Incorrect policy index persisted in scan_result_policies table
Summary
- When multiple security policies exist in a policy project and some are scoped to specific projects, we store incorrect index values in the `scan_result_policies` table.
- This occurs because `ProcessScanResultPolicyWorker` and `applicable_scan_result_policies_with_real_index` handle indices in reverse order.
- As a result, when looking up policies using the stored index in `SyncAnyMergeRequestRulesService`, we retrieve the wrong policy.
- When a project has multiple inherited policies (from different policy projects), the policy lookup in `SyncAnyMergeRequestRulesService` works incorrectly, because the lookup happens across all the policies that the project inherits; it should instead look up the policies within each policy project.
- For example: if a project has 2 policies from policy project A and 2 policies from policy project B, `active_policies` would contain all 4 policies, and each of the `scan_result_policy_reads` rows would have a policy_index of 0 or 1. So for policies from policy project B, we would look up the policies from policy project A.
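The two index mistakes described above, as an added Ruby illustration (hypothetical method names and constructed policy data, not GitLab's own code): a persisted index is only safe when it is the policy's real position in its policy project's file and is resolved within that same policy project.

```ruby
# Constructed policy projects (hypothetical data). `scope` lists the
# project ids a policy applies to; nil means it applies to every project
# inheriting the policy project.
POLICY_PROJECT_A = [
  { name: 'A-only-project-9',   scope: [9] },
  { name: 'A-require-approval', scope: nil },
  { name: 'A-block-secrets',    scope: nil },
]
POLICY_PROJECT_B = [
  { name: 'B-require-approval', scope: nil },
  { name: 'B-license-check',    scope: [7] },
]
POLICY_PROJECTS = { a: POLICY_PROJECT_A, b: POLICY_PROJECT_B }

def applicable?(policy, project_id)
  policy[:scope].nil? || policy[:scope].include?(project_id)
end

# Buggy: filter first, then number the survivors. For project 7 this
# stores index 0 for 'A-require-approval' although it sits at position 1
# in the policy file, so a later lookup by index lands on another policy.
def applicable_with_filtered_index(policies, project_id)
  policies.select { |p| applicable?(p, project_id) }
          .each_with_index.map { |p, i| [p[:name], i] }
end

# Fixed: number every policy by its position in the file, then filter,
# so the persisted index always points back to the same policy.
def applicable_with_real_index(policies, project_id)
  policies.each_with_index
          .select { |p, _| applicable?(p, project_id) }
          .map { |p, i| [p[:name], i] }
end

# Lookup side. A stored read carries the policy project it came from;
# indexing the concatenated list of all inherited policies instead of
# that project's own list returns a policy from the wrong policy project.
def lookup_unscoped(policy_projects, read)
  policy_projects.values.flatten[read[:policy_index]][:name]
end

def lookup_scoped(policy_projects, read)
  policy_projects.fetch(read[:policy_project])[read[:policy_index]][:name]
end
```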