Approval policy rules with pre-existing states should not create unenforceable notification

Why are we doing this work

Currently we're triggering a policy bot comment for unenforceable rules via UnenforceablePolicyRulesNotificationService to display configuration errors to the user. These are based on missing scans in the pipeline.

Pre-existing policy rules are evaluated separately and don't require pipeline to be evaluated. We shouldn't include them in this evaluation, otherwise they conflict with the SyncPreexistingStatesApprovalRulesWorker and cause approvals to be reset, even if there is no policy violation of the pre-existing rules.

Relevant links

• https://gitlab.com/gitlab-com/dev-sub-department/section-dev-request-for-help/-/issues/333
• https://gitlab.zendesk.com/agent/tickets/580426

Non-functional requirements

• Documentation:
• Feature flag:
• Performance:
• Testing:

Implementation plan

• Filter the approval rules in UnenforceablePolicyRulesNotificationService to only take into consideration ones which include newly detected vulnerability states

Verification steps

1. Create a project
2. Create a scan_finding policy which only targets pre-existing vulnerabilities:

   type: approval_policy
   name: Security Approval
   description: ''
   enabled: true
   rules:
     - type: scan_finding
       scanners: []
       vulnerabilities_allowed: 0
       severity_levels:
         - high
         - critical
       vulnerability_states:
         - confirmed
         - detected
       branch_type: protected
     - type: scan_finding
       scanners: []
       vulnerabilities_allowed: 0
       severity_levels:
         - medium
       vulnerability_states:
         - confirmed
         - detected
       branch_type: protected
   actions:
     - type: require_approval
       approvals_required: 1
       role_approvers:
         - developer
     - type: send_bot_message
       enabled: true
   approval_settings:
     block_branch_modification: false
     prevent_pushing_and_force_pushing: false
     prevent_approval_by_author: false
     prevent_approval_by_commit_author: false
     remove_approvals_with_new_commit: false
     require_password_to_approve: false
   fallback_behavior:
     fail: closed
   

3. Create a .gitlab-ci.yml with a simple job and don't include any security scanners:

   project-job:
     stage: test
     script:
       - 'sleep 10 && echo "Test"'

4. Update README.md
5. Verify that MR is not blocked by the policy rules