Merge branch 'mokhax/411821/spike-child-pipelines' into 'master'

Resolve vulnerabilities with scanner collision in child pipelines See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/124915 Merged-by: Mayra Cabrera <mcabrera@gitlab.com> Approved-by: drew stachon <730684-drew@users.noreply.gitlab.com> Approved-by: Gregory Havenga <11164960-ghavenga@users.noreply.gitlab.com> Approved-by: Kassio Borges <kborges@gitlab.com> Approved-by: Zamir Martins <zfilho@gitlab.com> Approved-by: Mayra Cabrera <mcabrera@gitlab.com> Reviewed-by: Mayra Cabrera <mcabrera@gitlab.com> Reviewed-by: Kassio Borges <kborges@gitlab.com> Reviewed-by: Zamir Martins <zfilho@gitlab.com> Reviewed-by: mo khan <mo@mokhan.ca> Co-authored-by: mo khan <mo@mokhan.ca>

Merge branch 'mokhax/411821/spike-child-pipelines' into 'master'
a2b87e91 · Mayra Cabrera · 28ea8528 · f5fd4d95 · a2b87e91 · a2b87e91
--- a/ee/app/models/ee/ci/pipeline.rb
+++ b/ee/app/models/ee/ci/pipeline.rb
@@ -246,6 +246,10 @@ def security_scan_types
        security_scans.pluck(:scan_type)
      end

+      def self_and_descendant_security_scans
+        Security::Scan.where(pipeline_id: self_and_project_descendants.pluck(:id))
+      end
+
      private

      def has_security_reports?

--- a/ee/app/services/security/ingestion/ingest_reports_service.rb
+++ b/ee/app/services/security/ingestion/ingest_reports_service.rb
@@ -39,7 +39,12 @@ def collect_ingested_ids_for(scan, ingested_ids)
      end

      def latest_security_scans
-        @latest_security_scans ||= pipeline.security_scans.without_errors.latest
+        @latest_security_scans ||=
+          if Feature.enabled?(:descendant_security_scans, project)
+            pipeline.root_ancestor.self_and_descendant_security_scans.without_errors.latest
+          else
+            pipeline.security_scans.without_errors.latest
+          end
      end

      def ingested_ids_by_scanner

--- a/ee/config/feature_flags/development/descendant_security_scans.yml
+++ b/ee/config/feature_flags/development/descendant_security_scans.yml
+---
+name: descendant_security_scans
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/124915
+rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/417486
+milestone: '16.2'
+type: development
+group: group::threat insights
+default_enabled: false
--- a/ee/spec/models/ci/pipeline_spec.rb
+++ b/ee/spec/models/ci/pipeline_spec.rb
@@ -942,4 +942,17 @@
      expect(pipeline.security_scan_types).to match_array([scan_type])
    end
  end
+
+  describe ".self_and_descendant_security_scans" do
+    it 'returns the security scan from the parent and each child pipeline' do
+      parent_pipeline = create(:ee_ci_pipeline, :success, project: project)
+      pipeline_1 = create(:ee_ci_pipeline, :success, child_of: parent_pipeline, project: project)
+      pipeline_2 = create(:ee_ci_pipeline, :success, child_of: parent_pipeline, project: project)
+      parent_scan = create(:security_scan, pipeline: parent_pipeline)
+      scan_1 = create(:security_scan, pipeline: pipeline_1)
+      scan_2 = create(:security_scan, pipeline: pipeline_2)
+
+      expect(parent_pipeline.self_and_descendant_security_scans).to match_array([parent_scan, scan_1, scan_2])
+    end
+  end
 end
--- a/ee/spec/services/security/ingestion/ingest_reports_service_spec.rb
+++ b/ee/spec/services/security/ingestion/ingest_reports_service_spec.rb
@@ -56,6 +56,39 @@
      ingest_reports
    end

+    context 'when the same scanner is used into separate child pipelines' do
+      let_it_be(:parent_pipeline) { create(:ee_ci_pipeline, :success, project: project) }
+      let_it_be(:child_pipeline_1) { create(:ee_ci_pipeline, :success, child_of: parent_pipeline, project: project) }
+      let_it_be(:child_pipeline_2) { create(:ee_ci_pipeline, :success, child_of: parent_pipeline, project: project) }
+      let_it_be(:parent_scan) { create(:security_scan, pipeline: parent_pipeline) }
+      let_it_be(:scan_1) { create(:security_scan, pipeline: child_pipeline_1) }
+      let_it_be(:scan_2) { create(:security_scan, pipeline: child_pipeline_2) }
+
+      subject(:service_object) { described_class.new(parent_pipeline) }
+
+      it 'ingests the scan from both child pipelines' do
+        service_object.execute
+
+        expect(Security::Ingestion::IngestReportService).to have_received(:execute).with(parent_scan)
+        expect(Security::Ingestion::IngestReportService).to have_received(:execute).with(scan_1)
+        expect(Security::Ingestion::IngestReportService).to have_received(:execute).with(scan_2)
+      end
+
+      context 'with `descendant_security_scans` disabled' do
+        before do
+          stub_feature_flags(descendant_security_scans: false)
+        end
+
+        it 'ingest the scan from the parent pipeline' do
+          service_object.execute
+
+          expect(Security::Ingestion::IngestReportService).to have_received(:execute).with(parent_scan)
+          expect(Security::Ingestion::IngestReportService).not_to have_received(:execute).with(scan_1)
+          expect(Security::Ingestion::IngestReportService).not_to have_received(:execute).with(scan_2)
+        end
+      end
+    end
+
    describe 'scheduling the AutoFix background job' do
      let(:auto_fix_dependency_scanning?) { false }