Disabling scan result policy does not refresh MR approval rules

Summary

When a scan result policy that is the only policy for a project/group is disabled, the MRs that already have the approval rules applied are not refreshed.

Steps to reproduce

  • Create only 1 scan result policy for a project
  • Create MR that violates the policy and check if approval is required
  • Disable the policy
  • Verify in MR that the approval is not removed

Example Project

https://gitlab.com/gitlab-org/govern/security-policies/sashis-test-group/perf-test/-/merge_requests/3

What is the current bug behavior?

MR approvals are not refreshed after the policy is disabled

Policy (screenshot: Screenshot_2023-05-25_at_7.16.18_PM)

MR (screenshot: Screenshot_2023-05-25_at_7.17.01_PM)

What is the expected correct behavior?

MR approvals should be refreshed after the policy is disabled

Possible fixes

  • backend: Update Security::ProcessScanResultPolicyWorker to remove the early return if active_scan_result_policies are empty
diff --git a/ee/app/workers/security/process_scan_result_policy_worker.rb b/ee/app/workers/security/process_scan_result_policy_worker.rb
index 1a54935a3add..46e1e428deb2 100644
--- a/ee/app/workers/security/process_scan_result_policy_worker.rb
+++ b/ee/app/workers/security/process_scan_result_policy_worker.rb
@@ -17,7 +17,6 @@ def perform(project_id, configuration_id)
       return unless project && configuration
 
       active_scan_result_policies = configuration.active_scan_result_policies
-      return if active_scan_result_policies.empty?
 
       sync_policies(project, configuration, active_scan_result_policies)
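Review bot: with the `return if active_scan_result_policies.empty?` guard gone, `sync_policies(project, configuration, active_scan_result_policies)` is now reached with an empty collection whenever the last policy is disabled, so this only fixes the bug if `sync_policies` treats an empty desired set as "remove every policy-generated approval rule" rather than as a no-op; please confirm that path and add a spec that creates an MR under a single active policy, disables the policy, runs the worker and asserts the approval rule is gone. It is also worth checking that dropping the guard does not add work for projects that never had a scan result policy, since the worker now calls `sync_policies` for them on every run.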
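To make the failure mode behind the proposed fix concrete, here is an added Ruby example that is not GitLab's code: a deliberately simplified model of the worker's reconciliation step. `MergeRequest`, `ApprovalRule`, `sync_policies`, `process_with_early_return` and `process_fixed` are hypothetical names that stand in for the real worker; the point they demonstrate is that a reconcile-to-desired-state routine must run even when the desired set is empty, because an empty set is exactly the case that has to delete stale rules.

```ruby
# Added example, not GitLab code: a toy model of syncing MR approval rules
# from scan result policies. All names here are hypothetical simplifications.

# One approval rule generated from one policy.
ApprovalRule = Struct.new(:name, :policy_name)

# A merge request carrying the approval rules that policies generated for it.
class MergeRequest
  attr_reader :approval_rules

  def initialize(rules = [])
    @approval_rules = rules
  end
end

# Desired state: exactly one approval rule per active policy.
def rules_for(active_policies)
  active_policies.map { |p| ApprovalRule.new("#{p[:name]} approval", p[:name]) }
end

# Reconcile the MR with the desired state: drop rules whose policy is no
# longer active, add rules for policies that have none yet.
def sync_policies(mr, active_policies)
  desired = rules_for(active_policies)
  mr.approval_rules.reject! do |rule|
    desired.none? { |d| d.policy_name == rule.policy_name }
  end
  desired.each do |d|
    next if mr.approval_rules.any? { |r| r.policy_name == d.policy_name }
    mr.approval_rules << d
  end
  mr
end

# Buggy worker shape: the early return skips reconciliation when no policy is
# active, so rules created while a policy was active are never removed.
def process_with_early_return(mr, active_policies)
  return mr if active_policies.empty?

  sync_policies(mr, active_policies)
end

# Fixed worker shape: always reconcile; an empty active set removes stale rules.
def process_fixed(mr, active_policies)
  sync_policies(mr, active_policies)
end

# Constructed scenario from the issue: one policy, an MR created while it was
# active, then the policy is disabled. Returns [rules left by the buggy path,
# rules left by the fixed path].
def demo
  policy = { name: "critical-vulns" }
  mr = MergeRequest.new
  sync_policies(mr, [policy])          # MR picks up 1 approval rule
  no_active_policies = []              # the only policy has been disabled

  buggy = process_with_early_return(MergeRequest.new(mr.approval_rules.dup), no_active_policies)
  fixed = process_fixed(MergeRequest.new(mr.approval_rules.dup), no_active_policies)
  [buggy.approval_rules.size, fixed.approval_rules.size]
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

`demo` returns `[1, 0]`: the buggy path leaves the stale approval rule on the MR, the fixed path clears it. The same reconciliation also handles the partial case (two policies active, one disabled), which is why removing the guard rather than special-casing "no policies" is the cleaner shape for the fix.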
Edited by Sashi Kumar Kumaresan