Ignore any type::maintenance OR security-fix-in-public

Nick Malcolm requested to merge 26-ignore-maintenance into main

This MR does a bit of refactoring to more cleanly decide whether an MR is alertworthy or not.

It introduces new behavior: ignoring any type::maintenance labelled issue.

It modifies existing behavior: previously it had to be ~bug::vuln AND NOT security-fix-in-public. Now the behavior is to ignore ANY security-fix-in-public.

It also, hopefully, makes it easier to ignore or alert on new label combos in the future.

Alerter messaging has been updated; it's a bit more generic now but still gets the message across.

It simplifies the logic of checking whether to alert in DetectorService, moving that decision into MergeRequest. The MergeRequest class is now the SSoT for deciding whether to alert, whether to fetch its issues, etc.

It removes some "should I fetch issues" logic from Alerter::Slack since that was duplicative.

Part of the rationale for the refactor is that, since this is an open source tool, it really shouldn't be hardcoding in GitLab-specific questions like vuln_but_not_fix_in_public?.

Closes #26 (closed)
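To make the behaviour change concrete, here is an added illustration (not code from this MR or the project) of the old and new label rules the description gives, run over a few constructed label sets. The `MergeRequest` class, its method names and the `fetch_issues?` helper are assumptions; the description does not say whether the new rule still requires `bug::vuln`, so the new rule is modelled exactly as stated, as a pure ignore list.

```ruby
# Added illustration of the label rules described in this MR; not the
# project's own code. Class and method names are assumptions.
class MergeRequest
  attr_reader :labels

  # Labels that, under the new rule, always suppress an alert.
  IGNORED_LABELS = %w[type::maintenance security-fix-in-public].freeze

  def initialize(labels)
    @labels = labels.map(&:to_s)
  end

  def labelled?(name)
    labels.include?(name)
  end

  # Previous behaviour: alert only when bug::vuln AND NOT security-fix-in-public.
  def alertworthy_before?
    labelled?("bug::vuln") && !labelled?("security-fix-in-public")
  end

  # New behaviour: ignore ANY MR carrying one of the ignored labels.
  # Adding a new label combo to ignore means extending IGNORED_LABELS only.
  def alertworthy?
    (labels & IGNORED_LABELS).empty?
  end

  # Single source of truth: linked issues are only fetched for MRs we may alert on.
  def fetch_issues?
    alertworthy?
  end
end

# Constructed sample label sets (not real MRs).
SAMPLES = {
  vuln_fix_in_public:    %w[bug::vuln security-fix-in-public],
  vuln_private:          %w[bug::vuln],
  maintenance:           %w[type::maintenance],
  public_fix_no_vuln:    %w[security-fix-in-public],
  plain_feature:         %w[type::feature]
}.freeze

# Returns, per sample, the alert decision under the old and the new rule.
def decisions(samples = SAMPLES)
  samples.transform_values do |labels|
    mr = MergeRequest.new(labels)
    { before: mr.alertworthy_before?, now: mr.alertworthy? }
  end
end

if $PROGRAM_NAME == __FILE__
  decisions.each do |name, d|
    puts format("%-22s before=%-5s now=%s", name, d[:before], d[:now])
  end
end
```

The two rows that change are the ones the description calls out: a `type::maintenance` MR is now always ignored, and a `security-fix-in-public` MR is ignored whether or not it also carries `bug::vuln`.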