Removing excluded projects from scan execution policy UI does not update YAML

Summary

When creating a scan execution policy, if you mark a project as excluded in the UI, it updates the YAML accordingly. However, if you change "except project" to "without exceptions" after excluding a project, the YAML is not updated to reflect this.

A GitLab Ultimate customer reported this issue via a ticket.

Steps to reproduce

  1. Create a scan execution policy in a group/subgroup (I created a default secret detection policy)
  2. Change without exceptions to except projects and select a project to exclude from the policy; notice the YAML updates, excluding this project
  3. Save the scan execution policy
  4. Edit the same scan execution policy
  5. Change except project to without exceptions, notice the YAML does not update and the project remains excluded
  6. Save the scan execution policy changes
  7. Edit the same scan execution policy again
  8. Notice that the change to without exceptions is not reflected in the UI and the YAML

Example Project

Public Group: https://gitlab.com/tloughlin_ultimate_group/public/public-example-organisation

Merge Request creating the policy and excluding py-app: tloughlin_ultimate_group/public/public-example-organisation/public-example-organisation-security-policy-project!1 (merged)

Merge Request editing the policy and changing except project to without exceptions: tloughlin_ultimate_group/public/public-example-organisation/public-example-organisation-security-policy-project!2 (Notice there are no changes in the MR! ^)

What is the current bug behavior?

Changing except project to without exceptions in the scan execution policy editor does not update the YAML accordingly and does not save changes. Users now have to modify the YAML directly, or alternatively they can uncheck each of the previously excluded projects before changing except project to without exceptions for the policy.

What is the expected correct behavior?

Changing this field in the UI should update the YAML accordingly.

Relevant logs and/or screenshots

Screenshot: shows how except project was changed to without exceptions, but the YAML still shows the excluded project.

Output of checks

This bug happens on GitLab.com

Edited by Thomas Loughlin
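
Until the editor is fixed, a project that the UI shows as covered can remain excluded from scanning, so it is worth checking the policy YAML itself. The following Ruby script is an added example, not part of the original report or GitLab's code: it parses a security policy project's `.gitlab/security-policies/policy.yml` and lists scan execution policies that still carry project exclusions. The sample YAML, the project id `101` and the function names are constructed for illustration.

```ruby
require "yaml"

# Constructed sample: policy.yml as it remains after step 6 of the report.
# The editor was set to "without exceptions", yet the exclusion is still
# present. The project id 101 is a placeholder.
SAMPLE_POLICY_YML = <<~POLICY
  scan_execution_policy:
  - name: Secret detection
    enabled: true
    policy_scope:
      projects:
        excluding:
        - id: 101
    rules:
    - type: pipeline
      branch_type: all
    actions:
    - scan: secret_detection
  - name: SAST everywhere
    enabled: true
    rules:
    - type: pipeline
      branch_type: all
    actions:
    - scan: sast
POLICY

# Returns { policy name => [excluded project ids] } for every scan execution
# policy whose policy_scope still lists excluded projects.
def excluded_projects_by_policy(yaml_text)
  doc = YAML.safe_load(yaml_text) || {}
  Array(doc["scan_execution_policy"]).each_with_object({}) do |policy, found|
    next unless policy.is_a?(Hash)
    excluding = policy.dig("policy_scope", "projects", "excluding")
    ids = Array(excluding).map { |e| e.is_a?(Hash) ? e["id"] : e }.compact
    found[policy["name"]] = ids unless ids.empty?
  end
end

# Returns exclusions found in the YAML that are not in the intended map
# ({ policy name => [project ids] }); an empty map means "without exceptions".
def stale_exclusions(yaml_text, intended = {})
  excluded_projects_by_policy(yaml_text).each_with_object({}) do |(name, ids), stale|
    extra = ids - Array(intended[name])
    stale[name] = extra unless extra.empty?
  end
end

if __FILE__ == $PROGRAM_NAME
  stale_exclusions(SAMPLE_POLICY_YML).each { |n, ids| puts "#{n}: still excludes #{ids.join(', ')}" }
end
```
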