Skip to content

Use overridden_uuid to perform Vulnerabilities::Finding lookup

Michał Zając requested to merge 416087-confidential-issue into master

What does this MR do and why?

Use overridden_uuid to perform Vulnerabilities::Finding lookup

Related to #416087 (closed)

How to set up and validate locally

On master branch

  1. Apply the following patch
Test case 
diff --git a/ee/spec/lib/ee/gitlab/background_migration/migrate_vulnerabilities_feedback_to_vulnerabilities_state_transition_spec.rb b/ee/spec/lib/ee/gitlab/background_migration/migrate_vulnerabilities_feedback_to_vulnerabilities_state_transition_spec.rb
index c2a1afaea65e..a1d0c71b5c7d 100644
--- a/ee/spec/lib/ee/gitlab/background_migration/migrate_vulnerabilities_feedback_to_vulnerabilities_state_transition_spec.rb
+++ b/ee/spec/lib/ee/gitlab/background_migration/migrate_vulnerabilities_feedback_to_vulnerabilities_state_transition_spec.rb
@@ -90,6 +90,38 @@
 
     subject { described_class.new(**migration_attrs).perform }
 
+    context "when there's a Security::Finding with an overriden UUID" do
+      before do
+        sast_category = 0
+        sast_scan_type = 1
+
+        nonexistent_project_fingerprint = SecureRandom.hex(20)
+        known_uuid = "7099388a-d37c-5940-9a44-4e3645f2fd23"
+        # This UUID would be calculated by our pipeline ingestion process
+        overridden_uuid = "429005aa-8b32-58a9-b2ea-bc8ae80b0963"
+        ci_pipeline = create_ci_pipeline(project_id: project.id)
+        ci_build = create_ci_build(
+          project_id: project.id,
+          status: "success",
+          commit_id: ci_pipeline.id
+        )
+        # rubocop:disable RSpec/FactoriesInMigrationSpecs
+        create(:ee_ci_job_artifact, :sast_with_signatures_and_vulnerability_flags, job_id: ci_build.id)
+        # rubocop:enable RSpec/FactoriesInMigrationSpecs
+        security_scan = create_security_scan(ci_build, sast_scan_type, project_id: project.id)
+        @security_finding = create_security_finding(security_scan, scanner, uuid: known_uuid, overridden_uuid: overridden_uuid)
+        @vulnerability_feedback = create_feedback(
+          project, user, finding.report_type, feedback_types[:dismissal], finding.project_fingerprint, known_uuid,
+          comment: "this feedback uses the non-overridden UUID"
+        )
+        finding.update(uuid: overridden_uuid)
+      end
+
+      it "fails with ActiveRecord::RecordNotUnique" do
+        expect { subject }.to raise_error(ActiveRecord::RecordNotUnique)
+      end
+    end
+
     context "when a Finding has no Vulnerability" do
       before do
         create_feedback(
  1. Verify it fails

On 416087-confidential-issue branch

  1. There should be a context for this case already
  2. Copy over the "fails with ActiveRecord::RecordNotUnique" test case
  3. It shouldn't fail

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Merge request reports