Skip to content

Search only descendant groups when applicable

Alexander Turinskerequested to merge
378234-retrieve-descendant-groups into master

What does this MR do and why?

Describe in detail what your merge request does and why.

Search only descendant groups when applicable

  • use new setting to trigger to only search in descendant groups

Screenshots or screen recordings

Screenshots are required for UI changes, and strongly recommended for all other merge requests.

Status of :security_policy_global_group_approvers_enabled Policy Drawer Group Select
true Screenshot_2023-03-05_at_17.17.39 Screenshot_2023-03-05_at_17.19.55
false Screenshot_2023-03-05_at_17.19.07 Screenshot_2023-03-05_at_17.19.19

How to set up and validate locally

Numbered steps to set up and validate the change are strongly suggested.

  1. Disable the application setting, which is enabled by default: echo "Gitlab::CurrentSettings.update_attribute(:security_policy_global_group_approvers_enabled, false)" | rails c
  2. Create a new group nameless-bird
  3. Add any member to the group and assign the "Developer" role
  4. Create another top-level group purple-frog
  5. Create a new subgroup purple-frog/nameless-bird
  6. Add any other member to the subgroup and assign the "Developer" role
  7. Create a new project purple-frog/nameless-bird/example
  8. Within the project, navigate to Security & Compliance > Policies, click "New policy" and create a new Scan Result Policy:
type: scan_result_policy
name: Dependency Scanning
description: ''
enabled: true
rules:
  - type: scan_finding
    branches: []
    scanners:
      - dependency_scanning
    vulnerabilities_allowed: 0
    severity_levels:
      - critical
      - high
      - medium
      - low
      - unknown
      - info
    vulnerability_states:
      - newly_detected
      - detected
      - confirmed
      - dismissed
      - resolved
actions:
  - type: require_approval
    approvals_required: 1
    group_approvers: ["nameless-bird"]
  1. Within the project, navigate to Security & Compliance > Policies, click on the "Dependency Scanning" policy and verify that the sidebar lists only purple-frog/nameless-bird as approvers
  2. Create a new MR that adds Gemfile.lock with the following contents:
GEM
  remote: https://rubygems.org/
  specs:
    rack (0.1.0)

PLATFORMS
  x86_64-darwin-20

DEPENDENCIES
  rack (= 0.1.0)

BUNDLED WITH
   2.3.22
  1. Verify that the merge request approval rules lists members from purple-frog/nameless-bird, not the top-level nameless-bird

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #378234 (closed)

Edited by Alexander Turinske

Merge request reports