For "schedule" type policies, only the last schedule type policy is running
Summary
Steps to reproduce
1. Create policies
```yaml
- description: ''
  enabled: true
  actions:
    - scan: secret_detection
      tags: []
    - scan: container_scanning
      tags: []
  rules:
    - type: schedule
      branches:
        - master
      cadence: 0 17 * * *
- description: ''
  enabled: true
  actions:
    - scan: sast
      tags: []
  rules:
    - type: schedule
      branches:
        - master
      cadence: 0 17 * * *
```
2. Based on this configuration, view a project inheriting these policies and observe that only the last policy in the `policy.yml` runs. In this case, SAST runs, but the container scanning and secret detection policy does not.
```yaml
scan_execution_policy:
  - name: SAST Scan Pipeline
    description: ''
    enabled: false
    rules:
      - type: pipeline
        branches:
          - master
    actions:
      - scan: sast
        tags: []
  - name: container-n-secrets
    description: ''
    enabled: true
    rules:
      - type: schedule
        branches:
          - master
        cadence: 0 17 * * *
    actions:
      - scan: secret_detection
        tags: []
      - scan: container_scanning
        tags: []
  - name: SAST Scan - Scheduled
    description: ''
    enabled: true
    rules:
      - type: schedule
        branches:
          - master
        cadence: 0 17 * * *
    actions:
      - scan: sast
        tags: []
```
As a test, we switched the order of the scan policies. It's worth noting this required directly editing the policy.yml file as modifying policies in the UI wouldn't allow you to re-order them.
When the secret and container scanning policy was ordered last, it ran properly, while the SAST scanner did not run.
A few common configuration errors were checked:
- Security project and the project inheriting the policies had proper branch configuration
- The Security Project had fewer than 5 policies, and the inheriting project (node-app) only has 3 policies inherited (2 enabled). I did notice a different project in the subgroup (spring-java-app) also had a security project enabled with 2 additional policies created (not enabled), for a total of 5 for this project. The behavior was the same for this project as well.
- The cron syntax used was the same for both policies and executed for one but not the other. It appears that in the past, when more policies were enabled, still only the last one ran.
Example Project
What is the current bug behavior?
The enabled policies are not running as expected.
What is the expected correct behavior?
All enabled policies should run.
Output of checks
Results of GitLab environment info
GitLab.com
Possible fixes
- backend: Update `update_policy_configuration` to delete schedules related to the configuration before calling `Security::SecurityOrchestrationPolicies::ProcessRuleService` - !114021 (merged)
diff --git a/ee/app/services/security/security_orchestration_policies/process_rule_service.rb b/ee/app/services/security/security_orchestration_policies/process_rule_service.rb
index 8f8f702df53e..2b8635ca9eea 100644
--- a/ee/app/services/security/security_orchestration_policies/process_rule_service.rb
+++ b/ee/app/services/security/security_orchestration_policies/process_rule_service.rb
@@ -10,7 +10,6 @@ def initialize(policy_configuration:, policy_index:, policy:)
end
def execute
- policy_configuration.delete_all_schedules
create_new_schedule_rules
end
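Review bot: dropping `policy_configuration.delete_all_schedules` from `execute` addresses the reported behaviour, since `ProcessRuleService` is built per `policy_index` and a delete inside `execute` wiped the schedules created for every earlier policy, leaving only the last one; but correctness now depends entirely on the caller deleting stale schedules exactly once before iterating over policies, and no spec change is visible in this hunk. Suggest a spec that runs `execute` for two schedule policies against one configuration and asserts both schedules exist afterwards, plus a short comment on `execute` stating that callers own schedule cleanup.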
diff --git a/ee/app/workers/concerns/update_orchestration_policy_configuration.rb b/ee/app/workers/concerns/update_orchestration_policy_configuration.rb
index e20a341920f4..825381d825f9 100644
--- a/ee/app/workers/concerns/update_orchestration_policy_configuration.rb
+++ b/ee/app/workers/concerns/update_orchestration_policy_configuration.rb
@@ -2,9 +2,9 @@
module UpdateOrchestrationPolicyConfiguration
def update_policy_configuration(configuration)
- unless configuration.policy_configuration_valid?
- configuration.delete_all_schedules
+ configuration.delete_all_schedules
+ unless configuration.policy_configuration_valid?
configuration.delete_scan_finding_rules
configuration.update!(configured_at: Time.current)
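Review bot: moving `configuration.delete_all_schedules` ahead of the `policy_configuration_valid?` check means every existing schedule for the configuration is dropped before any replacement is created, and nothing in the hunk ties the delete and the subsequent rule processing together in a transaction; if processing raises after the delete, the configuration is left with no schedules at all. Suggest wrapping the delete and the per-policy processing in a single transaction (or deleting only the schedules the new policies no longer define), and adding a spec that processes two enabled schedule policies and asserts both schedules exist afterwards.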
- Create a migration to restore `OrchestrationPolicyRuleSchedule`s for affected policies - !114337 (merged)
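To make the mechanism behind the first fix concrete, here is an added, constructed Ruby model (not GitLab's code; `PolicyConfiguration`, `process_rules` and `schedule_owners` are hypothetical stand-ins) contrasting the per-policy delete that !114021 removed with the single up-front delete in `update_policy_configuration` that replaced it:

```ruby
# Constructed model of the bug in this issue, not GitLab's own code: a
# configuration owns rule schedules, and a per-policy rule service creates
# one schedule for every "schedule" rule. All class and method names are
# hypothetical stand-ins for the real ones.
Schedule = Struct.new(:policy_index, :cadence)

class PolicyConfiguration
  attr_reader :policies, :schedules

  def initialize(policies)
    @policies = policies
    @schedules = []
  end

  def delete_all_schedules
    @schedules.clear
  end

  # Stand-in for ProcessRuleService#execute for one policy. Before !114021 the
  # service itself called delete_all_schedules first, so each call wiped the
  # schedules created for every earlier policy in the same configuration.
  def process_rules(policy_index, delete_first:)
    delete_all_schedules if delete_first
    policies[policy_index][:rules].each do |rule|
      @schedules << Schedule.new(policy_index, rule[:cadence]) if rule[:type] == 'schedule'
    end
  end
end

# Stand-in for update_policy_configuration: the fix deletes once, up front, then
# processes every enabled policy in order. Returns the indexes of policies that still own a schedule.
def schedule_owners(policies, fixed:)
  config = PolicyConfiguration.new(policies)
  config.delete_all_schedules if fixed
  policies.each_index do |index|
    next unless policies[index][:enabled]
    config.process_rules(index, delete_first: !fixed)
  end
  config.schedules.map(&:policy_index)
end

# Constructed policies mirroring the issue's policy.yml: one disabled pipeline
# policy and two enabled scheduled policies with the same cadence.
POLICIES = [
  { name: 'SAST Scan Pipeline', enabled: false, rules: [{ type: 'pipeline' }] },
  { name: 'container-n-secrets', enabled: true, rules: [{ type: 'schedule', cadence: '0 17 * * *' }] },
  { name: 'SAST Scan - Scheduled', enabled: true, rules: [{ type: 'schedule', cadence: '0 17 * * *' }] }
].freeze

puts "before fix: #{schedule_owners(POLICIES, fixed: false).inspect}" # => [2]
puts "after fix:  #{schedule_owners(POLICIES, fixed: true).inspect}"  # => [1, 2]
```

Only the last enabled policy keeps a schedule in the pre-fix ordering, which matches the observation that reordering `policy.yml` changed which scan ran.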