Update ScanResultsPolicy Vulnerabilities Count Service to account for ref contexts

Disclosure: This MR was initially generated using Duo

Summary

Updates the VulnerabilitiesCountService to filter vulnerabilities by their tracked context (ref/branch) to properly account for vulnerabilities across multiple branches.

Changes

The service now accepts an optional ref_context parameter that filters vulnerability reads by their associated security_project_tracked_context_id. This ensures that vulnerability count increases are tracked correctly for each branch context.

Modified Files

  • ee/app/services/security/scan_result_policies/vulnerabilities_count_service.rb
    • Added ref_context parameter to initialize method
    • Updated vulnerabilities_reads_by_uuid_and_state to filter by tracked context when provided

Implementation Details

# ref_context is optional so existing callers keep working; when given it is the
# tracked context (ref/branch) whose vulnerability reads should be counted.
def initialize(project:, uuids:, states:, allowed_count:, vulnerability_age: nil, ref_context: nil)
  @project = project
  @uuids = uuids
  @states = states
  @allowed_count = allowed_count
  @vulnerability_age = vulnerability_age
  @ref_context = ref_context
end

attr_reader :project, :uuids, :states, :allowed_count, :vulnerability_age, :ref_context

# Builds the vulnerability_reads scope for one batch of UUIDs. The context filter
# is applied only when ref_context is present, so the unfiltered (all contexts)
# behaviour is unchanged for callers that do not pass one.
def vulnerabilities_reads_by_uuid_and_state(uuids_batch)
  scope = project.vulnerability_reads.by_uuid(uuids_batch).with_states(states)
  scope = scope.where(security_project_tracked_context_id: ref_context.id) if ref_context.present?
  scope
end
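The following is an added, stand-alone illustration of the filtering this MR introduces; it is not GitLab's code. It replaces the ActiveRecord scope with an in-memory array of constructed sample reads, and the `VulnerabilityRead`, `TrackedContext`, `reads:` parameter, `BATCH_SIZE`, `count` and `exceeds_allowed_count?` names are assumptions made for the example (the MR does not show how `allowed_count` is consumed). It shows why the filter matters: the same finding UUID tracked on two branches is counted twice when no `ref_context` is supplied, but once per branch when one is.

```ruby
# Added example (not GitLab's code): in-memory model of the ref_context filter.
VulnerabilityRead = Struct.new(:uuid, :state, :security_project_tracked_context_id, keyword_init: true)
TrackedContext    = Struct.new(:id, :ref, keyword_init: true)

# Constructed sample data: finding "a" is tracked on both branches, the rest on one.
MAIN_CTX    = TrackedContext.new(id: 1, ref: 'main')
FEATURE_CTX = TrackedContext.new(id: 2, ref: 'feature/x')

SAMPLE_READS = [
  VulnerabilityRead.new(uuid: 'a', state: 'detected',  security_project_tracked_context_id: 1),
  VulnerabilityRead.new(uuid: 'a', state: 'detected',  security_project_tracked_context_id: 2),
  VulnerabilityRead.new(uuid: 'b', state: 'confirmed', security_project_tracked_context_id: 2),
  VulnerabilityRead.new(uuid: 'c', state: 'resolved',  security_project_tracked_context_id: 2),
  VulnerabilityRead.new(uuid: 'd', state: 'detected',  security_project_tracked_context_id: 1)
].freeze

class VulnerabilitiesCountService
  # Small batch size so the batched path is exercised on the sample data (assumed).
  BATCH_SIZE = 2

  attr_reader :reads, :uuids, :states, :allowed_count, :ref_context

  # `reads:` stands in for project.vulnerability_reads; ref_context is optional as in the MR.
  def initialize(reads:, uuids:, states:, allowed_count:, ref_context: nil)
    @reads = reads
    @uuids = uuids
    @states = states
    @allowed_count = allowed_count
    @ref_context = ref_context
  end

  # Mirrors the MR's scope: by_uuid + with_states, then the optional context filter.
  # Plain Ruby has no `present?`, so a nil check is used here instead.
  def vulnerabilities_reads_by_uuid_and_state(uuids_batch)
    scope = reads.select { |r| uuids_batch.include?(r.uuid) && states.include?(r.state) }
    scope = scope.select { |r| r.security_project_tracked_context_id == ref_context.id } if ref_context
    scope
  end

  # Total matching reads across all UUID batches.
  def count
    uuids.each_slice(BATCH_SIZE).sum { |batch| vulnerabilities_reads_by_uuid_and_state(batch).size }
  end

  # Assumed use of allowed_count: more matching reads than the policy allows is a violation.
  def exceeds_allowed_count?
    count > allowed_count
  end
end

if __FILE__ == $PROGRAM_NAME
  args = { reads: SAMPLE_READS, uuids: %w[a b c d], states: %w[detected confirmed], allowed_count: 2 }
  puts "all contexts: #{VulnerabilitiesCountService.new(**args).count}"                        # 4
  puts "main:         #{VulnerabilitiesCountService.new(**args, ref_context: MAIN_CTX).count}"   # 2
  puts "feature/x:    #{VulnerabilitiesCountService.new(**args, ref_context: FEATURE_CTX).count}" # 2
end
```

With `allowed_count: 2`, the unfiltered count (4) reports a violation while each branch on its own (2) does not, which is the per-branch behaviour the optional parameter is meant to give policy evaluation.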

Closes #574397

Testing

This change maintains backward compatibility by making the ref_context parameter optional. When not provided, the service behaves as before, counting vulnerabilities across all contexts.

Edited by Harrison Peters
