diff --git a/ee/app/models/ee/vulnerability.rb b/ee/app/models/ee/vulnerability.rb
index fbdb6fdb5589ce166856afd70fcc489b57df1cca..8dd78ded041078aecf52bc549a8bc4e68add4da0 100644
--- a/ee/app/models/ee/vulnerability.rb
+++ b/ee/app/models/ee/vulnerability.rb
@@ -394,6 +394,18 @@ def trigger_false_positive_detection
 user = project.first_owner || author
 return unless Ability.allowed?(user, :duo_workflow, project)
+ # This is a temporary check to avoid errors in TriggerFalsePositiveDetectionWorkflowWorker while starting workflow
+ # Related issue which should remove this check https://gitlab.com/gitlab-org/gitlab/-/issues/584239
+ if project.group&.membership_lock
+ ::Gitlab::AppLogger.info(
+ message: 'Project membership locked for SAST vulnerability',
+ project_id: project.id,
+ vulnerability_id: id,
+ group_lock: project.group&.membership_lock
+ )
+ return
+ end
+
 run_after_commit_or_now do
 ::Vulnerabilities::TriggerFalsePositiveDetectionWorkflowWorker.perform_async(id)
 end
diff --git a/ee/spec/models/ee/vulnerability_spec.rb b/ee/spec/models/ee/vulnerability_spec.rb
index a709fc30364ca8f37392984343a515527a313a28..b862cf5769da08fcc538ab641c4062d64c55a50c 100644
--- a/ee/spec/models/ee/vulnerability_spec.rb
+++ b/ee/spec/models/ee/vulnerability_spec.rb
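Review bot: In the added `if project.group&.membership_lock` branch the lock flag is evaluated a second time to fill the `group_lock:` log field, and inside that branch it can only be truthy, so the field never tells the reader anything; hoist the group once and log an identifier that helps correlate instead, e.g. `group = project.group`, `if group&.membership_lock`, `group_id: group.id`. The spec in the second file pins `hash_including(... group_lock: true)`, so it would need the same adjustment. The two-line comment says the check is temporary and links the removal issue but not which error the worker hits when membership is locked; naming that error in the comment would let whoever picks up the issue verify the fix. Only the project's direct group is consulted here; if the membership lock can be inherited from an ancestor group, that case still reaches the worker — worth confirming against the group model. trigger_false_positive_detection starts before this hunk.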
@@ -1624,6 +1624,76 @@
 create(:vulnerability, :sast, :high, author: user, project: project)
 end
 end
+
+ context 'when membership is locked' do
+ let_it_be(:group) { create(:group) }
+ let_it_be(:project_with_group) { create(:project, group: group, duo_sast_fp_detection_enabled: true) }
+
+ before do
+ allow(Ability).to receive(:allowed?).and_call_original
+ allow(Ability).to receive(:allowed?).with(anything, :duo_workflow, project_with_group).and_return(true)
+ end
+
+ context 'when project group has membership_lock enabled' do
+ before do
+ group.update!(membership_lock: true)
+ end
+
+ it 'does not trigger false positive detection workflow' do
+ expect(::Vulnerabilities::TriggerFalsePositiveDetectionWorkflowWorker)
+ .not_to receive(:perform_async)
+
+ create(:vulnerability, :sast, :high, author: user, project: project_with_group)
+ end
+
+ it 'logs the membership lock information' do
+ expect(::Gitlab::AppLogger).to receive(:info).with(
+ hash_including(
+ message: 'Project membership locked for SAST vulnerability',
+ project_id: project_with_group.id,
+ group_lock: true
+ )
+ ).and_call_original
+
+ create(:vulnerability, :sast, :high, author: user, project: project_with_group)
+ end
+ end
+
+ context 'when membership_lock is disabled' do
+ before do
+ group.update!(membership_lock: false)
+ end
+
+ it 'triggers false positive detection workflow normally' do
+ expect_next_instance_of(::Vulnerability) do |instance|
+ expect(instance).to receive(:run_after_commit_or_now).and_yield
+ end
+ expect(::Vulnerabilities::TriggerFalsePositiveDetectionWorkflowWorker)
+ .to receive(:perform_async).with(anything)
+
+ create(:vulnerability, :sast, :critical, author: user, project: project_with_group)
+ end
+ end
+
+ context 'when project has no group' do
+ let_it_be(:project_without_group) { create(:project, duo_sast_fp_detection_enabled: true) }
+
+ before do
+ allow(Ability).to receive(:allowed?).and_call_original
+ allow(Ability).to receive(:allowed?).with(anything, :duo_workflow, project_without_group).and_return(true)
+ end
+
+ it 'triggers false positive detection workflow normally' do
+ expect_next_instance_of(::Vulnerability) do |instance|
+ expect(instance).to receive(:run_after_commit_or_now).and_yield
+ end
+ expect(::Vulnerabilities::TriggerFalsePositiveDetectionWorkflowWorker)
+ .to receive(:perform_async).with(anything)
+
+ create(:vulnerability, :sast, :high, author: user, project: project_without_group)
+ end
+ end
+ end
 end
 end
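Review bot: `expect(::Gitlab::AppLogger).to receive(:info).with(hash_including(...))` in 'logs the membership lock information' constrains every `info` call made while `create(...)` runs, so any unrelated `AppLogger.info` emitted during the save would fail the example with an unexpected-arguments error instead of passing through; adding `allow(::Gitlab::AppLogger).to receive(:info).and_call_original` before the expectation keeps the example focused on the lock log line. The `allow(Ability).to receive(:allowed?).and_call_original` line in the 'when project has no group' `before` repeats the outer `before` verbatim and can be dropped, leaving only the `project_without_group` stub. That outer `before` also still stubs `project_with_group` for examples that never use it, which is harmless but obscures which stub each example depends on. The describe block these contexts are nested in starts before the hunk.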