From 7e09ea99fdcbf8b3da9af526e4155b1b0aefb498 Mon Sep 17 00:00:00 2001
From: Brian Williams <bwilliams@gitlab.com>
Date: Thu, 31 Oct 2024 22:25:35 +0000
Subject: [PATCH] Only set has_vulnerabilities when records are ingested

Currently, `IngestReportsService` sets `has_vulnerabilities` 100% of the
time. This does not account for the fact that all security reports could
be empty. This change skips the update if zero vulnerabilities were
ingested.

Changelog: fixed
EE: true
---
 .../security/ingestion/ingest_reports_service.rb         | 6 +++++-
 .../security/ingestion/ingest_reports_service_spec.rb    | 9 +++++++++
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/ee/app/services/security/ingestion/ingest_reports_service.rb b/ee/app/services/security/ingestion/ingest_reports_service.rb
index ef01b08cdf10e..b134740f3cc8c 100644
--- a/ee/app/services/security/ingestion/ingest_reports_service.rb
+++ b/ee/app/services/security/ingestion/ingest_reports_service.rb
@@ -56,7 +56,11 @@ def ingest(security_scan)
       end
 
       def mark_project_as_vulnerable!
-        project.mark_as_vulnerable!
+        project.mark_as_vulnerable! if ingested_vulnerabilities?
+      end
+
+      def ingested_vulnerabilities?
+        ingested_ids_by_scanner.values.any?(&:present?)
       end
 
       def set_latest_pipeline!
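Review bot: The new guard in `mark_project_as_vulnerable!` depends on `ingested_ids_by_scanner`, which is defined outside this hunk; if that hash is only filled in during `ingest`, the flag is now silently skipped whenever this method runs before ingestion, so the call order in the caller (not visible here) is what keeps the fix correct and a regression there would not be caught by the guard itself. A short why-comment on the conditional would help the next reader: `# Skip when every report ingested nothing, so a project whose scans are all empty is not flagged has_vulnerabilities.` It is also worth noting in that comment that the guard only ever adds the flag: a project already marked stays marked when a later pipeline ingests zero findings, which is presumably intended but is not stated anywhere in the diff.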
diff --git a/ee/spec/services/security/ingestion/ingest_reports_service_spec.rb b/ee/spec/services/security/ingestion/ingest_reports_service_spec.rb
index 891e7f8070988..3c995927bd73b 100644
--- a/ee/spec/services/security/ingestion/ingest_reports_service_spec.rb
+++ b/ee/spec/services/security/ingestion/ingest_reports_service_spec.rb
@@ -43,6 +43,15 @@
         .and change { project.reload.vulnerability_statistic&.latest_pipeline_id }.to(pipeline.id)
     end
 
+    context 'when ingested reports are empty' do
+      let(:ids_1) { [] }
+      let(:ids_2) { [] }
+
+      it 'does not set has_vulnerabilities' do
+        expect { ingest_reports }.not_to change { project.reload.project_setting.has_vulnerabilities }.from(false)
+      end
+    end
+
     it 'calls ScheduleMarkDroppedAsResolvedService with primary identifier IDs' do
       ingest_reports
 
-- 
GitLab