diff --git a/ee/app/models/sbom/occurrence.rb b/ee/app/models/sbom/occurrence.rb
index 073f3ddb61f509ed448a9500f4056d5ebb0299da..30230daa086fac25d49eb930ce6f569a6436e720 100644
--- a/ee/app/models/sbom/occurrence.rb
+++ b/ee/app/models/sbom/occurrence.rb
@@ -126,9 +126,9 @@ class Occurrence < Gitlab::Database::SecApplicationRecord
 end
 scope :filter_by_search_with_component_and_group, ->(search, component_id, group) do
- relation = includes(project: :namespace)
- .where(component_version_id: component_id, project: group.all_projects)
- .allow_cross_joins_across_databases(url: 'https://gitlab.com/gitlab-org/gitlab/-/issues/472113')
+ relation = for_namespace_and_descendants(group)
+ .preload(project: :namespace)
+ .where(component_version_id: component_id)
 if search.present?
 relation.where('input_file_path ILIKE ?', "%#{sanitize_sql_like(search.to_s)}%") # rubocop:disable GitlabSecurity/SqlInjection -- This cop is a false positive as we are using parameterization via ?
diff --git a/ee/spec/models/sbom/occurrence_spec.rb b/ee/spec/models/sbom/occurrence_spec.rb
index 3a7052950f75638ad2f32b48efd470ec23531a7e..26323fc4e21d108e98d2551619acc2c2c04f5b74 100644
--- a/ee/spec/models/sbom/occurrence_spec.rb
+++ b/ee/spec/models/sbom/occurrence_spec.rb
@@ -455,6 +455,19 @@
 end
 end
+ describe '.for_namespace_and_descendants' do
+ let_it_be(:group) { create(:group) }
+ let_it_be(:project1) { create(:project, namespace: group) }
+ let_it_be(:project2) { create(:project, namespace: group) }
+ let_it_be(:occurrence_npm1) { create(:sbom_occurrence, project: project1) }
+ let_it_be(:occurrence_npm2) { create(:sbom_occurrence, project: project2) }
+
+ it 'returns records' do
+ result = described_class.for_namespace_and_descendants(group)
+ expect(result).to match_array([occurrence_npm1, occurrence_npm2])
+ end
+ end
+
 describe '.filter_by_search_with_component_and_group' do
 let_it_be(:group) { create(:group) }
 let_it_be(:project) { create(:project, namespace: group) }
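Review bot: The group boundary of `filter_by_search_with_component_and_group` now rests entirely on `for_namespace_and_descendants(group)`, whose definition is not visible in this hunk; the old code derived it from `group.all_projects`. If that scope matches on namespace data stored on the occurrence row itself (an assumption to confirm), a row that is stale after a project transfer could be returned for the wrong group, and the result set may differ from `all_projects` for archived or pending-deletion projects. I would add a comment above the `relation =` line, `# Tenant boundary: relies on for_namespace_and_descendants; callers must authorize access to group first`. I would also extend the existing `.filter_by_search_with_component_and_group` spec with an occurrence in a project outside the group. The scope's body continues past the end of the hunk.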
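Review bot: The new `.for_namespace_and_descendants` example has no negative case and no descendant case, so it would still pass if the scope ignored its argument or matched direct children only. Both projects sit directly under `group` and every occurrence created in the block is expected in the result, which leaves untested the isolation property the model change in this commit depends on. I would add a subgroup project and an unrelated project, and rename the example from 'returns records' to say what is included and excluded. The sketch below assumes the `sbom_occurrence` factory fills whatever column the scope filters on from the project, which should be confirmed.

```ruby
describe '.for_namespace_and_descendants' do
  # … unchanged: group, project1, project2, occurrence_npm1, occurrence_npm2 …
  let_it_be(:subgroup) { create(:group, parent: group) }
  let_it_be(:subgroup_project) { create(:project, namespace: subgroup) }
  let_it_be(:subgroup_occurrence) { create(:sbom_occurrence, project: subgroup_project) }
  let_it_be(:unrelated_project) { create(:project) }
  let_it_be(:unrelated_occurrence) { create(:sbom_occurrence, project: unrelated_project) }

  it 'returns occurrences from the namespace and its descendants only' do
    result = described_class.for_namespace_and_descendants(group)
    expect(result).to match_array([occurrence_npm1, occurrence_npm2, subgroup_occurrence])
  end
```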