Draft: feat: security archival group compatibility

Relates to issue #578803

Changes

This MR implements compatibility between security-related features and group archival functionality. The implementation ensures that when a group is archived, all security data (vulnerabilities, SBOM occurrences, security statistics) from projects within that group are properly filtered and hidden.

Model Scope Updates

  • Vulnerabilities::Read.unarchived: Updated to check both denormalized archived column AND group archival status using ancestor-aware implementation
  • Vulnerabilities::Statistic.unarchived: Enhanced with ancestor-aware implementation to respect group hierarchy
  • Sbom::Occurrence.unarchived: Modified to join with projects and check group archival status
  • Security::AnalyzerProjectStatus.unarchived: Updated to use ancestor-aware archival checks

Model Method Updates

  • Security::ProjectStatistics: Updated sum_vulnerability_count_for_group to use the enhanced unarchived scope
  • EE::Group: Added documentation to vulnerabilities, vulnerability_scanners, and sbom_occurrences methods noting ancestor-aware behavior
  • Vulnerabilities::Identifier: Updated for_group with ancestor-aware documentation
  • Vulnerabilities::ProjectsGrade: Modified unarchived_projects_for to use self_and_ancestors_non_archived and documented aggregated_vulnerability_stats_for

Finder Updates

  • Security::VulnerabilityReadsFinder: Enhanced documentation to clarify ancestor-aware filtering behavior
  • Security::SecurityPolicyProjectsFinder: Updated base_relation to use self_and_ancestors_non_archived

Service Updates

  • Inventory Filter Services: Updated VulnerabilityStatisticsUpdateService and AnalyzerStatusUpdateService to use project.self_or_ancestors_archived?
  • Vulnerability Services: Modified Vulnerabilities::Statistics::UpdateService and Vulnerabilities::Reads::UpsertService to check ancestor archival status
  • Ingestion Tasks: Updated all ingestion tasks (IngestVulnerabilityReads, IngestVulnerabilityStatistics, IngestOccurrences) to use ancestor-aware archival checks
  • Schedule Services: Enhanced ScheduleMarkDroppedAsResolvedService to use self_and_ancestors_non_archived

Implementation Pattern

All changes follow a consistent, backward-compatible pattern:

  1. Scopes: Replace where(archived: false) with ancestor-aware implementation using Group.self_or_ancestors_archived_setting_subquery
  2. Service Methods: Replace project.archived with project.self_or_ancestors_archived?
  3. Project Scopes: Replace Project.non_archived with Project.self_and_ancestors_non_archived
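The three substitutions above, as an added plain-Ruby illustration that is not GitLab's code: the method names mirror the MR, while the Struct models, the in-memory filters and the sample hierarchy are constructed stand-ins for the ActiveRecord scopes and subqueries. It shows why the denormalized column alone is not enough: a project that is not itself archived but sits under an archived subgroup still surfaces its vulnerability reads.

```ruby
# Added example (not GitLab code): in-memory model of the ancestor-aware
# archival check. Names follow the MR; structs and data are constructed.
Group = Struct.new(:name, :archived, :parent) do
  # A group is effectively archived if it or any ancestor is archived.
  def self_or_ancestors_archived?
    return true if archived
    parent ? parent.self_or_ancestors_archived? : false
  end
end

Project = Struct.new(:name, :archived, :group) do
  # Ancestor-aware replacement for checking only `project.archived`.
  def self_or_ancestors_archived?
    archived || group.self_or_ancestors_archived?
  end
end

VulnerabilityRead = Struct.new(:id, :project, :archived)

# Legacy scope: trusts only the denormalized `archived` column on the read.
def unarchived_legacy(reads)
  reads.reject(&:archived)
end

# New scope: denormalized column AND project/group ancestry must both be clear.
def unarchived_ancestor_aware(reads)
  reads.reject { |r| r.archived || r.project.self_or_ancestors_archived? }
end

# Stand-in for Project.self_and_ancestors_non_archived.
def self_and_ancestors_non_archived(projects)
  projects.reject(&:self_or_ancestors_archived?)
end

# Constructed hierarchy: top -> archived-sub -> "hidden" (not itself archived).
def sample_reads
  top          = Group.new("top", false, nil)
  archived_sub = Group.new("archived-sub", true, top)
  active_sub   = Group.new("active-sub", false, top)
  p_hidden = Project.new("hidden", false, archived_sub)
  p_live   = Project.new("live", false, active_sub)
  p_self   = Project.new("self-archived", true, active_sub)
  [
    VulnerabilityRead.new(1, p_hidden, false), # leaks under the legacy scope
    VulnerabilityRead.new(2, p_live, false),
    VulnerabilityRead.new(3, p_self, true),
  ]
end
```

Running `unarchived_legacy(sample_reads)` returns reads 1 and 2, whereas `unarchived_ancestor_aware(sample_reads)` returns only read 2.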

Key Benefits

  • Backward Compatible: Denormalized archived columns are still updated, providing a safety net
  • Ancestor-Aware: Queries now properly check both project-level AND group-level archival status across the entire hierarchy
  • Performance: Uses existing indexes and subqueries efficiently
  • Consistent: All security features now handle group archival uniformly

Status

This MR completes tasks 1-33 of the implementation plan. The remaining tasks (34-47) follow the same established pattern and include updates to archival/restoration tasks, background migrations, and additional workers.

Edited by Matt Andrews
