Consider multiple pipelines for license approval policies
Why are we doing this work
Currently, license approval policies work by taking the latest 10 pipelines from the MR's target branch and selecting the latest pipeline with a dependency_scanning job for comparison. But if none of those 10 pipelines contains a dependency_scanning job, every license detected in the MR's source branch is considered newly detected and approvals are enforced.
Unlike scan_finding approval rules, license approval policies do not consider multiple pipelines for comparison, because the licenses detected in a non-default-branch pipeline are not persisted in the database; reading the JSON report from multiple pipelines can therefore cause severe performance issues.
As part of this issue, we want to change the pipeline-selection logic to consider the multiple latest completed pipelines for each source and use them to find a pipeline with a dependency scanning report.
Relevant links
Non-functional requirements
- Documentation: -
- Feature flag: -
- Performance: -
- Testing:
Implementation plan
- Update Security::ScanResultPolicies::UpdateLicenseApprovalsService to use Security::RelatedPipelinesFinder when target_branch_pipeline is empty
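Added example (not GitLab's code): a stand-alone Ruby model of the current and the proposed pipeline selection so the "10 scheduled pipelines hide the push pipeline" case from this issue can be reproduced offline. `Pipeline`, `current_target_pipeline`, `proposed_target_pipeline` and `newly_detected_licenses` are assumed names for illustration only; they are not the interfaces of Security::ScanResultPolicies::UpdateLicenseApprovalsService or Security::RelatedPipelinesFinder, and the "newest completed pipeline per source" rule is a simplification of what the finder would return.

```ruby
# Added, stand-alone example: models the pipeline-selection logic described in
# this issue with plain Ruby structs. All names below are assumptions made for
# illustration and are not the real service or finder interfaces.

Pipeline = Struct.new(:id, :source, :status, :jobs, :licenses, keyword_init: true) do
  # True when the pipeline ran a job that produces a dependency scanning report.
  def dependency_scanning?
    jobs.include?('dependency_scanning')
  end

  def complete?
    status == 'success'
  end
end

# Current behaviour: look at the 10 newest target-branch pipelines only and take
# the newest one that ran dependency_scanning. Returns nil when none of them did.
def current_target_pipeline(pipelines, limit: 10)
  pipelines.sort_by(&:id).reverse.first(limit).find(&:dependency_scanning?)
end

# Proposed behaviour (simplified): take the newest completed pipeline for each
# source (push, schedule, web, ...) so that a burst of scheduled pipelines cannot
# push the push pipeline out of the window, then pick the newest of those that
# carries a dependency scanning report.
def proposed_target_pipeline(pipelines)
  pipelines.select(&:complete?)
           .group_by(&:source)
           .values
           .map { |same_source| same_source.max_by(&:id) }
           .select(&:dependency_scanning?)
           .max_by(&:id)
end

# Licenses that trigger the policy: without a target pipeline to compare against,
# every license on the source branch counts as newly detected.
def newly_detected_licenses(source_licenses, target_pipeline)
  return source_licenses.dup if target_pipeline.nil?

  source_licenses - target_pipeline.licenses
end

# Constructed sample: one push pipeline with a dependency scanning report,
# followed by twelve scheduled pipelines that skipped the job (as in the
# verification steps of this issue). Licenses are constructed values.
TARGET_BRANCH_PIPELINES = [
  Pipeline.new(id: 1, source: 'push', status: 'success',
               jobs: %w[dummy_job dependency_scanning], licenses: ['MIT License']),
  *(2..13).map { |id|
    Pipeline.new(id: id, source: 'schedule', status: 'success',
                 jobs: %w[dummy_job], licenses: [])
  }
].freeze

# Constructed: the MR's source branch pipeline reports these licenses.
SOURCE_BRANCH_LICENSES = ['MIT License', 'Apache License 2.0'].freeze

def describe(label, target)
  name = target ? "pipeline ##{target.id}" : 'None'
  "#{label}: target=#{name} newly_detected=#{newly_detected_licenses(SOURCE_BRANCH_LICENSES, target)}"
end

if __FILE__ == $PROGRAM_NAME
  puts describe('current ', current_target_pipeline(TARGET_BRANCH_PIPELINES))
  puts describe('proposed', proposed_target_pipeline(TARGET_BRANCH_PIPELINES))
end
```

With this sample the current logic reports the target pipeline as None and flags both licenses as newly detected, which is the bot comment the verification steps below ask you to look for; the per-source selection finds pipeline #1 and flags only the license that is actually new. Raising `limit:` to 13 also finds pipeline #1, which shows that the fixed window, not the comparison itself, is what fails.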
Verification steps
- Create a project with a .gitlab-ci.yml that runs the dependency scanning job and makes the job not run for scheduled pipelines:

  include:
    - template: Security/Dependency-Scanning.gitlab-ci.yml

  dummy_job:
    script: exit 0

  gemnasium-dependency_scanning:
    rules:
      - if: $CI_PIPELINE_SOURCE == "schedule"
        when: never
      - if: $CI_PIPELINE_SOURCE == "push"
- Create a Gemfile.lock file with this content:

  GEM

  PLATFORMS
    arm64-darwin-22

  DEPENDENCIES

  BUNDLED WITH
     2.4.21

- Verify that the pipeline has a dependency_scanning job and does not produce any licenses
- Create a license approval policy to require approval on a newly detected license (MIT License):

  name: Newly detected licenses
  description: ''
  enabled: true
  actions:
    - type: require_approval
      approvals_required: 1
      role_approvers:
        - maintainer
    - type: send_bot_message
      enabled: true
  rules:
    - type: license_finding
      match_on_inclusion_license: true
      license_types:
        - MIT License
      license_states:
        - newly_detected
      branch_type: protected
  approval_settings:
    block_branch_modification: true
    prevent_pushing_and_force_pushing: true
    prevent_approval_by_author: true
    prevent_approval_by_commit_author: true
    remove_approvals_with_new_commit: true
    require_password_to_approve: false
  fallback_behavior:
    fail: closed
- Create a pipeline schedule from Build -> Pipeline Schedules and execute the schedule (click the Run pipeline schedule button) 10+ times
- Now create 2 MRs:
  - Update README.md
  - Add a dependency with MIT License:

    GEM
      remote: https://rubygems.org/
      specs:
        rack (3.0.4.1)

    PLATFORMS
      arm64-darwin-22

    DEPENDENCIES
      rack

    BUNDLED WITH
       2.4.22

- Verify that the policy violation bot comment has the target pipeline as None