Set solution when vulnerabilities are created

What does this MR do and why?

This MR updates the vulnerability ingestion process to populate the solution field directly on the vulnerabilities table when vulnerabilities are created or updated. This is part of the effort to move contextual data from the vulnerability_occurrences table to the vulnerabilities table.

Previously, the solution field was only stored on individual vulnerability findings (occurrences), but since all instances of a vulnerability share the same solution, it makes more sense to store this data at the vulnerability level.

Changes made:

  • Updated Security::Ingestion::Tasks::IngestVulnerabilities::Create to set the solution field when creating new vulnerabilities
  • Updated Security::Ingestion::Tasks::IngestVulnerabilities::Update to update the solution field when updating existing vulnerabilities
  • Modified vulnerability creation services to accept and use the solution parameter from security findings
  • Updated related services to pass the solution data through the vulnerability creation pipeline
  • Added comprehensive test coverage for the new functionality

This change ensures that when vulnerabilities are ingested from security scans, the solution information is properly stored at the vulnerability level, preparing for the eventual removal of this data from the vulnerability_occurrences table.

References

Closes #556209

Screenshots or screen recordings

N/A - Backend changes only

How to set up and validate locally

  1. Create a project with security scanning enabled
  2. Run a security scan that produces findings with solution data
  3. Verify that the created/updated vulnerabilities have the solution field populated
  4. Check that the solution data matches what was in the security report

You can validate this with:

# Rails console (bin/rails console); replace project_id with the project's numeric ID
Project.find(project_id).vulnerabilities.where.not(solution: nil).pluck(:solution)
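The following is an added, stand-alone Ruby model of the behaviour this MR describes and of the validation steps above; it is example code, not GitLab's ingestion tasks or models. It keeps findings and vulnerabilities in plain in-memory structs keyed by a finding UUID (a simplification of GitLab's matching), copies the finding's solution onto the vulnerability on create, refreshes it on update, and reports any vulnerability whose stored solution no longer matches the report. The names IngestVulnerabilities, Finding, Vulnerability, demo and the sample reports are constructed for this example; the rule that a finding with no solution does not blank out a previously stored one is an assumption, not something the MR states.

```ruby
# Added example (not GitLab code): denormalising `solution` from findings
# (vulnerability_occurrences) onto the vulnerability record on create/update,
# plus the consistency check used to validate the change locally.

# Simplified stand-ins for the real models; keyed by finding uuid (assumption).
Finding = Struct.new(:uuid, :solution, keyword_init: true)
Vulnerability = Struct.new(:id, :uuid, :solution, keyword_init: true)

class IngestVulnerabilities
  attr_reader :vulnerabilities

  def initialize
    @vulnerabilities = {} # uuid => Vulnerability (hypothetical in-memory store)
    @next_id = 0
  end

  # Create task: a new vulnerability takes its solution from the finding.
  def create(finding)
    @next_id += 1
    @vulnerabilities[finding.uuid] =
      Vulnerability.new(id: @next_id, uuid: finding.uuid, solution: finding.solution)
  end

  # Update task: an existing vulnerability refreshes its solution from the
  # latest finding. Assumption: a finding without a solution leaves the
  # stored value untouched rather than clearing it.
  def update(vuln, finding)
    vuln.solution = finding.solution unless finding.solution.nil?
    vuln
  end

  # One scan report: route each finding to Create or Update.
  def ingest(findings)
    findings.map do |f|
      existing = @vulnerabilities[f.uuid]
      existing ? update(existing, f) : create(f)
    end
  end

  # uuid => solution, the shape of the `pluck(:solution)` check above.
  def solutions
    @vulnerabilities.transform_values(&:solution)
  end

  # Validation: every vulnerability's stored solution must match the
  # solution in the report it was ingested from (findings without a
  # solution are skipped). Returns the findings that disagree.
  def mismatches(findings)
    findings.reject { |f| f.solution.nil? }.select do |f|
      @vulnerabilities[f.uuid]&.solution != f.solution
    end
  end
end

# Constructed sample reports (not real scanner output).
REPORT_ONE = [
  Finding.new(uuid: 'a', solution: 'Upgrade foo to 1.2.3'),
  Finding.new(uuid: 'b', solution: nil)
].freeze
REPORT_TWO = [
  Finding.new(uuid: 'a', solution: 'Upgrade foo to 1.2.4'),
  Finding.new(uuid: 'b', solution: 'Pin bar to 2.0.0')
].freeze
REPORT_THREE = [
  Finding.new(uuid: 'a', solution: nil) # re-scan that carries no solution text
].freeze

def demo
  ingestion = IngestVulnerabilities.new
  ingestion.ingest(REPORT_ONE)
  after_first = ingestion.solutions
  ingestion.ingest(REPORT_TWO)
  after_second = ingestion.solutions
  ingestion.ingest(REPORT_THREE)
  after_third = ingestion.solutions
  clean = ingestion.mismatches(REPORT_TWO).map(&:uuid)
  # Simulate drift (e.g. a row edited outside ingestion) and confirm the check catches it.
  ingestion.vulnerabilities['a'].solution = 'stale text'
  drifted = ingestion.mismatches(REPORT_TWO).map(&:uuid)
  {
    ids: ingestion.vulnerabilities.transform_values(&:id),
    after_first: after_first,
    after_second: after_second,
    after_third: after_third,
    mismatches: clean,
    drifted: drifted
  }
end

puts demo.inspect
```

Running the script prints the hash from demo: after the first report `a` has a solution and `b` none, after the second both are set, the third report (no solution text) leaves `a` unchanged, the mismatch check is empty, and it flags `a` once its stored solution is edited behind the ingestion's back.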

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Brian Williams
