BE - [License Approvals] - Extend Scan Result Policies to process License Approval Policies
Why are we doing this work
Currently we only process Scan Result Policies with the scan_finding rule type. In the scope of this issue we want to change this so that Scan Result Policies with the license_finding rule type are also supported. This requires code changes.
Currently License Approvals are configured in the project's Settings -> Merge Requests -> Merge request approvals, where you can specify branches, approvers and how many approvals are needed. Any additional software license policies are configured in the Security & Compliance -> License Compliance -> Policies tab (see https://gitlab.com/gitlab-org/gitlab/-/licenses#policies). With this feature we want to support both in one place, as a License Approval Policy under Scan Result Policies.
We want to work on this feature behind the existing feature flag (license_scanning_policies), so the policy is only processed when this feature flag is enabled for the project.
Relevant links
- Related issue with proposed format
- Epic
Non-functional requirements
- Documentation: documentation should be updated with the new type of Scan Result Policy after this feature is available to users.
- [-] Feature flag:
- [-] Performance:
- Testing:
Implementation plan
- backend: modify ee/app/models/concerns/security/scan_result_policy.rb with a method to delete the software license policies related to a given Security::OrchestrationPolicyConfiguration,
- backend: make sure the methods for deleting approval rules defined in ee/app/models/concerns/security/scan_result_policy.rb also work for license_finding approval rules,
- backend: modify the create_new_approval_rules method in ee/app/services/security/security_orchestration_policies/process_scan_result_policy_service.rb to support creating approval rules with the license_finding type,
- backend: add a method to create software_license_policies based on the license_finding scan_result_policy and call RefreshLicenseComplianceChecksWorker after creating them,
- backend: modify ee/app/services/software_license_policies/create_service.rb to allow skipping authorization and skipping the call to RefreshLicenseComplianceChecksWorker when it is called from ProcessScanResultPolicyService,
- backend: modify ee/app/workers/security/process_scan_result_policy_worker.rb to call delete_software_license_policies_for_project defined in the first step.
Verification steps
- Create a new project with a Gemfile/Gemfile.lock and a couple of gems included,
- Create a new .gitlab-ci.yml file and include the Security/License-Scanning.yml template,
- Wait for the pipeline to finish,
- Create a new Scan Result Policy (Security & Compliance -> Policies) and test a couple of scenarios:
  - License matching the selected license type, newly detected, and the license is included in a newly added dependency,
  - License matching the selected license type, newly detected, and the license is not included in a newly added dependency,
  - License matching the selected license type, pre-existing, and the license is included in a newly added dependency,
  - License matching the selected license type, pre-existing, and the license is not included in a newly added dependency,
  - License excluding the selected license type, newly detected, and the license is included in a newly added dependency,
  - License excluding the selected license type, newly detected, and the license is not included in a newly added dependency,
  - License excluding the selected license type, pre-existing, and the license is included in a newly added dependency,
  - License excluding the selected license type, pre-existing, and the license is not included in a newly added dependency,
- Test it also when the policy is defined at group level,
- Test it additionally when the policy is defined at group level and a new project is added to this group; check that approval rules are added to new MRs in this project.
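As an added example (not code from GitLab or from this issue), the following Ruby evaluator shows one way to decide, for a merge request, whether a license_finding rule requires approval under the scenario matrix in the verification steps above: inclusion vs. exclusion of the selected license types, newly detected vs. pre-existing license, and whether the dependency carrying the license is newly added. The rule fields license_types, match_on_inclusion and license_states (newly_detected, detected), the LicenseFinding struct and the sample findings are assumptions for the illustration, not the proposed format linked under Relevant links; in particular, whether a finding on a pre-existing dependency should count is only reported here, not used in the decision.

```ruby
require 'set'

# Assumed shape of a License Scanning finding: which dependency carries which license.
LicenseFinding = Struct.new(:dependency, :license, keyword_init: true)

# Findings selected by the rule. With match_on_inclusion only the listed license_types
# matter; without it every license that is NOT listed matters (the "excluding" scenarios).
def matching_findings(rule, findings)
  types = rule.fetch(:license_types).to_set
  findings.select do |f|
    listed = types.include?(f.license)
    rule.fetch(:match_on_inclusion) ? listed : !listed
  end
end

# Classify each matching finding on the MR's source branch against the target branch:
# :newly_detected when the license is absent from the target branch, :detected when it is
# pre-existing, plus whether the dependency carrying it is new to the project.
def classify_findings(rule, target_findings, source_findings)
  target_licenses = target_findings.map(&:license).to_set
  target_deps = target_findings.map(&:dependency).to_set
  matching_findings(rule, source_findings).map do |f|
    {
      dependency: f.dependency,
      license: f.license,
      state: target_licenses.include?(f.license) ? :detected : :newly_detected,
      new_dependency: !target_deps.include?(f.dependency)
    }
  end
end

# Approval is required when any matching finding is in one of the rule's license_states.
# new_dependency is reported for the scenario matrix but does not change the decision here.
def approval_required?(rule, target_findings, source_findings)
  states = rule.fetch(:license_states).map(&:to_sym).to_set
  classify_findings(rule, target_findings, source_findings).any? { |c| states.include?(c[:state]) }
end

# Constructed sample data (hypothetical gems and licenses).
TARGET_FINDINGS = [
  LicenseFinding.new(dependency: 'rake', license: 'MIT'),
  LicenseFinding.new(dependency: 'nokogiri', license: 'Apache-2.0')
].freeze

INCLUSION_RULE   = { license_types: ['GPL-3.0'], match_on_inclusion: true,  license_states: [:newly_detected] }.freeze
PREEXISTING_RULE = { license_types: ['MIT'],     match_on_inclusion: true,  license_states: [:detected] }.freeze
EXCLUSION_RULE   = { license_types: ['MIT', 'Apache-2.0'], match_on_inclusion: false, license_states: [:newly_detected] }.freeze

# Newly added dependency carrying a newly detected license.
SOURCE_NEW_DEP_NEW_LICENSE = (TARGET_FINDINGS + [LicenseFinding.new(dependency: 'gpl-gem', license: 'GPL-3.0')]).freeze
# Existing dependency whose license changed: newly detected license, no new dependency.
SOURCE_OLD_DEP_NEW_LICENSE = [LicenseFinding.new(dependency: 'rake', license: 'GPL-3.0'), TARGET_FINDINGS[1]].freeze
# Newly added dependency carrying a pre-existing license.
SOURCE_NEW_DEP_OLD_LICENSE = (TARGET_FINDINGS + [LicenseFinding.new(dependency: 'minitest', license: 'MIT')]).freeze

if __FILE__ == $PROGRAM_NAME
  [[INCLUSION_RULE, SOURCE_NEW_DEP_NEW_LICENSE],
   [INCLUSION_RULE, SOURCE_OLD_DEP_NEW_LICENSE],
   [PREEXISTING_RULE, SOURCE_NEW_DEP_OLD_LICENSE],
   [EXCLUSION_RULE, TARGET_FINDINGS]].each do |rule, source|
    puts "types=#{rule[:license_types].join(',')} inclusion=#{rule[:match_on_inclusion]} " \
         "states=#{rule[:license_states].join(',')} -> approval_required=#{approval_required?(rule, TARGET_FINDINGS, source)}"
  end
end
```

Running the file prints one line per rule/source pair; a rule with license_states [:detected] fires on every MR where the listed license is present, including MRs that touch no dependency at all, which is the behaviour to confirm against the real semantics when the "pre-existing" scenarios are verified.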