Resolve cross join issue and dependencies for ee/app/models/concerns/vulnerability_scopes.rb

Summary

The vulnerability scopes concern has a built-in mechanism that forces vulnerability scopes to implicitly exclude vulnerabilities that belong to archived projects. This functionality cannot work after the sec decomposition, because we can no longer implicitly join to projects to resolve the archival condition.

Unfortunately, this change significantly impacts GitLab functionality across many files, so fixing it will be non-trivial.

Further details

See https://gitlab.com/gitlab-org/gitlab/-/blob/9fafff194b34691524cde2bbdf6b94d8d5202204/ee/app/models/concerns/vulnerability_scopes.rb#L7-14

module VulnerabilityScopes
  extend ActiveSupport::Concern

  included do
    scope :without_archived_projects, -> { joins(:project).merge(::Project.non_archived) }
    scope :for_projects, ->(project_ids, include_archived = false) do
      if include_archived
        where(project_id: project_ids)
      else
        without_archived_projects.where(project_id: project_ids)
      end
    end
  end
end

This concern is used by EE::Vulnerability and Vulnerabilities::Read.

Proposal

Pass or pluck project IDs instead of projects.
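
The two-step lookup this proposal implies, as an added plain-Ruby model that is not GitLab code and does not use ActiveRecord. The two constant arrays stand in for the decomposed databases; every name, the sample rows and the batch size are assumptions made for illustration.

```ruby
# Added illustration in plain Ruby (no ActiveRecord); all names are hypothetical.
# Two stores stand in for the decomposed databases: neither can join the other.
Project = Struct.new(:id, :archived)
Vulnerability = Struct.new(:id, :project_id, :title)

# Constructed sample data.
MAIN_DB_PROJECTS = [
  Project.new(1, false),
  Project.new(2, true), # archived
  Project.new(3, false)
].freeze

SEC_DB_VULNERABILITIES = [
  Vulnerability.new(10, 1, "SQL injection"),
  Vulnerability.new(11, 2, "Outdated dependency"),
  Vulnerability.new(12, 3, "Hardcoded secret"),
  Vulnerability.new(13, 4, "Orphaned row") # no matching project in main
].freeze

BATCH_SIZE = 2 # assumed limit, keeps each ID list bounded

# Step 1 (main database only): keep the IDs of projects that are not archived.
# This plays the role of plucking IDs from a non-archived project scope.
def non_archived_project_ids(project_ids)
  wanted = project_ids.to_a
  MAIN_DB_PROJECTS.select { |p| wanted.include?(p.id) && !p.archived }.map(&:id)
end

# Step 2 (sec database only): filter by plain IDs, in bounded batches.
# The default still excludes archived projects, as the join-based scope did.
def vulnerabilities_for_projects(project_ids, include_archived: false)
  ids = include_archived ? project_ids.to_a : non_archived_project_ids(project_ids)
  ids.uniq.each_slice(BATCH_SIZE).flat_map do |batch|
    SEC_DB_VULNERABILITIES.select { |v| batch.include?(v.project_id) }
  end
end
```

As with the inner join in the original scope, the default path drops rows whose project is missing from the main database, while `include_archived: true` returns them.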

Edited by Fabien Catteau