Editing DAST Profiles not Disabled for Group Security Policies
Summary
DAST site and scanner profiles should not be editable while the profile is in use by an active, enabled security policy. This behavior is currently correct for project-level scan execution policies; however, group and sub-group policies do not disable editing of the profiles they reference.
Steps to reproduce
Example Project
What is the current bug behavior?
Site and scanner profiles can be edited even when referenced by an active group-level or sub-group-level scan execution policy.
What is the expected correct behavior?
Editing of site and scanner profiles should be disabled when they are referenced by an active group-level or sub-group-level scan execution policy.
Possible fixes
Implementation plan
- backend: modify the `load_records_into_loaded_objects` method in ee/lib/gitlab/graphql/aggregations/security_orchestration_policies/lazy_dast_profile_aggregate.rb to fetch `policy_configurations` from both projects and groups (i.e. by using the `project.all_security_orchestration_policy_configurations` method).
- backend: modify the `referenced_in_security_policies` method in ee/app/models/dast_site_profile.rb and ee/app/models/dast_scanner_profile.rb to include configurations from `project.all_security_orchestration_policy_configurations`:

def referenced_in_security_policies
  return [] unless project.all_security_orchestration_policy_configurations.present?

  # flat_map, not map: the result must be a flat list of policy names, since one
  # array per configuration (even an empty one) would still count as present?
  # dast_site_profile.rb uses the active_policy_names_with_dast_site_profile counterpart.
  project.all_security_orchestration_policy_configurations.flat_map do |configuration|
    configuration.active_policy_names_with_dast_scanner_profile(name)
  end
end
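The following is an added illustration of the fix, not code from the GitLab repository: it models the project / sub-group / group chain with constructed Struct stand-ins (`PolicyConfiguration`, `Namespace`, `all_policy_configurations` and `sample_project` are assumptions for this example) and shows why a project-only lookup misses a DAST policy defined on the group while the flat_map over all configurations catches it.

```ruby
# Constructed stand-ins for the GitLab models (not the real ActiveRecord classes).
# A policy configuration carries policies; each has an `enabled` flag and DAST
# actions naming the site profile they scan with.
PolicyConfiguration = Struct.new(:policies) do
  def active_policy_names_with_dast_site_profile(profile_name)
    policies.select { |p| p[:enabled] }
            .select { |p| p[:actions].any? { |a| a[:scan] == 'dast' && a[:site_profile] == profile_name } }
            .map { |p| p[:name] }
  end
end

# Namespace tree node: a project, sub-group or group, each optionally owning a
# policy configuration and pointing at its parent.
Namespace = Struct.new(:parent, :policy_configuration)

# Walks from the project up through its sub-groups and group, mirroring what
# project.all_security_orchestration_policy_configurations returns (assumed).
def all_policy_configurations(project)
  chain = []
  node = project
  while node
    chain << node.policy_configuration
    node = node.parent
  end
  chain.compact
end

# Buggy path: only the project's own configuration is consulted, so a policy
# defined on a group never locks the profile.
def referenced_project_only(project, site_profile)
  config = project.policy_configuration
  config ? config.active_policy_names_with_dast_site_profile(site_profile) : []
end

# Fixed path: flat_map over every configuration so the result is a flat list of
# policy names (a plain map would nest arrays, and [[]] is not empty).
def referenced_in_security_policies(project, site_profile)
  all_policy_configurations(project).flat_map do |configuration|
    configuration.active_policy_names_with_dast_site_profile(site_profile)
  end
end

# Constructed sample: the enabled DAST policy lives on the top-level group;
# the sub-group and the project define no policies of their own.
def sample_project
  active = { name: 'group-dast', enabled: true, actions: [{ scan: 'dast', site_profile: 'prod-site' }] }
  stale = { name: 'old-dast', enabled: false, actions: [{ scan: 'dast', site_profile: 'prod-site' }] }
  group = Namespace.new(nil, PolicyConfiguration.new([active, stale]))
  Namespace.new(Namespace.new(group, nil), nil) # project under a sub-group
end
```

The disabled policy is ignored in both paths; only the fixed path reports the group's enabled policy, which is what should block editing of `prod-site`.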