Switching policy projects results in old policies on MRs (Existing and New)
Summary
When a security results policy is switched, the project shows the new association, but existing and new MRs still apply the old policy.
Steps to reproduce
- Create a project and a new branch
- Apply Security Results Policy 1 to project
- Introduce a finding on the new branch
- Open an MR with new finding
- See MR with Security Results Policy 1 logic applied
- Go to Security & Compliance > Policies
- Edit Project Policy
- Select Security Results Policy 2
- See Security Results Policy 2 confirmed for the project
- Go to MR and see erroneous Security Results Policy 1 still in force
- Open a new MR and see erroneous Security Results Policy 1 still in force
_In combination with #377309 (closed) this means I cannot reliably remove or change a project policy association currently._
Example Project
NA
What is the current bug behavior?
You can change the security policy and the project confirms the new association, but MRs keep enforcing the old policy's logic.
What is the expected correct behavior?
Whatever security policy is currently applied at the project level needs to be reflected in MRs and enforced.
Relevant logs and/or screenshots
Output of checks
This bug happens on GitLab.com
Results of GitLab environment info
NA
Results of GitLab application Check
NA
Possible fixes
- backend: Call Security::SyncScanPoliciesWorker when the policy project is updated or assigned for the first time
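The following is an added illustration of the proposed fix, not GitLab's own code. It is a small plain-Ruby stand-in in which a project materialises approval rules from its associated policy project and MRs copy those rules when they open; only the worker name mirrors the one named above, and every other class, method and sample policy is a hypothetical construction. It replays the reproduction steps with and without a sync on association change.

```ruby
# Added illustration, not GitLab's own code: a minimal stand-in for the fix
# proposed above (sync approval rules whenever the policy project association
# is created or changed). All names here are hypothetical except the worker
# name, which mirrors the one mentioned in the issue.

# A policy project carries a security results policy; for this model a policy
# reduces to the approval rule it generates on merge requests.
Policy = Struct.new(:name, :approvals_required)

# Constructed sample data: two policy projects, keyed by id.
POLICY_PROJECTS = {
  1 => Policy.new("Security Results Policy 1", 1),
  2 => Policy.new("Security Results Policy 2", 2)
}.freeze

# Stand-in for Security::SyncScanPoliciesWorker: rebuilds the project-level
# approval rules from the currently associated policy project and pushes them
# to every open MR, so nothing stale survives a switch.
module SyncScanPoliciesWorker
  def self.perform(project)
    policy = POLICY_PROJECTS.fetch(project.policy_project_id)
    rule = { name: policy.name, approvals_required: policy.approvals_required }
    project.approval_rules.replace([rule])
    project.merge_requests.each { |mr| mr.approval_rules.replace([rule.dup]) }
  end
end

class MergeRequest
  attr_reader :title, :approval_rules

  def initialize(title, approval_rules)
    @title = title
    @approval_rules = approval_rules # copied from the project when the MR opens
  end
end

class Project
  attr_reader :policy_project_id, :approval_rules, :merge_requests

  def initialize
    @policy_project_id = nil
    @approval_rules = []   # materialised rules; MRs copy these at creation
    @merge_requests = []
  end

  # Behaviour the issue reports: the association is updated and confirmed,
  # but nothing re-materialises the rules, so existing MRs keep the old rule
  # and new MRs copy the stale project-level rule.
  def assign_policy_project_without_sync(id)
    @policy_project_id = id
  end

  # Proposed fix: run the sync whenever the association is assigned for the
  # first time or changed. (perform is called inline instead of perform_async
  # so the example runs without a job queue.)
  def assign_policy_project(id)
    changed = @policy_project_id != id
    @policy_project_id = id
    SyncScanPoliciesWorker.perform(self) if changed
  end

  def open_merge_request(title)
    mr = MergeRequest.new(title, @approval_rules.map(&:dup))
    @merge_requests << mr
    mr
  end
end

# Replays the reproduction steps from the issue and returns the policy name in
# force on the pre-existing MR and on an MR opened after the switch.
def policy_names_after_switch(sync_on_change:)
  project = Project.new
  project.assign_policy_project_without_sync(1)
  # The sync that does happen today on other triggers (e.g. when the policy
  # itself is authored), which is why Policy 1 was enforced initially.
  SyncScanPoliciesWorker.perform(project)
  existing_mr = project.open_merge_request("MR with new finding")

  if sync_on_change
    project.assign_policy_project(2)
  else
    project.assign_policy_project_without_sync(2)
  end
  new_mr = project.open_merge_request("MR opened after switch")

  [existing_mr.approval_rules.first[:name], new_mr.approval_rules.first[:name]]
end

if __FILE__ == $PROGRAM_NAME
  p policy_names_after_switch(sync_on_change: false) # both MRs still on Policy 1
  p policy_names_after_switch(sync_on_change: true)  # both MRs on Policy 2
end
```

Without the sync on change, both the existing MR and the MR opened after the switch report Policy 1, which is the behaviour described in the steps above; with the sync triggered from the association change, both report Policy 2.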
Edited by Sashi Kumar Kumaresan