Clean-up orphaned scan finding approval rules
Summary
Based on the discussion from https://gitlab.slack.com/archives/CU9V380HW/p1667920847324899 (added copy as an internal note) we have found out that we still have Scan Finding Approval Rules in the database that do not have a Security Policy Project ID associated with them:
```ruby
[ gprd ] production> ApprovalProjectRule.scan_finding.where(security_orchestration_policy_configuration_id: nil).pluck(:project_id).uniq.count
=> 7
[ gprd ] production> ApprovalMergeRequestRule.scan_finding.where(security_orchestration_policy_configuration_id: nil).includes(:merge_request).map { |rule| rule.merge_request.target_project_id }.uniq.count
=> 131
```
This can cause validation errors for some customers (see #370808 (closed)). To fix it, we need to prepare migrations that remove the orphaned records from the database.
What is the current bug behavior?
There are records in the database in `approval_merge_request_rules` and `approval_project_rules` with `report_type = :scan_finding` and `security_orchestration_policy_configuration_id = NULL`.
What is the expected correct behavior?
There are no records in the database in `approval_merge_request_rules` and `approval_project_rules` with `report_type = :scan_finding` and `security_orchestration_policy_configuration_id = NULL`.
Records for projects without an associated `security_orchestration_policy_configuration_id` should be removed, and records for projects with an associated `security_orchestration_policy_configuration_id` should be updated.
Possible fixes
- backend: prepare a background migration to remove orphaned records (scan finding approval rules without `security_orchestration_policy_configuration_id` assigned, where there is no Security Policy Project assigned to the project associated with the given approval rule),
- backend: prepare a background migration to execute `Security::ProcessScanResultPolicyWorker` for approval rules without `security_orchestration_policy_configuration_id` assigned, where there is a Security Policy Project assigned to the project associated with the given approval rule.
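The two-way split above (delete when the project has no Security Policy Project, re-sync when it has one) is easy to get wrong for merge request rules, which reach their project only through `merge_request.target_project_id`. The following is an added example, not GitLab's migration code: it models the classification in plain Ruby structs so it runs offline without ActiveRecord. The struct names mirror the models named on this page but are stand-ins, the sample data is constructed, and it assumes the policy configuration is read from the project itself (group-inherited configurations are not modelled).

```ruby
# Added example, not GitLab's migration code. Models the clean-up decision from
# "Possible fixes" with plain Ruby structs so it runs without a database.
SCAN_FINDING = :scan_finding

# Stand-ins for the real models (assumption: only the columns used here).
Project = Struct.new(:id, :security_orchestration_policy_configuration_id, keyword_init: true)
MergeRequest = Struct.new(:id, :target_project_id, keyword_init: true)
ApprovalProjectRule = Struct.new(:id, :project_id, :report_type,
                                 :security_orchestration_policy_configuration_id, keyword_init: true)
ApprovalMergeRequestRule = Struct.new(:id, :merge_request_id, :report_type,
                                      :security_orchestration_policy_configuration_id, keyword_init: true)

# The bug condition from the issue: report_type = scan_finding and no policy configuration id.
def orphaned?(rule)
  rule.report_type == SCAN_FINDING && rule.security_orchestration_policy_configuration_id.nil?
end

# Project rules carry project_id directly; MR rules resolve through the merge
# request's target project, exactly as the console query on this page does.
def project_id_for(rule, merge_requests_by_id)
  case rule
  when ApprovalProjectRule then rule.project_id
  when ApprovalMergeRequestRule then merge_requests_by_id.fetch(rule.merge_request_id).target_project_id
  end
end

# Returns the rule ids to delete (project has no Security Policy Project) and the
# distinct project ids whose rules should be re-synced by the policy worker instead.
def plan_cleanup(project_rules:, mr_rules:, merge_requests:, projects:)
  mrs_by_id = merge_requests.to_h { |mr| [mr.id, mr] }
  config_by_project = projects.to_h { |p| [p.id, p.security_orchestration_policy_configuration_id] }

  plan = { delete_project_rule_ids: [], delete_mr_rule_ids: [], reprocess_project_ids: [] }

  (project_rules + mr_rules).select { |r| orphaned?(r) }.each do |rule|
    pid = project_id_for(rule, mrs_by_id)
    if config_by_project[pid].nil?
      key = rule.is_a?(ApprovalProjectRule) ? :delete_project_rule_ids : :delete_mr_rule_ids
      plan[key] << rule.id
    else
      plan[:reprocess_project_ids] << pid
    end
  end
  plan[:reprocess_project_ids].uniq!
  plan
end

# Constructed sample data (not production records).
SAMPLE_PROJECTS = [
  Project.new(id: 1, security_orchestration_policy_configuration_id: nil), # no policy project
  Project.new(id: 2, security_orchestration_policy_configuration_id: 10)   # has a policy project
]
SAMPLE_MRS = [
  MergeRequest.new(id: 100, target_project_id: 1),
  MergeRequest.new(id: 101, target_project_id: 2)
]
SAMPLE_PROJECT_RULES = [
  ApprovalProjectRule.new(id: 1, project_id: 1, report_type: SCAN_FINDING, security_orchestration_policy_configuration_id: nil),
  ApprovalProjectRule.new(id: 2, project_id: 2, report_type: SCAN_FINDING, security_orchestration_policy_configuration_id: nil),
  ApprovalProjectRule.new(id: 3, project_id: 2, report_type: SCAN_FINDING, security_orchestration_policy_configuration_id: 10), # healthy
  ApprovalProjectRule.new(id: 4, project_id: 1, report_type: :code_coverage, security_orchestration_policy_configuration_id: nil) # other type
]
SAMPLE_MR_RULES = [
  ApprovalMergeRequestRule.new(id: 50, merge_request_id: 100, report_type: SCAN_FINDING, security_orchestration_policy_configuration_id: nil),
  ApprovalMergeRequestRule.new(id: 51, merge_request_id: 101, report_type: SCAN_FINDING, security_orchestration_policy_configuration_id: nil)
]

def sample_plan
  plan_cleanup(project_rules: SAMPLE_PROJECT_RULES, mr_rules: SAMPLE_MR_RULES,
               merge_requests: SAMPLE_MRS, projects: SAMPLE_PROJECTS)
end

p sample_plan if __FILE__ == $PROGRAM_NAME
```

Only rules that match both conditions are touched: the healthy rule (id 3) and the non-scan-finding rule (id 4) are left alone, the two rules on project 1 are scheduled for deletion, and project 2 is queued once for re-processing even though it has two orphaned rules. In a real batched migration the same decision would be made per batch against the joined tables rather than against in-memory arrays.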