
Consider multiple pipelines for license approval policies

Why are we doing this work

Currently, license approval policies work by taking the latest 10 pipelines from the MR's target branch and selecting the latest one that has a dependency_scanning job for comparison. If none of those 10 pipelines has a dependency_scanning job, every license detected in the MR's source branch is treated as newly detected and approvals are enforced.

Unlike scan_finding approval rules, license approval policies do not consider multiple pipelines for comparison, because licenses detected in a non-default branch pipeline are not persisted in the database. Reading the JSON report from multiple pipelines could therefore cause severe performance issues.

As part of this issue, we want to change the pipeline selection logic to consider the latest completed pipelines for each pipeline source, and use them to find a pipeline with a dependency scanning report.
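The difference between the two selection strategies, as an added illustration that is not GitLab's own code: a plain Ruby model of the target branch's pipeline list, with the current "latest 10 regardless of source" lookup beside the proposed "latest completed pipelines per source" lookup. The Pipeline struct, the job-name check used as a stand-in for "has a dependency scanning report", the completed-status list and the per-source window size are all assumptions made for this example; the sample data (one push pipeline followed by a dozen scheduled ones) mirrors the verification steps below and is constructed.

```ruby
# Added illustration (not GitLab's code): models the two pipeline-selection
# strategies described in the issue on constructed sample data.
#
# Assumptions (hypothetical, for this example only):
#   - a pipeline is a Struct with id, source, status and its job names
#   - "has a dependency scanning report" is approximated by the presence of a
#     job named "gemnasium-dependency_scanning"
#   - "completed" means the status is one of the COMPLETED_STATUSES below
#   - the per-source window is LIMIT_PER_SOURCE pipelines

Pipeline = Struct.new(:id, :source, :status, :job_names, keyword_init: true)

DS_JOB = "gemnasium-dependency_scanning"
COMPLETED_STATUSES = %w[success failed canceled skipped].freeze
LIMIT_PER_SOURCE = 10 # hypothetical window size per source

def has_ds_report?(pipeline)
  pipeline.job_names.include?(DS_JOB)
end

# Current behaviour: look at the newest `n` target-branch pipelines, whatever
# their source, and take the newest one with a DS report (nil if none).
def latest_n_with_ds(pipelines, n = 10)
  pipelines.sort_by { |p| -p.id }.first(n).find { |p| has_ds_report?(p) }
end

# Proposed behaviour: take the newest completed pipelines per source, then
# pick the newest among those that has a DS report (nil if none).
def latest_per_source_with_ds(pipelines, limit: LIMIT_PER_SOURCE)
  candidates = pipelines
    .select { |p| COMPLETED_STATUSES.include?(p.status) }
    .group_by(&:source)
    .flat_map { |_source, ps| ps.sort_by { |p| -p.id }.first(limit) }

  candidates.sort_by { |p| -p.id }.find { |p| has_ds_report?(p) }
end

# Constructed sample: one push pipeline that ran DS, followed by twelve
# scheduled pipelines where the DS job was skipped (as in the CI config below).
def sample_target_branch_pipelines
  push = [Pipeline.new(id: 100, source: "push", status: "success",
                       job_names: ["dummy_job", DS_JOB])]
  scheduled = (101..112).map do |id|
    Pipeline.new(id: id, source: "schedule", status: "success",
                 job_names: ["dummy_job"])
  end
  push + scheduled
end

# Edge case: a newer push pipeline that is still running must not be chosen,
# because its report is not complete yet; the older finished one is used.
def sample_with_running_push
  sample_target_branch_pipelines + [
    Pipeline.new(id: 113, source: "push", status: "running",
                 job_names: ["dummy_job", DS_JOB])
  ]
end

if $PROGRAM_NAME == __FILE__
  pipelines = sample_target_branch_pipelines
  puts "latest-10 lookup:   #{(latest_n_with_ds(pipelines)&.id).inspect}"
  puts "per-source lookup:  #{(latest_per_source_with_ds(pipelines)&.id).inspect}"
  puts "with running push:  #{(latest_per_source_with_ds(sample_with_running_push)&.id).inspect}"
end
```

With twelve scheduled pipelines on top, the latest-10 lookup never reaches the push pipeline and returns nil, which is exactly the situation that makes every license in the MR look newly detected; the per-source lookup still finds pipeline 100, and skips the running pipeline 113 because it is not completed.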

Relevant links

Non-functional requirements

  • Documentation:
  • Feature flag:
  • Performance:
  • Testing:

Implementation plan

  • Update Security::ScanResultPolicies::UpdateLicenseApprovalsService to use Security::RelatedPipelinesFinder when target_branch_pipeline is empty

Verification steps

  • Create a project with a .gitlab-ci.yml that runs the dependency scanning job, but skips it for scheduled pipelines:
include:
  - template: Security/Dependency-Scanning.gitlab-ci.yml

dummy_job:
  script: exit 0

gemnasium-dependency_scanning:
  rules:
    - if: $CI_PIPELINE_SOURCE == "schedule"
      when: never
    - if: $CI_PIPELINE_SOURCE == "push"
  • Create a Gemfile.lock file with this content (no dependencies):
GEM

PLATFORMS
  arm64-darwin-22

DEPENDENCIES

BUNDLED WITH
   2.4.21
  • Verify that the pipeline has a dependency_scanning job and that it does not report any licenses
  • Create a license approval policy that requires approval for a newly detected license (MIT License):
name: Newly detected licenses
description: ''
enabled: true
actions:
- type: require_approval
  approvals_required: 1
  role_approvers:
  - maintainer
- type: send_bot_message
  enabled: true
rules:
- type: license_finding
  match_on_inclusion_license: true
  license_types:
  - MIT License
  license_states:
  - newly_detected
  branch_type: protected
approval_settings:
  block_branch_modification: true
  prevent_pushing_and_force_pushing: true
  prevent_approval_by_author: true
  prevent_approval_by_commit_author: true
  remove_approvals_with_new_commit: true
  require_password_to_approve: false
fallback_behavior:
  fail: closed
  • Create a pipeline schedule from Build -> Pipeline Schedules and run it (click the Run pipeline schedule button) 10 or more times, so that none of the 10 most recent target-branch pipelines has a dependency_scanning job
  • Now create 2 MRs:
    • Update README.md
    • Add a dependency with the MIT License by changing Gemfile.lock to:
GEM
  remote: https://rubygems.org/
  specs:
    rack (3.0.4.1)

PLATFORMS
  arm64-darwin-22

DEPENDENCIES
  rack

BUNDLED WITH
   2.4.22
  • Verify that the policy violation bot comment shows the target pipeline as None
Edited by Sashi Kumar Kumaresan