Direct Transfer - Import Vulnerability identifiers
What does this MR do and why?
This is a follow-up of Direct Transfer - Handle Vulnerabilities (!171684 - merged) • Meir Benayoun • 17.7
The current MR is importing the vulnerability identifiers as well.
This code change adds the `identifiers` relation to the `vulnerability_finding` relation in the `RelationFactory` module. This means that when importing or exporting a project, the `identifiers` relation will also be included.
In addition, it's fixing the computation of the vulnerability `uuid` by using the correct `primary_identifier_fingerprint`.
References
- Missing identifiers when importing vulnerabilit... (#510763 - closed)
- Direct Transfer - Handle Vulnerabilities (!171684 - merged) • Meir Benayoun • 17.7
- Direct Transfer - ERROR: duplicate key index_vu... (#509904) • Ron Vider • Backlog
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Screenshots or screen recordings
Screenshots are required for UI changes, and strongly recommended for all other merge requests.
Those 2 screenshots are of the original project (the one that is exported and then imported):
Before / After (screenshot images not captured)
How to set up and validate locally
Numbered steps to set up and validate the change are strongly suggested.
- Export a project containing vulnerabilities
- Import the project
- Look at the Vulnerability Report of the imported project
Related to #510763 (closed)
Merge request reports
Activity
assigned to @mbenayoun
added pipelinetier-1 label
requested review from @georgekoltsov
- A deleted user
added backend label
1 Warning: This merge request does not refer to an existing milestone.
1 Message: CHANGELOG missing: If this merge request needs a changelog entry, add the `Changelog` trailer to the commit message you want to add to the changelog. If this merge request doesn't need a CHANGELOG entry, feel free to ignore this message.
Reviewer roulette
Category | Reviewer | Maintainer
---|---|---
backend | @micthomas (UTC-5, 7 hours behind author) | @mcelicalderonG (UTC-5, 7 hours behind author)
Please refer to documentation page for guidance on how you can benefit from the Reviewer Roulette, or use the GitLab Review Workload Dashboard to find other available reviewers.
If needed, you can retry the `danger-review` job that generated this comment. Generated by Danger.
Edited by Ghost User
added 1 commit
- e44b2103 - Import primary_identifier_fingerprint and use it for uuid generation
mentioned in issue #509904
requested review from @carlad-gl
Nice work @mbenayoun. LGTM
@jnutt I believe George is on PTO at the moment. Are you available to do a backend maintainer review for this small MR?
Thank you @carlad-gl
I've noticed a few failures in the latest CI pipeline.
My last commit should fix them.
@mbenayoun Could you please point me in the right direction for testing this?
I wonder if I'm missing something for the set-up. My GDK has vulnerabilities seeded (note that this is for the source project, not after import) but I'm not able to see them on that project's security dashboard.
```ruby
Project.find(1).vulnerabilities.count # 30
```
I'm able to test this by adding my own vulnerabilities, so this isn't a blocker.
Edited by James Nutt
Great work, @mbenayoun! I've QA'd this using both Direct Transfer and file-based import/export, and everything seems good.
I've left one question around the export UI text, but it's not directly blocking this change, so I'll go ahead and merge.
@jnutt Thanks for your review and your local tests.
I'm not sure how you got vulnerabilities populated in your project.
The best way is to run a SAST analyzer locally. Put the following in your `.gitlab-ci.yml`:
```yaml
include:
  - template: Jobs/SAST.gitlab-ci.yml

semgrep-sast:
  variables:
    SAST_ANALYZER_IMAGE_TAG: 5.11.0
```
requested review from @jnutt
added pipeline:mr-approved label
added pipelinetier-3 pipeline:run-e2e-omnibus-once labels and removed pipelinetier-1 label
Before you set this MR to auto-merge
This merge request will progress on pipeline tiers until it reaches the last tier: pipelinetier-3. We will trigger a new pipeline for each transition to a higher tier.
Before you set this MR to auto-merge, please check the following:
- You are the last maintainer of this merge request
- The latest pipeline for this merge request is pipelinetier-3 (You can find which tier it is in the pipeline name)
- This pipeline is recent enough (created in the last 8 hours)
If all the criteria above apply, please set auto-merge for this merge request.
See pipeline tiers and merging a merge request for more details.
E2E Test Result Summary
allure-report-publisher
generated test report!
e2e-test-on-gdk: test report for e5de97ca
Suites summary:
 | passed | failed | skipped | flaky | total | result
---|---|---|---|---|---|---
Create | 3 | 0 | 1 | 0 | 4 | ✅
Total | 3 | 0 | 1 | 0 | 4 | ✅
e2e-test-on-cng:
test report for e5de97ca
Suites summary:
 | passed | failed | skipped | flaky | total | result
---|---|---|---|---|---|---
Create | 140 | 0 | 19 | 1 | 159 | ✅
Manage | 1 | 0 | 9 | 0 | 10 | ✅
Verify | 51 | 0 | 15 | 0 | 66 | ✅
Govern | 84 | 0 | 10 | 0 | 94 | ✅
Monitor | 8 | 0 | 12 | 0 | 20 | ✅
Data Stores | 33 | 0 | 10 | 0 | 43 | ✅
Plan | 86 | 0 | 8 | 0 | 94 | ✅
Package | 24 | 0 | 14 | 0 | 38 | ✅
Secure | 2 | 0 | 5 | 0 | 7 | ✅
Release | 5 | 0 | 1 | 0 | 6 | ✅
Configure | 0 | 0 | 3 | 0 | 3 | ➖
Analytics | 2 | 0 | 0 | 0 | 2 | ✅
Fulfillment | 2 | 0 | 7 | 0 | 9 | ✅
Ai-powered | 0 | 0 | 2 | 0 | 2 | ➖
Growth | 0 | 0 | 2 | 0 | 2 | ➖
ModelOps | 0 | 0 | 1 | 0 | 1 | ➖
Total | 438 | 0 | 118 | 1 | 556 | ✅
Edited by Ghost User
added 2 commits
reset approvals from @carlad-gl by pushing to the branch