
SEP variables incorrectly assigned for multiple rule schedules


Summary

The SEP variables builder may not assign the correct policy variables in the case of multiple rule schedules.

Steps to reproduce

1. Create a new project, navigate to Secure > Policies and create two scan execution policies whose rule type is schedule. Example policy.yml:
scan_execution_policy:
- name: Periodic Policy A
  enabled: true
  rules:
  - type: schedule
    branch_type: default
    cadence: 0 0 * * *
  actions:
  - scan: secret_detection
- name: Periodic Policy B
  description: ''
  enabled: true
  rules:
  - type: schedule
    branch_type: default
    cadence: 0 0 * * *
  actions:
  - scan: container_scanning
approval_policy: []
2. Set a breakpoint in Variables::Builder::ScanExecutionPolicies:
diff --git a/ee/lib/ee/gitlab/ci/variables/builder/scan_execution_policies.rb b/ee/lib/ee/gitlab/ci/variables/builder/scan_execution_policies.rb
index c9d712a124c5..2b265ded830a 100644
--- a/ee/lib/ee/gitlab/ci/variables/builder/scan_execution_policies.rb
+++ b/ee/lib/ee/gitlab/ci/variables/builder/scan_execution_policies.rb
@@ -19,6 +19,8 @@ def variables(job_name)
               ::Gitlab::Ci::Variables::Collection.new.tap do |variables|
                 next variables unless enforce_scan_execution_policies_variables?(job_name)
 
+                binding.pry_shell
+
                 variables_for_job(job_name).each do |key, value|
                   variables.append(key: key, value: value.to_s)
                 end
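Review bot: the `binding.pry_shell` inserted after the `next variables unless enforce_scan_execution_policies_variables?(job_name)` guard is a reproduction aid only and must not be part of any merge request; also, because it sits below that guard it fires only for jobs for which policy variables are actually enforced, so if the breakpoint never triggers, confirm the project has an enforced scan execution policy configuration before concluding the code path is not reached.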
3. Manually execute the second rule schedule, the one that should run Container Scanning:
user = User.find(1)
project = Project.find(PROJECT_ID)
config = project.all_security_orchestration_policy_configurations.first
sched = config.rule_schedules.last

Security::SecurityOrchestrationPolicies::RuleScheduleService
  .new(project: project, current_user: user)
  .execute(sched)
4. At the breakpoint, job_name is container-scanning-0, but the hash returned by #active_scan_variables has no such key:
[1] pry(#<EE::Gitlab::Ci::Variables::Builder::ScanExecutionPolicies>)> active_scan_variables
=> {:"secret-detection-0"=>
  {"SECRET_DETECTION_HISTORIC_SCAN"=>"false",
   "SECRET_DETECTION_EXCLUDED_PATHS"=>""},
 :"container-scanning-1"=>{}}
[2] pry(#<EE::Gitlab::Ci::Variables::Builder::ScanExecutionPolicies>)> job_name
=> "container-scanning-0"
[3] pry(#<EE::Gitlab::Ci::Variables::Builder::ScanExecutionPolicies>)> active_scan_variables[job_name.to_sym]
=> nil

The keys mismatch because the builder indexes variables over all active scan actions across every policy (secret-detection-0, container-scanning-1), while the pipeline is created only for the subset of scan actions belonging to the specific rule schedule, whose jobs are indexed from zero (container-scanning-0).
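The following Ruby model reproduces the key mismatch described above and contrasts it with a variant that scopes the variables map to the policy whose schedule fired. It is an added illustration, not GitLab's code: the helper names (scan_variables_for, all_actions_variables, scheduled_policy_variables, lookup_job_variables), the DEFAULTS table and the policy YAML are constructed for the example, and the scoped variant shows one way to make the keys line up that is consistent with the explanation above, not necessarily what !182889 implements.

```ruby
require 'yaml'

# Constructed policy YAML mirroring the reproduction steps (two scheduled
# policies, one secret_detection action, one container_scanning action).
POLICY_YAML = <<~YAML
  scan_execution_policy:
  - name: Periodic Policy A
    enabled: true
    rules:
    - type: schedule
      branch_type: default
      cadence: 0 0 * * *
    actions:
    - scan: secret_detection
  - name: Periodic Policy B
    description: ''
    enabled: true
    rules:
    - type: schedule
      branch_type: default
      cadence: 0 0 * * *
    actions:
    - scan: container_scanning
YAML

# Per-scan-type default variables; constructed to match the values seen in the
# pry session, not taken from the product's real template definitions.
DEFAULTS = {
  'secret_detection' => {
    'SECRET_DETECTION_HISTORIC_SCAN' => 'false',
    'SECRET_DETECTION_EXCLUDED_PATHS' => ''
  },
  'container_scanning' => {}
}.freeze

# Enabled policies parsed from the YAML above.
def policies(yaml = POLICY_YAML)
  YAML.safe_load(yaml).fetch('scan_execution_policy').select { |p| p['enabled'] }
end

# Job name as the pipeline names it: scan type (dashes) plus a per-action index
# counted only over the actions that are being enqueued.
def job_name(action, index)
  "#{action['scan'].tr('_', '-')}-#{index}"
end

# Hypothetical helper: variables map keyed by job name over a list of actions.
# Policy-level variables override the scan-type defaults.
def scan_variables_for(actions)
  actions.each_with_index.with_object({}) do |(action, idx), vars|
    defaults = DEFAULTS.fetch(action['scan'], {})
    vars[job_name(action, idx).to_sym] = defaults.merge(action['variables'] || {})
  end
end

# Behaviour reported in the issue: the index runs across ALL active actions of
# ALL policies, producing secret-detection-0 and container-scanning-1.
def all_actions_variables(pols = policies)
  scan_variables_for(pols.flat_map { |p| p['actions'] })
end

# Scoped variant: only the actions of the policy whose schedule fired are
# indexed, so Policy B's pipeline gets container-scanning-0 as the pipeline does.
def scheduled_policy_variables(policy_name, pols = policies)
  policy = pols.find { |p| p['name'] == policy_name }
  raise ArgumentError, "unknown policy #{policy_name}" unless policy

  scan_variables_for(policy['actions'])
end

# Lookup as the builder does it: vars[job_name.to_sym], nil when the key is absent.
def lookup_job_variables(vars, job)
  vars[job.to_sym]
end

if __FILE__ == $PROGRAM_NAME
  p all_actions_variables
  p lookup_job_variables(all_actions_variables, 'container-scanning-0')
  p scheduled_policy_variables('Periodic Policy B')
end
```

Running the file prints the unscoped map with the mismatched container-scanning-1 key, a nil lookup for container-scanning-0, and the scoped map in which container-scanning-0 is present.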

Example Project

n/a

What is the current bug behavior?

Job variables incorrectly assigned

What is the expected correct behavior?

Job variables correctly assigned

Relevant logs and/or screenshots

n/a

Output of checks

Results of GitLab environment info

n/a

Results of GitLab application Check

n/a

Possible fixes/Implementation Plan

!182889

Edited by 🤖 GitLab Bot 🤖