Merge branch...

Merge branch '424021-adjust-vulnerabilities-ingestion-pipeline-to-accept-cvss-fields' into 'master' Adjust vulnerabilities ingestion pipeline to accept CVSS field See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/132548 Merged-by: Mehmet Emin INAC <minac@gitlab.com> Approved-by: Dominic Bauer <dbauer@gitlab.com> Approved-by: Gregory Havenga <11164960-ghavenga@users.noreply.gitlab.com> Approved-by: Mehmet Emin INAC <minac@gitlab.com> Approved-by: mo khan <mo@mokhan.ca> Reviewed-by: Thiago Figueiró <tfigueiro@gitlab.com> Reviewed-by: Mehmet Emin INAC <minac@gitlab.com> Reviewed-by: mo khan <mo@mokhan.ca> Co-authored-by: Michał Zając <mzajac@gitlab.com>

Merge branch...
cfead45f · Mehmet Emin INAC · 3d30fc99 · 406c6b6d · cfead45f · cfead45f
--- a/app/models/concerns/vulnerability_finding_helpers.rb
+++ b/app/models/concerns/vulnerability_finding_helpers.rb
@@ -50,6 +50,7 @@ def build_vulnerability_finding(security_finding)
    finding_data = report_finding.to_hash.except(
      :compare_key, :identifiers, :location, :scanner, :links, :signatures, :flags, :evidence
    )
    identifiers = report_finding.identifiers.uniq(&:fingerprint).map do |identifier|
      Vulnerabilities::Identifier.new(identifier.to_hash.merge({ project: project }))
    end

--- a/ee/app/services/security/ingestion/tasks/ingest_vulnerabilities/create.rb
+++ b/ee/app/services/security/ingestion/tasks/ingest_vulnerabilities/create.rb
@@ -36,7 +36,8 @@ def attributes_for_finding(report_finding)
              severity: report_finding.severity,
              confidence: report_finding.confidence,
              report_type: report_finding.report_type,
-              present_on_default_branch: true
+              present_on_default_branch: true,
+              cvss: report_finding.cvss
            }
          end

--- a/ee/app/services/security/ingestion/tasks/ingest_vulnerabilities/update.rb
+++ b/ee/app/services/security/ingestion/tasks/ingest_vulnerabilities/update.rb
@@ -25,7 +25,8 @@ def attributes_for(vulnerability_id, report_finding)
              confidence: report_finding.confidence,
              resolved_on_default_branch: false,
              updated_at: Time.zone.now,
-              present_on_default_branch: true
+              present_on_default_branch: true,
+              cvss: report_finding.cvss
            }
          end
        end

--- a/ee/spec/services/security/ingestion/tasks/ingest_vulnerabilities/create_spec.rb
+++ b/ee/spec/services/security/ingestion/tasks/ingest_vulnerabilities/create_spec.rb
@@ -11,6 +11,18 @@
  subject { described_class.new(pipeline, [finding_map]).execute }
+  context 'vulnerability CVSS vectors' do
+    let(:expected_hash) do
+      { "vector_string" => "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N", "vendor" => "GitLab" }
+    end
+    it 'set the CVSS vectors' do
+      subject
+      expect(vulnerability.cvss.first).to eq(expected_hash)
+    end
+  end
  context 'vulnerability state' do
    it 'sets the state of the vulnerability to `detected`' do
      subject

--- a/lib/gitlab/ci/reports/security/finding.rb
+++ b/lib/gitlab/ci/reports/security/finding.rb
@@ -30,12 +30,13 @@ class Finding
          attr_reader :project_id
          attr_reader :original_data
          attr_reader :found_by_pipeline
+          attr_reader :cvss
          delegate :file_path, :start_line, :end_line, to: :location
          alias_method :cve, :compare_key
-          def initialize(compare_key:, identifiers:, flags: [], links: [], remediations: [], location:, evidence:, metadata_version:, name:, original_data:, report_type:, scanner:, scan:, uuid:, confidence: nil, severity: nil, details: {}, signatures: [], project_id: nil, vulnerability_finding_signatures_enabled: false, found_by_pipeline: nil) # rubocop:disable Metrics/ParameterLists
+          def initialize(compare_key:, identifiers:, flags: [], links: [], remediations: [], location:, evidence:, metadata_version:, name:, original_data:, report_type:, scanner:, scan:, uuid:, confidence: nil, severity: nil, details: {}, signatures: [], project_id: nil, vulnerability_finding_signatures_enabled: false, found_by_pipeline: nil, cvss: []) # rubocop:disable Metrics/ParameterLists
            @compare_key = compare_key
            @confidence = confidence
            @identifiers = identifiers
@@ -57,6 +58,7 @@ def initialize(compare_key:, identifiers:, flags: [], links: [], remediations: [
            @project_id = project_id
            @vulnerability_finding_signatures_enabled = vulnerability_finding_signatures_enabled
            @found_by_pipeline = found_by_pipeline
+            @cvss = cvss
            @project_fingerprint = generate_project_fingerprint
          end

--- a/spec/factories/ci/reports/security/findings.rb
+++ b/spec/factories/ci/reports/security/findings.rb
@@ -10,6 +10,7 @@
    metadata_version { 'sast:1.0' }
    name { 'Cipher with no integrity' }
    report_type { :sast }
+    cvss { [{ vendor: "GitLab", vector_string: "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N" }] }
    original_data do
      {
        description: "The cipher does not provide data integrity update 1",