Use parent-child pipelines for scan result policy comparison
Why are we doing this work
Currently, when enforcing approvals through a scan result policy, we don't consider parent-child pipelines in either the source or the target branch. The security MR widget, however, does use results from parent-child pipelines, which causes inconsistencies between what the widget shows and what the policy enforces. As part of this issue we want to include parent-child pipelines in the SRP comparison too.
Relevant links
Non-functional requirements
- Documentation:
- Feature flag:
  - Create the scan_result_policy_parent_child_pipeline feature flag and implement the changes behind the feature flag
- Performance:
- Testing:
Implementation plan
- backend Update Security::ScanResultPolicies::UpdateApprovalsService#related_pipeline_sources to include the parent_pipeline source too
- backend Update Security::RelatedPipelinesFinder to use Ci::Pipeline#self_and_project_descendants
- Add the changes behind a feature flag. This way we can capture any performance issues caused by a large number of child pipelines before enabling the behaviour everywhere.
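As an added illustration (not GitLab's code), the Ruby below models the two implementation-plan changes on a constructed pipeline tree: a child pipeline reports a finding that the policy only sees once descendants and the parent_pipeline source are included. The Pipeline struct and method names are hypothetical and only mirror the GitLab names above.

```ruby
# Constructed sample data and hypothetical names; an illustration of the
# proposed logic, not GitLab's implementation.
Pipeline = Struct.new(:id, :source, :findings, :children) do
  # Mirrors the idea of Ci::Pipeline#self_and_project_descendants: the pipeline
  # itself followed by every descendant pipeline in the same project.
  def self_and_project_descendants
    [self] + children.flat_map(&:self_and_project_descendants)
  end
end

# Constructed tree: the top-level MR pipeline runs no scanner; the security
# scan runs only in a child pipeline (source "parent_pipeline") and reports
# one new finding (placeholder identifier).
def build_sample_tree
  child = Pipeline.new(2, "parent_pipeline", ["finding-placeholder-1"], [])
  Pipeline.new(1, "merge_request_event", [], [child])
end

# Pipeline sources whose results count for the policy. With the flag on,
# "parent_pipeline" (the source of child pipelines) is added, as proposed for
# UpdateApprovalsService#related_pipeline_sources.
def related_pipeline_sources(parent_child_enabled:)
  sources = %w[push merge_request_event]
  sources << "parent_pipeline" if parent_child_enabled
  sources
end

# Pipelines the policy comparison looks at. Without the flag only the
# top-level pipeline is considered (the current, inconsistent behaviour);
# with it, descendants are included and then filtered by source.
def related_pipelines(root, parent_child_enabled:)
  candidates = parent_child_enabled ? root.self_and_project_descendants : [root]
  allowed = related_pipeline_sources(parent_child_enabled: parent_child_enabled)
  candidates.select { |pipeline| allowed.include?(pipeline.source) }
end

def newly_detected_findings(root, parent_child_enabled:)
  related_pipelines(root, parent_child_enabled: parent_child_enabled)
    .flat_map(&:findings).uniq
end

# A "require approval when a new vulnerability is detected" policy fires only
# if at least one finding is visible to the comparison.
def approval_required?(root, parent_child_enabled:)
  newly_detected_findings(root, parent_child_enabled: parent_child_enabled).any?
end
```

With the flag off the child's finding is invisible and no approval is required, which is exactly the mismatch with the MR widget the issue describes.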
Verification steps
- Create a new project (reference project: https://gitlab.com/gitlab-org/govern/security-policies/sashis-test-group/test-child-pipeline-2) without any already existing vulnerabilities and create a parent-child pipeline configuration
- Enable the approval_policy_parent_child_pipeline feature flag for the project
- Create a scan result policy to require approval when a new vulnerability is detected
- Create a new MR targeting the default branch and make a child pipeline introduce a new vulnerability
- Verify that the MR widget shows the new vulnerability and that approval is required
Edited by Sashi Kumar Kumaresan