From 199775515cd4b073e3a3370815abb8f923f9645e Mon Sep 17 00:00:00 2001 From: Hitesh Raghuvanshi Date: Fri, 12 Dec 2025 18:13:38 +0530 Subject: [PATCH 1/2] Trigger SAST FP worker when project has duo access EE: true --- ee/app/models/ee/vulnerability.rb | 1 + ee/spec/models/ee/vulnerability_spec.rb | 32 +++++++++++++++++++++++++ 2 files changed, 33 insertions(+) diff --git a/ee/app/models/ee/vulnerability.rb b/ee/app/models/ee/vulnerability.rb index 4435a2ebc67e11..df5f403b1ab5a9 100644 --- a/ee/app/models/ee/vulnerability.rb +++ b/ee/app/models/ee/vulnerability.rb @@ -390,6 +390,7 @@ def trigger_false_positive_detection return unless sast? return unless high_or_critical_severity? return unless project.duo_sast_fp_detection_enabled + return unless Ability.allowed?(author, :duo_workflow, project) run_after_commit_or_now do ::Vulnerabilities::TriggerFalsePositiveDetectionWorkflowWorker.perform_async(id) diff --git a/ee/spec/models/ee/vulnerability_spec.rb b/ee/spec/models/ee/vulnerability_spec.rb index a11e4909f6bca1..95ce33aa4f11b1 100644 --- a/ee/spec/models/ee/vulnerability_spec.rb +++ b/ee/spec/models/ee/vulnerability_spec.rb @@ -1575,6 +1575,7 @@ with_them do before do project.update!(duo_sast_fp_detection_enabled: duo_sast_fp_detection_enabled) + allow(Ability).to receive(:allowed?).with(user, :duo_workflow, project).and_return(true) end it 'triggers or does not trigger false positive detection workflow based on conditions' do 
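Review bot: The added `return unless Ability.allowed?(author, :duo_workflow, project)` authorizes at enqueue time only, and the worker is handed just `id`, so whatever principal the workflow eventually runs as is not visibly re-checked; if `TriggerFalsePositiveDetectionWorkflowWorker` (or the service it calls) does not repeat the check, a seat or permission revocation between enqueue and execution would not be enforced. Treat this line as a cheap pre-filter and keep the authoritative check where the workflow is actually started. The commit title speaks of the project having Duo access while the code checks the vulnerability's author, so a one-line comment would help a later reader: `# the FP workflow runs on behalf of the author, who must hold :duo_workflow on the project`. If `author` can be nil at this point, `Ability.allowed?` evaluates it as anonymous and the guard denies, which is the safe default; the body of `trigger_false_positive_detection` continues outside the hunk.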
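Review bot: The stub `allow(Ability).to receive(:allowed?).with(user, :duo_workflow, project).and_return(true)` replaces the whole `Ability.allowed?` method with one that only accepts those exact arguments, so any other ability check reached while creating the vulnerability fails with an unexpected-arguments error instead of a meaningful assertion; the second patch in this series had to paper over exactly that in another spec. Adding `allow(Ability).to receive(:allowed?).and_call_original` before the specific stub keeps real policy evaluation for every other call. Because every row of the `with_them` table now receives `true`, the permission dimension is not part of this table and is covered only by the separate contexts added further down the file.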
@@ -1592,6 +1593,37 @@ create(:vulnerability, report_type, severity, author: user, project: project) end end + + context 'when author does not have duo_workflow permission' do + before do + project.update!(duo_sast_fp_detection_enabled: true) + allow(Ability).to receive(:allowed?).with(user, :duo_workflow, project).and_return(false) + end + + it 'does not trigger false positive detection workflow' do + expect(::Vulnerabilities::TriggerFalsePositiveDetectionWorkflowWorker) + .not_to receive(:perform_async) + + create(:vulnerability, :sast, :critical, author: user, project: project) + end + end + + context 'when author has duo_workflow permission' do + before do + project.update!(duo_sast_fp_detection_enabled: true) + allow(Ability).to receive(:allowed?).with(user, :duo_workflow, project).and_return(true) + end + + it 'triggers false positive detection workflow for high severity SAST vulnerability' do + expect_next_instance_of(::Vulnerability) do |instance| + expect(instance).to receive(:run_after_commit_or_now).and_yield + end + expect(::Vulnerabilities::TriggerFalsePositiveDetectionWorkflowWorker) + .to receive(:perform_async).with(anything) + + create(:vulnerability, :sast, :high, author: user, project: project) + end + end end end -- GitLab From 73c098d226333cafc4dd8677b90e1383e2d133be Mon Sep 17 00:00:00 2001 From: Hitesh Raghuvanshi Date: Mon, 15 Dec 2025 15:33:05 +0530 Subject: [PATCH 2/2] Fixed the rspecs --- ee/spec/services/vulnerabilities/auto_dismiss_service_spec.rb | 1 + 1 file changed, 1 insertion(+) diff --git a/ee/spec/services/vulnerabilities/auto_dismiss_service_spec.rb b/ee/spec/services/vulnerabilities/auto_dismiss_service_spec.rb index 30245a9d8a9d7d..fce463500a7574 100644 --- a/ee/spec/services/vulnerabilities/auto_dismiss_service_spec.rb +++ b/ee/spec/services/vulnerabilities/auto_dismiss_service_spec.rb 
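Review bot: The positive example asserts `receive(:perform_async).with(anything)`, which passes even if the worker is enqueued with the wrong argument; the vulnerability id is the only payload, so capture it, e.g. `expect(::Vulnerabilities::TriggerFalsePositiveDetectionWorkflowWorker).to receive(:perform_async) { |id| expect(id).to eq(::Vulnerability.last.id) }`, or use the Sidekiq `have_enqueued_sidekiq_job` matcher if this suite provides it. Both new contexts stub `Ability.allowed?` directly, so nothing here exercises the real `:duo_workflow` policy and a regression that grants the ability to users without Duo access would go unnoticed; one example that sets up genuine Duo access or denial for `user` instead of stubbing `Ability` would close that gap. The two contexts also repeat `project.update!(duo_sast_fp_detection_enabled: true)`, which could move into a shared `before` above them.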
@@ -86,6 +86,7 @@ let(:ability_allowed) { true } before do + allow(Ability).to receive(:allowed?).and_return(true) allow(Ability).to receive(:allowed?).with(bot_user, :create_vulnerability_state_transition, project).and_return(ability_allowed) end -- GitLab
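Review bot: `allow(Ability).to receive(:allowed?).and_return(true)` grants every ability to every user for the whole example group, not just the `:duo_workflow` check that the vulnerability factory now triggers; in a spec for a service that performs state transitions, that default can let a negative case pass for the wrong reason if the service ever adds another authorization check. The narrower fix is `allow(Ability).to receive(:allowed?).and_call_original`, which keeps real policy evaluation as the fallback while the following `with(bot_user, :create_vulnerability_state_transition, project)` stub still overrides that one call. If real `:duo_workflow` evaluation is too costly or needs licensing setup here, a targeted `allow(Ability).to receive(:allowed?).with(anything, :duo_workflow, anything).and_return(false)` documents the dependency instead of hiding it.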