From bee3e9a30c93636ee70561ab5b5455241bde014c Mon Sep 17 00:00:00 2001
From: Mehmet Emin INAC <minac@gitlab.com>
Date: Fri, 23 Aug 2024 18:14:52 +0200
Subject: [PATCH] Fix CVSS values in vulnerability export

---
 ee/app/models/ee/vulnerability.rb                      |  4 ++++
 .../vulnerability_exports/exporters/csv_service.rb     |  2 +-
 ee/spec/models/ee/vulnerability_spec.rb                | 10 ++++++++++
 .../exporters/csv_service_spec.rb                      |  2 +-
 4 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/ee/app/models/ee/vulnerability.rb b/ee/app/models/ee/vulnerability.rb
index 2b1436c08a8d6..57465c98b5533 100644
--- a/ee/app/models/ee/vulnerability.rb
+++ b/ee/app/models/ee/vulnerability.rb
@@ -192,6 +192,10 @@ def with_vulnerability_links
 
       delegate :dismissal_reason, to: :vulnerability_read, prefix: true, allow_nil: true
 
+      def cvss_vectors_with_vendor
+        cvss.map { |cvss| "#{cvss['vendor']}=#{cvss['vector']}" }
+      end
+
       def full_path
         "#{project.full_path}/#{id}"
       end
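Review bot: `cvss_vectors_with_vendor` calls `cvss.map` with no nil guard, whereas the formatter it replaces used `v&.cvss&.map`, so a record whose `cvss` is nil would now raise during export instead of producing an empty cell. Whether the column can be nil is not visible here, because the attribute definition and the enclosing module sit outside the hunk. The block parameter also shadows the `cvss` reader it iterates over. I would write `cvss&.map { |entry| "#{entry['vendor']}=#{entry['vector']}" }`, which keeps the nil return that the caller's `&.to_csv` already handles. A short comment such as `# Returns one "vendor=vector" string per CVSS entry, for the CSV export` would also make explicit that the key order is deliberate.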
diff --git a/ee/app/services/vulnerability_exports/exporters/csv_service.rb b/ee/app/services/vulnerability_exports/exporters/csv_service.rb
index f522f5323fcd1..95b4a1c86277e 100644
--- a/ee/app/services/vulnerability_exports/exporters/csv_service.rb
+++ b/ee/app/services/vulnerability_exports/exporters/csv_service.rb
@@ -9,7 +9,7 @@ class CsvService
       # to be removed with https://gitlab.com/gitlab-org/gitlab/-/issues/412114
       NIL_FORMATTER = ->(_) { nil }
 
-      CVSS_FORMATTER = ->(v) { v&.cvss&.map { |e| e.values.join('=') }&.to_csv(col_sep: CSV_DELIMITER, row_sep: '') }
+      CVSS_FORMATTER = ->(v) { v&.cvss_vectors_with_vendor&.to_csv(col_sep: CSV_DELIMITER, row_sep: '') }
 
       attr_reader :vulnerabilities
 
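Review bot: The cell built by `CVSS_FORMATTER` is composed of each entry's `vendor` and `vector` strings, which presumably come from ingested scanner reports, and nothing in this hunk neutralises a value beginning with `=`, `+`, `-` or `@` before the file is opened in a spreadsheet. Whether the surrounding export writer escapes such cells is outside the hunk, so please confirm that it covers this column, and pin that with a spec using a constructed vendor value such as `'=x'`. A comment above the constant, e.g. `# Single cell holding "vendor=vector" entries joined by CSV_DELIMITER`, would document the nested-CSV format.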
diff --git a/ee/spec/models/ee/vulnerability_spec.rb b/ee/spec/models/ee/vulnerability_spec.rb
index e23e220997f10..681b25af5d0e0 100644
--- a/ee/spec/models/ee/vulnerability_spec.rb
+++ b/ee/spec/models/ee/vulnerability_spec.rb
@@ -562,6 +562,16 @@
     end
   end
 
+  describe '#cvss_vectors_with_vendor' do
+    subject { vulnerability.cvss_vectors_with_vendor }
+
+    before do
+      vulnerability.cvss = [{ vector: 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N', vendor: 'GitLab' }]
+    end
+
+    it { is_expected.to match_array(['GitLab=CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N']) }
+  end
+
   describe '#full_path' do
     let(:project) { build(:project) }
     let(:vulnerability) { build(:vulnerability, id: 1, project: project) }
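Review bot: The new `#cvss_vectors_with_vendor` example covers only one well-formed entry, so the inputs most likely to break the export are untested: an empty or nil `cvss`, several entries, and an entry missing `vendor` or `vector`. Adding `context 'when cvss is empty'` with `it { is_expected.to be_empty }`, plus a multi-entry case, would pin the behaviour the CSV exporter relies on. The `before` block assigns symbol keys while the method reads string keys, which presumably works because the attribute is cast on assignment. A comment such as `# keys are stringified by the attribute cast` would spare the next reader that question.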
diff --git a/ee/spec/services/vulnerability_exports/exporters/csv_service_spec.rb b/ee/spec/services/vulnerability_exports/exporters/csv_service_spec.rb
index c9621143806ff..41b004f1050b3 100644
--- a/ee/spec/services/vulnerability_exports/exporters/csv_service_spec.rb
+++ b/ee/spec/services/vulnerability_exports/exporters/csv_service_spec.rb
@@ -47,7 +47,7 @@
       end
 
       context 'when a project belongs to a group' do
-        let_it_be(:vulnerability) { create(:vulnerability, :with_findings, project: project) }
+        let_it_be_with_refind(:vulnerability) { create(:vulnerability, :with_findings, project: project) }
         let_it_be(:note) { create(:note, project: project, noteable: vulnerability, note: "a\nb") }
 
         it 'includes proper values for each column type', :aggregate_failures do
-- 
GitLab