Persist any_merge_request violation data
Why are we doing this work
In Add violation_data to scan_result_policy_violat... (#433390 - closed) we are adding a new `violation_data` column so that details about what caused a policy violation can be saved.
In this issue, we want to persist violation data for `any_merge_request` policies. To do so, `Security::ScanResultPolicies::SyncAnyMergeRequestRulesService` should be extended so that, whenever it evaluates a policy as violated, it also records the violation information instead of returning only the violated and unviolated policy ids.
Relevant links
Non-functional requirements
- Documentation: -
- Feature flag: these changes should be made behind a feature flag -
- Performance: -
- Testing:
Implementation plan
A rough diff:
diff --git a/ee/app/services/security/scan_result_policies/sync_any_merge_request_rules_service.rb b/ee/app/services/security/scan_result_policies/sync_any_merge_request_rules_service.rb
index 781dcb844a7878a3e5d1b3c5aa03a62e68506d66..4c82dc057913af205b7934949ff8be716b59fd6a 100644
--- a/ee/app/services/security/scan_result_policies/sync_any_merge_request_rules_service.rb
+++ b/ee/app/services/security/scan_result_policies/sync_any_merge_request_rules_service.rb
@@ -50,7 +50,14 @@ def evaluate_policy_violations(scan_result_policy_reads)
next false unless scan_result_policy_read.commits_any? ||
(scan_result_policy_read.commits_unsigned? && has_unsigned_commits)
- policy_affected_by_target_branch?(scan_result_policy_read)
+ violated = policy_affected_by_target_branch?(scan_result_policy_read)
+ if violated
+ violations.set_violation_data(scan_result_policy_read.id, {
+ violations: { commits: scan_result_policy_read.commits }
+ })
+ end
+
+ violated
end
[violated.pluck(:id), unviolated.pluck(:id)] # rubocop:disable CodeReuse/ActiveRecord
end
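Review bot: the block-local `violated` assigned on the `+ violated = policy_affected_by_target_branch?(scan_result_policy_read)` line shares its name with the outer `violated` collection consumed by `[violated.pluck(:id), unviolated.pluck(:id)]`; if that outer local is assigned from the expression this block belongs to, every iteration writes the same variable before the final result overwrites it, so rename the block-local (for example `affected`) to avoid the shadowing. Two follow-ups on the same hunk: `violations` is not defined anywhere in the visible lines, so please confirm it is initialised in the enclosing scope and that the collected data is actually persisted once `evaluate_policy_violations` returns only the id arrays; and the value stored by `violations.set_violation_data(scan_result_policy_read.id, { violations: { commits: scan_result_policy_read.commits } })` is the policy's configured commit mode, not the offending commit SHAs, so either document that in the column's schema or pick a key name that does not read like a list of commits.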
Verification steps
- Create a policy for "Any merge request"
- Create an MR that violates the policy (for example, by pushing an unsigned commit to the MR)
- Check that `violation_data` in the `scan_result_policy_violations` table contains the correct data for that policy
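The following is an added example, not GitLab code, that models the evaluation this issue extends so the shape of the persisted `violation_data` can be checked offline before running the verification steps above. `PolicyRead`, `Commit` and `ViolationsCollector` are hypothetical stand-ins for the `scan_result_policy_reads` rows, the MR's commits and the object that receives `set_violation_data`; the real service works against ActiveRecord models, and `affects_target_branch` stands in for `policy_affected_by_target_branch?`.

```ruby
# Added example (not GitLab code): stand-alone model of the any_merge_request
# violation evaluation. All classes and sample data below are constructed.
require 'json'

# One scan_result_policy_reads row. `commits` is the policy's configured mode
# ('any' or 'unsigned'); `affects_target_branch` replaces
# policy_affected_by_target_branch? (hypothetical stand-in).
PolicyRead = Struct.new(:id, :commits, :affects_target_branch, keyword_init: true) do
  def commits_any?
    commits == 'any'
  end

  def commits_unsigned?
    commits == 'unsigned'
  end
end

# A commit in the merge request; `signed` is what has_unsigned_commits is derived from.
Commit = Struct.new(:sha, :signed, keyword_init: true)

# Collects violation_data per policy read id, the way the jsonb column would be filled.
class ViolationsCollector
  attr_reader :data

  def initialize
    @data = {}
  end

  def set_violation_data(policy_read_id, payload)
    @data[policy_read_id] = payload
  end
end

# Mirrors evaluate_policy_violations: returns [violated_ids, unviolated_ids, violation_data].
# A policy is only a candidate when its commit rule matches the MR (any commit, or an
# unsigned commit when the MR actually carries one); it is violated only if it also
# affects the target branch, and only then is violation data recorded.
def evaluate_any_merge_request(policy_reads, mr_commits)
  has_unsigned_commits = mr_commits.any? { |commit| !commit.signed }
  violations = ViolationsCollector.new

  violated, unviolated = policy_reads.partition do |read|
    next false unless read.commits_any? || (read.commits_unsigned? && has_unsigned_commits)

    affected = read.affects_target_branch
    if affected
      violations.set_violation_data(read.id, { violations: { commits: read.commits } })
    end

    affected
  end

  [violated.map(&:id), unviolated.map(&:id), violations.data]
end

# Constructed sample: four policies, and an MR carrying one signed and one unsigned commit.
SAMPLE_POLICIES = [
  PolicyRead.new(id: 1, commits: 'any',      affects_target_branch: true),
  PolicyRead.new(id: 2, commits: 'unsigned', affects_target_branch: true),
  PolicyRead.new(id: 3, commits: 'unsigned', affects_target_branch: false),
  PolicyRead.new(id: 4, commits: 'any',      affects_target_branch: false)
].freeze

MIXED_COMMITS = [
  Commit.new(sha: 'aaaaaaa', signed: true),
  Commit.new(sha: 'bbbbbbb', signed: false)
].freeze

# Same MR with the unsigned commit signed: the 'unsigned' policies no longer apply.
SIGNED_ONLY_COMMITS = [Commit.new(sha: 'aaaaaaa', signed: true)].freeze

if __FILE__ == $PROGRAM_NAME
  violated, unviolated, data = evaluate_any_merge_request(SAMPLE_POLICIES, MIXED_COMMITS)
  puts "violated: #{violated.inspect}, unviolated: #{unviolated.inspect}"
  puts JSON.pretty_generate(data)
end
```

With the mixed commits, policies 1 and 2 are violated and get a `violation_data` entry, while 3 and 4 are unviolated because they do not affect the target branch; with only signed commits, policy 2 drops out before the target-branch check, so nothing is recorded for it. That second case is the one worth reproducing during verification, since it is where stale data from an earlier evaluation would show up if rows are not cleared.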
Edited by Martin Čavoj