Commit e1357145 authored by Heinrich Lee Yu's avatar Heinrich Lee Yu

Merge branch 'bug/vulnerability-occurence-blob-path' into 'master'

Expose commit sha on Vulnerabilities::Occurrence

See merge request gitlab-org/gitlab!19668
parents d112cc07 f6a74737
......@@ -87,6 +87,7 @@ module Security
occurrence.vulnerability = vulnerabilities[occurrence.project_fingerprint]
occurrence.project = pipeline.project
occurrence.sha = pipeline.sha
occurrence.build_scanner(report_occurrence.scanner.to_hash)
occurrence.identifiers = report_occurrence.identifiers.map do |identifier|
Vulnerabilities::Identifier.new(identifier.to_hash)
......
......@@ -25,6 +25,8 @@ module Vulnerabilities
has_many :occurrence_pipelines, class_name: 'Vulnerabilities::OccurrencePipeline'
has_many :pipelines, through: :occurrence_pipelines, class_name: 'Ci::Pipeline'
attr_writer :sha
CONFIDENCE_LEVELS = {
undefined: 0,
ignore: 1,
......@@ -127,6 +129,11 @@ module Vulnerabilities
'vulnerabilities.id, vulnerabilities.state') # fetching only required attributes
end
# sha can be sourced from a joined pipeline or set from the report
def sha
self[:sha] || @sha
end
def state
return 'dismissed' if dismissal_feedback.present?
......
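Review bot: The comment above `def sha` says the value can be "set from the report", but the only writer this commit adds is the finder assigning `occurrence.sha = pipeline.sha`, so the in-memory value comes from the pipeline, not from the scanner report; suggest `# sha is either the column selected from a joined pipeline, or assigned in memory by the finder from pipeline.sha; it is never persisted on the occurrence row`. Because `attr_writer :sha` only sets an instance variable, the value is lost on `reload` and is absent from `attributes`/serialization, which is worth stating next to the writer since the presenter's `blob_path` now depends on it. `self[:sha]` presumably returns nil rather than raising when the occurrence was loaded without a joined `sha` column; confirm that on the query paths that do not select it. The enclosing class continues outside both hunks of this section.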
......@@ -5,7 +5,7 @@ module Vulnerabilities
presents :occurrence
def blob_path
return '' unless respond_to?(:sha)
return '' unless sha.present?
return '' unless location.present? && location['file'].present?
add_line_numbers(location['start_line'], location['end_line'])
......
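Review bot: `blob_path` now returns `''` when `sha` is blank and nothing says why an empty string rather than a ref-less path is the intended result; a one-line comment would help: `# without a commit sha there is no ref to build a blob link against, so render no link`. The `respond_to?(:sha)` guard it replaces is no longer needed now that `Vulnerabilities::Occurrence#sha` is always defined, so dropping it is consistent. The remainder of `blob_path` lies outside the hunk.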
---
title: Expose commit sha on Vulnerabilities::Occurrence
merge_request: 19668
author:
type: fixed
......@@ -22,6 +22,7 @@ describe Security::PipelineVulnerabilitiesFinder do
describe '#execute' do
set(:project) { create(:project, :repository) }
set(:pipeline) { create(:ci_pipeline, :success, project: project) }
let(:params) { {} }
set(:build_cs) { create(:ci_build, :success, name: 'cs_job', pipeline: pipeline, project: project) }
set(:build_dast) { create(:ci_build, :success, name: 'dast_job', pipeline: pipeline, project: project) }
......@@ -52,6 +53,10 @@ describe Security::PipelineVulnerabilitiesFinder do
subject { described_class.new(pipeline: pipeline, params: params).execute }
it 'assigns commit sha to findings' do
expect(subject.map(&:sha).uniq).to eq [pipeline.sha]
end
context 'by order' do
let(:params) { { report_type: %w[sast] } }
let!(:high_high) { build(:vulnerabilities_occurrence, confidence: :high, severity: :high) }
......
......@@ -15,10 +15,11 @@ describe Vulnerabilities::OccurrencePresenter do
context 'with a sha' do
before do
allow_any_instance_of(Vulnerabilities::Occurrence).to receive(:sha)
.and_return('abc')
occurrence.sha = 'abc'
end
it { is_expected.to include(occurrence.sha) }
context 'without start_line or end_line' do
before do
allow(presenter).to receive(:location)
......