Skip to content

Find or initialize Scanners using project_id

What does this MR do and why?

Add project_id as argument to find_or_initialize_by so the scanners are created in the correct project if they don't exist within that project already.

This prevents the following scenario:

  1. No scanner called gitlab-manual-vulnerability-report exists in any project.
  2. Project A creates a vulnerability manually.
  3. gitlab-manual-vulnerability-report scanner gets created within project A.
  4. Project B creates a vulnerability manually.
  5. Project B users don't see any scanner attached to the finding because it's actually attached to the scanner created in step 3 and they don't have access to that scanner.

Fixing this 100% will require a data migration which will be performed later on.

Related to #355802 (closed)

How to set up and validate locally

  1. Create a new project (assuming project-a)
  2. Go to http://127.0.0.1:3000/root/project-a/-/security/vulnerabilities/new
  3. Create a new Vulnerability
  4. Create another project (assuming project-b)
  5. Go to http://127.0.0.1:3000/root/project-b/-/security/vulnerabilities/new
  6. Create a new Vulnerability
  7. Go to http://127.0.0.1:3000/-/graphql-explorer
  8. Issue the following query
query {
  project(fullPath:"root/project-a") {
    vulnerabilityScanners {
      nodes {
        id
        name
        reportType
      }
    }
    vulnerabilities {
      nodes {
        id
        scanner {
          externalId
          id
          name
          reportType
          vendor
        }
      }
    }
  }
}
  1. Repeat for project-b
  2. Make sure both queries have a non-empty vulnerabilityScanners and vulnerabilities.scanner.id DO NOT match

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Merge request reports

Loading