
Switching policy projects results in old policies on MRs (Existing and New)

Summary

When a security results policy is switched, the project shows the new association, but both existing and new MRs still apply the old policy.

Steps to reproduce

  • Create a project and a new branch
  • Apply Security Results Policy 1 to project
  • Introduce a finding on the new branch
  • Open an MR with new finding
  • See MR with Security Results Policy 1 logic applied
  • Go to Security & Compliance > Policies
  • Edit Project Policy
  • Select Security Results Policy 2
  • See Security Results Policy 2 confirmed for the project
  • Go to MR and see erroneous Security Results Policy 1 still in force
  • Open a new MR and see erroneous Security Results Policy 1 still in force

_In combination with #377309 (closed), this means I cannot reliably remove or change a project policy association currently._

Example Project

NA

What is the current bug behavior?

You can change the security policy and the project confirms the new association, but MRs still apply the old policy logic.

What is the expected correct behavior?

Whatever security policy is currently applied at the project level needs to be reflected in MRs and enforced there.

Relevant logs and/or screenshots

Screenshots (images not included): Screen_Shot_2022-10-06_at_2.24.12_PM, Screen_Shot_2022-10-06_at_2.25.10_PM, Screen_Shot_2022-10-06_at_2.25.16_PM, Screen_Shot_2022-10-06_at_2.25.31_PM, Screen_Shot_2022-10-06_at_2.59.52_PM

Output of checks

This bug happens on GitLab.com

Results of GitLab environment info

NA

Results of GitLab application Check

NA

Possible fixes

  • backend: Call Security::SyncScanPoliciesWorker when the policy project is updated or assigned for the first time, so that the project's policies are re-synced and MRs evaluate the currently assigned policy instead of the old one
Edited by Sashi Kumar Kumaresan