Set slice limit when triggering events related to

the creation of vulnerability occurrences. EE: true

Set slice limit when triggering events related to
c33c2267 · Zamir Martins · GitLab · 153e41c8 · c33c2267 · c33c2267
--- a/ee/app/services/security/vulnerability_scanning/create_vulnerability_service.rb
+++ b/ee/app/services/security/vulnerability_scanning/create_vulnerability_service.rb
@@ -5,6 +5,8 @@ module VulnerabilityScanning
    class CreateVulnerabilityService
      include Gitlab::Utils::StrongMemoize
+      FINDINGS_LIMIT = 50
      PRE_CREATE_TASKS = %i[
        reject_findings_maps_exceeding_quota
      ].freeze
@@ -189,16 +191,19 @@ def projects
      strong_memoize_attr :projects
      def trigger_vulnerabilities_created_event
-        return unless finding_data.present?
+        return unless findings_for_vulnerabilities.present?
-        ::Gitlab::EventStore.publish(vulnerabilities_created_event)
+        findings_for_vulnerabilities.each_slice(FINDINGS_LIMIT) do |findings|
+          event = vulnerabilities_created_event(findings)
+          ::Gitlab::EventStore.publish(event)
+        end
      end
-      def vulnerabilities_created_event
+      def vulnerabilities_created_event(findings)
-        Sbom::VulnerabilitiesCreatedEvent.new(data: { findings: finding_data }.with_indifferent_access)
+        Sbom::VulnerabilitiesCreatedEvent.new(data: { findings: findings }.with_indifferent_access)
      end
-      def finding_data
+      def findings_for_vulnerabilities
        finding_maps.filter_map do |finding_map|
          next unless include_finding_map?(finding_map)
@@ -212,7 +217,7 @@ def finding_data
          }
        end
      end
-      strong_memoize_attr :finding_data
+      strong_memoize_attr :findings_for_vulnerabilities
      def include_finding_map?(finding_map)
        finding_map.report_type == 'dependency_scanning' &&

--- a/ee/spec/services/security/vulnerability_scanning/create_vulnerability_service_spec.rb
+++ b/ee/spec/services/security/vulnerability_scanning/create_vulnerability_service_spec.rb
@@ -112,6 +112,33 @@
        })
      end
+      context 'with a number of findings higher than `FINDINGS_LIMIT`' do
+        let(:security_finding_second) do
+          create(:ci_reports_security_finding, location: locations, report_type: report_type)
+        end
+        let(:finding_map_second) do
+          create(:vs_finding_map, pipeline: pipeline, report_finding: security_finding_second, purl_type: purl_type)
+        end
+        let(:finding_maps) { [finding_map, finding_map_second] }
+        before do
+          stub_const("#{described_class}::FINDINGS_LIMIT", 1)
+        end
+        it 'publishes a new event with findings based on `FINDINGS_LIMIT`' do
+          expect_next_instance_of(described_class) do |service|
+            expect(service).to receive(:vulnerabilities_created_event)
+              .with([hash_including(uuid: security_finding.uuid)]).and_call_original
+            expect(service).to receive(:vulnerabilities_created_event)
+              .with([hash_including(uuid: security_finding_second.uuid)]).and_call_original
+          end
+          service_response
+        end
+      end
      context 'with feature flag disabled' do
        before do
          stub_feature_flags(update_sbom_occurrences_vulnerabilities_on_cvs: false)