default_branch
+    project = Project
+      .includes(ci_pipelines: :builds)
+      .find(self.project_id)
+
+    # We can't just use project.latest_successful_pipeline_for_default_branch
+    # because there's no guarantee that it actually ran the security jobs
+    # See https://gitlab.com/gitlab-org/gitlab/-/issues/218012
+    latest_successful_pipeline = project
+      .ci_pipelines
+      .for_ref(project.default_branch)
+      .where(status: :success)
+      .order(created_at: :desc)
+      .find { |pipeline| pipeline.builds.any? { |build| build.name == self.report_type } }
+
+    # Technically this shouldn't ever happen.
+    # If an vulnerability was discovered, then we must have ran a scan of the
+    # appropriate type at least once.
+    return false unless latest_successful_pipeline
+
+    finding.pipelines.exclude?(latest_successful_pipeline)
  end

  def user_notes_count

--- a/ee/spec/models/vulnerability_spec.rb
+++ b/ee/spec/models/vulnerability_spec.rb
@@ -267,7 +267,7 @@ RSpec.describe Vulnerability do

  describe '#resolved_on_default_branch' do
    let_it_be(:project) { create(:project, :repository, :with_vulnerability) }
-    let_it_be(:pipeline_with_vulnerability) { create(:ci_pipeline, :success, project: project, sha: project.commit.id) }
+    let_it_be(:pipeline_with_vulnerability) { create(:ci_pipeline, :success, :with_sast_build, project: project, sha: project.commit.id) }
    let_it_be(:vulnerability) { project.vulnerabilities.first }
    let_it_be(:finding1) { create(:vulnerabilities_occurrence, vulnerability: vulnerability, pipelines: [pipeline_with_vulnerability]) }
    let_it_be(:finding2) { create(:vulnerabilities_occurrence, vulnerability: vulnerability, pipelines: [pipeline_with_vulnerability]) }
@@ -279,11 +279,7 @@ RSpec.describe Vulnerability do
    end

    context 'Vulnerability::Finding is not present on the pipeline for default branch' do
-      before do
-        project.instance_variable_set(:@latest_successful_pipeline_for_default_branch, pipeline_without_vulnerability)
-      end
-
-      let_it_be(:pipeline_without_vulnerability) { create(:ci_pipeline, :success, project: project, sha: project.commit.id) }
+      let_it_be(:pipeline_without_vulnerability) { create(:ci_pipeline, :success, :with_sast_build, project: project, sha: project.commit.id) }

      it { is_expected.to eq(true) }
    end

--- a/spec/factories/ci/builds.rb
+++ b/spec/factories/ci/builds.rb
@@ -420,6 +420,8 @@ FactoryBot.define do
    end

    trait :sast do
+      name { "sast" }
+
      options do
        {
            artifacts: { reports: { sast: 'gl-sast-report.json' } }

--- a/spec/factories/ci/pipelines.rb
+++ b/spec/factories/ci/pipelines.rb
@@ -130,6 +130,14 @@ FactoryBot.define do
        end
      end

+      trait :with_sast_build do
+        status { :success }
+
+        after(:build) do |pipeline, evaluator|
+          pipeline.builds << build(:ci_build, :sast, pipeline: pipeline, project: pipeline.project)
+        end
+      end
+
      trait :with_exposed_artifacts do
        status { :success }