[Feature flag] Enable Analyzer Takover
Summary
This issue is to rollout Prefer Semgrep findings over other analyzers on production,
that is currently behind the update_vuln_identifiers_flag
feature flag.
Within Category:SAST, we try to deduplicate findings from multiple analyzers. The current approach leads us to prefer specific analyzers over others. We made a conscious decision to prefer other analyzer over semgrep while that analyzer was being developed. However, we're now moving to standardize upon semgrep after it becomes generally available. We need to flip this relationship so the semgrep is preferred over other Category:SAST analyzers.
Owners
- Team: Secure::Static Analysis
- Most appropriate slack channel to reach out to:
#g_secure-static-analysis
- Best individual to reach out to: @rossfuhrman
- PM: @connorgilbert
Stakeholders
Expectations
What are we expecting to happen?
Existing vulnerabilities (for supported analyzers), and their associated dismissals, confirmations, issues, etc., will be taken over by corresponding semgrep vulnerabilities.
When is the feature viable?
What might happen if this goes wrong?
In the worst case, ingestion of semgrep security findings could be broken, or slow, affecting other background processes or database performance.
The more likely case would be that the deduplication fails and duplicate records are created. This would only happen once per repo, but avoiding that duplication is the entire reason for this MR.
What can we monitor to detect problems with this?
Sidekiq: https://log.gprd.gitlab.net/goto/cceda190-0317-11ed-8656-f5f2137823ba Rails: https://log.gprd.gitlab.net/goto/dae36460-0317-11ed-b86b-d963a1a6788e
What can we check for monitoring production after rollouts?
Rollout Steps
Rollout on non-production environments
- Ensure that the feature MRs have been deployed to non-production environments.
-
/chatops run auto_deploy status <merge-commit-of-your-feature>
-
-
Enable the feature globally on non-production environments. -
/chatops run feature set update_vuln_identifiers_flag true --dev
-
/chatops run feature set update_vuln_identifiers_flag true --staging
-
-
Verify that the feature works as expected. Posting the QA result in this issue is preferable. The best environment to validate the feature in is staging-canary as this is the first environment deployed to. Note you will need to make sure you are configured to use canary as outlined here when accessing the staging environment in order to make sure you are testing appropriately.
Specific rollout on production
- Ensure that the feature MRs have been deployed to both production and canary.
-
/chatops run auto_deploy status <merge-commit-of-your-feature>
-
- Small dataset, known conditions
-
/chatops run feature set --project=rossfuhrman/insecure-july-31 update_vuln_identifiers_flag true
-
- Large dataset to check performance
-
/chatops run feature set --project=rossfuhrman/webgoat-semgrep-takeover-test update_vuln_identifiers_flag true
-
- If you're using project-actor, you must enable the feature on these entries:
-
/chatops run feature set --project=gitlab-org/gitlab update_vuln_identifiers_flag true
-
-
Verify that the feature works on the specific entries. Posting the QA result in this issue is preferable.
Preparation before global rollout
-
Check if the feature flag change needs to be accompanied with a change management issue. Cross link the issue here if it does. -
Ensure that you or a representative in development can be available for at least 2 hours after feature flag updates in production. If a different developer will be covering, or an exception is needed, please inform the oncall SRE by using the @sre-oncall
Slack alias. -
Ensure that documentation has been updated (More info). -
Announce on the feature issue an estimated time this will be enabled on GitLab.com. -
Ensure that any breaking changes have been announced following the release post process to ensure GitLab customers are aware. -
Notify #support_gitlab-com
and your team channel (more guidance when this is necessary in the dev docs).
Global rollout on production
For visibility, all /chatops
commands that target production should be executed in the #production
slack channel and cross-posted (with the command results) to the responsible team's slack channel (#g_TEAM_NAME
).
-
Incrementally roll out the feature. - If the feature flag in code has an actor, perform actor-based rollout.
-
/chatops run feature set <feature-flag-name> <rollout-percentage> --actors
-
- If the feature flag in code does NOT have an actor, perform time-based rollout (random rollout).
-
/chatops run feature set <feature-flag-name> <rollout-percentage> --random
-
- Enable the feature globally on production environment.
-
/chatops run feature set <feature-flag-name> true
-
- If the feature flag in code has an actor, perform actor-based rollout.
-
Announce on the feature issue that the feature has been globally enabled. -
Wait for at least one day for the verification term.
(Optional) Release the feature with the feature flag
If you're still unsure whether the feature is deemed stable but want to release it in the current milestone, you can change the default state of the feature flag to be enabled. To do so, follow these steps:
-
Create a merge request with the following changes. Ask for review and merge it. -
Set the default_enabled
attribute in the feature flag definition totrue
. -
Create a changelog entry.
-
-
Ensure that the default-enabling MR has been included in the release package. If the merge request was deployed before the monthly release was tagged, the feature can be officially announced in a release blog post. -
/chatops run release check <merge-request-url> <milestone>
-
-
Consider cleaning up the feature flag from all environments by running these chatops command in #production
channel. Otherwise these settings may override the default enabled.-
/chatops run feature delete <feature-flag-name> --dev
-
/chatops run feature delete <feature-flag-name> --staging
-
/chatops run feature delete <feature-flag-name>
-
-
Close the feature issue to indicate the feature will be released in the current milestone. -
Set the next milestone to this rollout issue for scheduling the flag removal. -
(Optional) You can create a separate issue for scheduling the steps below to Release the feature. -
Set the title to "[Feature flag] Cleanup <feature-flag-name>
". -
Execute the /copy_metadata <this-rollout-issue-link>
quick action to copy the labels from this rollout issue. -
Link this rollout issue as a related issue. -
Close this rollout issue.
-
WARNING: This approach has the downside that it makes it difficult for us to clean up the flag. For example, on-premise users could disable the feature on their GitLab instance. But when you remove the flag at some point, they suddenly see the feature as enabled and they can't roll it back to the previous behavior. To avoid this potential breaking change, use this approach only for urgent matters.
Release the feature
After the feature has been deemed stable, the clean up should be done as soon as possible to permanently enable the feature and reduce complexity in the codebase.
You can either create a follow-up issue for Feature Flag Cleanup or use the checklist below in this same issue.
Cleanup and removal of the feature flag will happen with [Feature flag] Cleanup update_vuln_identifiers_... (#386422 - closed)
Rollback Steps
-
This feature can be disabled by running the following Chatops command:
/chatops run feature set update_vuln_identifiers_flag false