License approval rules not properly applied for non-default branch MRs
Summary
License approval policies can be created through scan approval policies for specific or all protected branches. The approval rules configured through the policy should be applied only to MRs that target those protected branches. License approval rules do not work properly for MRs that target a non-default branch, because the rules consider only the licenses found in the default branch.
Steps to reproduce
- Create a new project with a Gemfile/Gemfile.lock and a couple of gems included
- Create a new `.gitlab-ci.yml` file and include the `Security/License-Scanning.yml` template
- Wait for the pipeline to finish
- Create a new License approval policy (Security & Compliance -> Policies) and apply it to a protected branch
- Create an MR that adds a new dependency, targeting the protected branch mentioned in the policy
Example Project
- Project: https://gitlab.com/bala.kumar/license-approval-policies-test-cases
- MR: bala.kumar/license-approval-policies-test-cases!3
What is the current bug behavior?
- Approval rules do not consider the licenses in the protected (target) branch; instead they check against the licenses in the default branch
What is the expected correct behavior?
- Approval rules should consider the licenses in the protected (target) branch, not the licenses in the default branch
Implementation Plan
- backend: Update `Security::SyncLicenseScanningRulesService` to use the base branch report of the MR instead of `default_branch_report`
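The following Ruby snippet is an added illustration of why the baseline report matters; it is constructed example code, not GitLab's `Security::SyncLicenseScanningRulesService`, and the license names, reports and denied-license policy are made-up sample data.

```ruby
require 'set'

# Constructed policy: an approval rule fires when the MR newly introduces
# one of these licenses. Names are sample SPDX identifiers, not from the issue.
DENIED_LICENSES = Set['GPL-3.0', 'LGPL-2.1'].freeze

# Licenses present in the MR pipeline's report but absent from the baseline.
def newly_introduced(baseline_report, mr_report)
  mr_report - baseline_report
end

# Newly introduced licenses that the policy denies; empty means no rule fires.
def flagged_licenses(baseline_report, mr_report, denied = DENIED_LICENSES)
  newly_introduced(baseline_report, mr_report) & denied
end

# Behaviour described in the issue: the baseline is always the default branch.
def flagged_against_default(default_branch_report, mr_report)
  flagged_licenses(default_branch_report, mr_report)
end

# Behaviour asked for in the implementation plan: the baseline is the MR's
# base (target) branch report.
def flagged_against_target(target_branch_report, mr_report)
  flagged_licenses(target_branch_report, mr_report)
end

# Constructed reports for one MR targeting a protected release branch.
# GPL-3.0 was accepted on the default branch earlier; the release branch
# never had it but does carry LGPL-2.1.
DEFAULT_BRANCH_REPORT = Set['MIT', 'Apache-2.0', 'GPL-3.0'].freeze
TARGET_BRANCH_REPORT  = Set['MIT', 'Apache-2.0', 'LGPL-2.1'].freeze
MR_PIPELINE_REPORT    = Set['MIT', 'Apache-2.0', 'LGPL-2.1', 'GPL-3.0'].freeze

if __FILE__ == $PROGRAM_NAME
  # Default-branch baseline: flags LGPL-2.1, which the target already had
  # (false alarm), and misses GPL-3.0, which the MR actually introduces.
  p flagged_against_default(DEFAULT_BRANCH_REPORT, MR_PIPELINE_REPORT).to_a
  # Target-branch baseline: flags exactly the license the MR adds.
  p flagged_against_target(TARGET_BRANCH_REPORT, MR_PIPELINE_REPORT).to_a
end
```

With the default-branch baseline the gate both misses the license the MR introduces and flags one the target branch already carried; with the target-branch baseline only the genuinely new license is flagged.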
Edited by Sashi Kumar Kumaresan