Security Policy incorrectly requiring approvers intermittently on project with multiple pipelines
Summary
This appears to be an intermittent bug in which the required approvers are not removed once the scan has completed, on pipelines that have a child pipeline.
Steps to reproduce
- Create a project A with the CI configuration below
Project A CI
```yaml
workflow:
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_PIPELINE_SOURCE == "schedule"
    - if: "$CI_COMMIT_BRANCH && $CI_OPEN_MERGE_REQUESTS"
      when: never
    - if: "$CI_COMMIT_BRANCH"
    - if: "$CI_COMMIT_TAG"

".defaults-all":
  rules:
    - if: $CI_PIPELINE_SOURCE == "push"
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_PIPELINE_SOURCE == "schedule"
    - if: "$CI_COMMIT_TAG"

stages:
  - build
  - deploy

build-job:
  stage: build
  script:
    - echo "Compiling the code..."

deploy:
  stage: deploy
  rules:
    - if: "$CI_COMMIT_BRANCH =~ /^release\\/.*$/"
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_PIPELINE_SOURCE == "schedule"
    - if: "$CI_COMMIT_TAG"
    - if: "$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH"
  trigger:
    project: [another child project]
    strategy: depend
    forward:
      yaml_variables: true
      pipeline_variables: false
```
- Add a scan result policy with the settings below to project A, changing `user_approvers_ids` and `branches` to match your own.
Project A: Security Policy Yaml
```yaml
type: scan_result_policy
name: No Python SAST issues
description: All SAST issues might be resolved.
enabled: true
actions:
  - type: require_approval
    approvals_required: 1
    user_approvers_ids:
      - [your_user_id]
rules:
  - type: scan_finding
    branches:
      - [default_branch]
    scanners:
      - sast
    vulnerabilities_allowed: 0
    severity_levels:
      - critical
      - high
      - medium
      - low
      - unknown
      - info
    vulnerability_states:
      - new_needs_triage
approval_settings:
  block_protected_branch_modification:
    enabled: false
```
- Create a child project with default settings (no security policy)
Project B
```yaml
workflow:
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_PIPELINE_SOURCE == "web"
    - if: $CI_PIPELINE_SOURCE == "pipeline"
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH

tests:
  stage: test
  script:
    - echo "test"

deploy:
  stage: deploy
  script: echo "Define your deployment script!"
  environment: production
```
- Enable Merged Results and Merge Trains in the Project Settings under Merge requests
- Remove "Prevent approval by author" in the merge request settings.
- Create a new branch and merge request.

A

The observation is that when the merged results pipeline starts, all approvers are required (this is normal), but once the security scans have completed, the security approvers become optional. This does not always occur, so you will need to repeat.
Example Project
What is the current bug behavior?
Security policy approvers are being required intermittently without a cause.
What is the expected correct behavior?
Security policy approvers should never be required if no vulnerabilities have been detected.
Relevant logs and/or screenshots
Output of checks
This bug happens on GitLab.com