Multi pipeline scan result policy does not work with tag pipeline
Summary
Compare results from all pipelines related to c... (#379108 - closed) introduced logic that considers multiple pipelines for an MR's source and target branch, selected by pipeline source and by the SHA of the latest commit on each branch. However, if the repository contains a tag, the tag and the branch it was created from point at the same SHA, so the tag pipeline is also selected for comparison. A tag pipeline does not necessarily run the security scan job, which leads to an incorrect approval being enforced on the MR.
Steps to reproduce
- Create a project with security scan jobs that introduce vulnerabilities, and exclude the scan jobs from tag pipelines by adding:
  ```yaml
  except:
    - tags
  ```
- Create a scan result policy to enforce approval on newly detected vulnerabilities
- Create a tag and make sure that the security scan does not run for the tag pipeline.
- After the tag pipeline is complete, create an MR that does not introduce any new vulnerability (for example, update the README)
- Observe that the MR requires approval
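The selection flaw described in the summary and reproduced by the steps above, modelled as an added example (this is not GitLab's code, and the pipeline attributes, finding identifiers and helper names are constructed assumptions): when a tag points at the same commit as the target branch, picking the latest pipeline by SHA alone returns the tag pipeline, whose empty scan results make every finding in the MR pipeline look newly detected. Filtering out tag pipelines before the comparison restores the expected result.

```ruby
# Added example, not GitLab's implementation: a minimal model of how a scan
# result policy picks the pipelines it compares for an MR, and why matching on
# commit SHA alone lets a tag pipeline without the scan job into the comparison.

# Hypothetical pipeline record; only the attributes needed here are modelled.
Pipeline = Struct.new(:id, :sha, :ref, :tag, :security_findings, keyword_init: true)

# Constructed sample data: branch "main" and tag "v1.0" point at the same
# commit, so pipelines 1 and 2 share a SHA. Pipeline 2 ran for the tag with the
# scan job excluded (`except: - tags`), so it reports no findings at all.
# Pipeline 3 is the MR pipeline on the feature branch; it carries the same
# finding as main, i.e. the MR introduces nothing new.
PIPELINES = [
  Pipeline.new(id: 1, sha: "abc123", ref: "main", tag: false,
               security_findings: ["sample-finding-1"]),
  Pipeline.new(id: 2, sha: "abc123", ref: "v1.0", tag: true,
               security_findings: []),
  Pipeline.new(id: 3, sha: "def456", ref: "feature", tag: false,
               security_findings: ["sample-finding-1"]),
].freeze

# Pick the most recent pipeline that ran for the given commit SHA.
# exclude_tags: false reproduces the reported behaviour; true is the fix.
def latest_pipeline_for(pipelines, sha, exclude_tags:)
  candidates = pipelines.select { |p| p.sha == sha }
  candidates = candidates.reject(&:tag) if exclude_tags
  candidates.max_by(&:id)
end

# Findings present in the source pipeline but absent from the target pipeline.
# A target pipeline with no scan results makes everything look new.
def newly_detected_findings(pipelines, source_sha:, target_sha:, exclude_tags:)
  source = latest_pipeline_for(pipelines, source_sha, exclude_tags: exclude_tags)
  target = latest_pipeline_for(pipelines, target_sha, exclude_tags: exclude_tags)
  return [] if source.nil?

  target_findings = target ? target.security_findings : []
  source.security_findings - target_findings
end

# The policy enforces approval when any newly detected finding exists.
def approval_required?(pipelines, source_sha:, target_sha:, exclude_tags:)
  newly_detected_findings(pipelines, source_sha: source_sha,
                          target_sha: target_sha, exclude_tags: exclude_tags).any?
end

if __FILE__ == $PROGRAM_NAME
  [false, true].each do |exclude_tags|
    chosen = latest_pipeline_for(PIPELINES, "abc123", exclude_tags: exclude_tags)
    required = approval_required?(PIPELINES, source_sha: "def456",
                                  target_sha: "abc123", exclude_tags: exclude_tags)
    puts "exclude_tags=#{exclude_tags}: target pipeline ##{chosen.id} (#{chosen.ref}), " \
         "approval required: #{required}"
  end
end
```

With `exclude_tags: false` the target branch resolves to the tag pipeline (no findings), so the unchanged finding in the MR pipeline is reported as new and approval is required; with `exclude_tags: true` the branch pipeline is used and no approval is demanded, matching the expected behaviour.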
Example Project
MR: gitlab-org/govern/security-policies/sashis-test-group/test-419789!4
Tag pipeline: https://gitlab.com/gitlab-org/govern/security-policies/sashis-test-group/test-419789/-/pipelines/958123810
What is the current bug behavior?
- Tag pipeline is considered for comparison resulting in incorrect approval
What is the expected correct behavior?
- Tag pipeline should not be considered for comparison