
Vulnerability Ingestion: Use SecurityFinding UUID for finding creation in VulnerabilityFindingsHelper

In !124469 (comment 1447546650), @minac notes that there is a bug in VulnerabilityFindingHelpers: when it builds the attributes of a new Vulnerabilities::Finding record, it uses report_finding.uuid, which is equal to security_finding.overridden_uuid. This risks a failed save, because the report finding UUID it currently uses can clash with a UUID that already exists in the database at save time.

It should use the security_finding.uuid value instead, which has already been resolved against the database in the event of any duplication.
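The failure mode above, reduced to a stand-alone illustration. This is added example code, not GitLab's models or the VulnerabilityFindingHelpers module: the Struct types, FindingStore (a stand-in for the unique index on the findings table) and the two builder methods are constructed here, as are the sample UUIDs. The "before" builder copies report_finding.uuid, which is the pre-resolution value stored as overridden_uuid; the "after" builder uses security_finding.uuid, the value already resolved against the store, so the save succeeds.

```ruby
require 'set'

# Constructed stand-in types; not the real GitLab ActiveRecord models.
ReportFinding   = Struct.new(:uuid, :name, keyword_init: true)
# security_finding.uuid is the value already resolved against the database;
# overridden_uuid keeps the report's original UUID when a clash was detected.
SecurityFinding = Struct.new(:uuid, :overridden_uuid, keyword_init: true)
VulnFinding     = Struct.new(:uuid, :name, keyword_init: true)

# Minimal stand-in for a table with a unique index on uuid.
class FindingStore
  class UniqueViolation < StandardError; end

  def initialize(existing_uuids)
    @uuids = Set.new(existing_uuids)
  end

  # Mimics save! failing on a duplicate uuid.
  def save!(finding)
    raise UniqueViolation, "uuid #{finding.uuid} already exists" if @uuids.include?(finding.uuid)

    @uuids << finding.uuid
    finding
  end
end

# Buggy builder: copies the report UUID, which is the pre-resolution value
# (identical to security_finding.overridden_uuid when a clash was resolved).
def build_finding_from_report_uuid(report_finding, _security_finding)
  VulnFinding.new(uuid: report_finding.uuid, name: report_finding.name)
end

# Fixed builder: uses the UUID the ingestion pipeline already resolved.
def build_finding_from_security_uuid(report_finding, security_finding)
  VulnFinding.new(uuid: security_finding.uuid, name: report_finding.name)
end

# Builds a finding with the given builder and saves it into a store that
# already holds existing_uuids. Returns :saved or :unique_violation.
def ingest(builder, report_finding, security_finding, existing_uuids)
  store = FindingStore.new(existing_uuids)
  store.save!(send(builder, report_finding, security_finding))
  :saved
rescue FindingStore::UniqueViolation
  :unique_violation
end

# Constructed sample data: the report UUID is already present in the store,
# so the pipeline resolved the security finding to a fresh UUID.
REPORT_UUID   = '11111111-1111-1111-1111-111111111111'
RESOLVED_UUID = '22222222-2222-2222-2222-222222222222'
REPORT   = ReportFinding.new(uuid: REPORT_UUID, name: 'Constructed finding')
SECURITY = SecurityFinding.new(uuid: RESOLVED_UUID, overridden_uuid: REPORT_UUID)

if __FILE__ == $PROGRAM_NAME
  puts "report uuid:   #{ingest(:build_finding_from_report_uuid, REPORT, SECURITY, [REPORT_UUID])}"
  puts "security uuid: #{ingest(:build_finding_from_security_uuid, REPORT, SECURITY, [REPORT_UUID])}"
end
```

Running the file shows the report-UUID builder hitting the unique violation while the security-UUID builder saves cleanly; the only difference between the two builders is which UUID field they read.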

Implementation Plan

  • backend: Modify app/models/concerns/vulnerability_finding_helpers.rb as follows:
diff --git a/app/models/concerns/vulnerability_finding_helpers.rb b/app/models/concerns/vulnerability_finding_helpers.rb
index a5b699979008..e8a50497b203 100644
--- a/app/models/concerns/vulnerability_finding_helpers.rb
+++ b/app/models/concerns/vulnerability_finding_helpers.rb
@@ -59,6 +59,7 @@ def build_vulnerability_finding(security_finding)
     evidence = Vulnerabilities::Finding::Evidence.new(data: report_finding.evidence.data) if report_finding.evidence

     Vulnerabilities::Finding.new(finding_data).tap do |finding|
+      finding.uuid = security_finding.uuid
       finding.location_fingerprint = report_finding.location.fingerprint
       finding.vulnerability = vulnerability_for(security_finding.uuid)
       finding.project = project
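Review bot: assigning `finding.uuid = security_finding.uuid` inside the `tap` block means the record is first built from `finding_data` (which, per the description, still carries `report_finding.uuid`) and then overwritten one line later; it would be cleaner to set or replace the uuid in `finding_data` itself so the record never holds the unresolved value. The line below already passes `security_finding.uuid` to `vulnerability_for`, so this change makes the two consistent; a spec where `security_finding.uuid != report_finding.uuid` (the overridden_uuid case) asserting `finding.uuid == security_finding.uuid` would lock the behaviour in.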
Edited by Gregory Havenga