
Fix policy bot comment for competing approval rules

What does this MR do and why?

This MR fixes an incorrect policy bot comment in certain situations. With the feature flag security_policies_sync_preexisting_state enabled and two active policies, one targeting previously existing vulnerabilities and one targeting newly detected ones, the bot message could be wrong because of a race condition between the two policies sharing the same rule type (scan_finding).

Related to #425482 (closed).

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

How to set up and validate locally

  1. Ensure that the feature flag security_policies_sync_preexisting_state is enabled. In the Rails console, run:
    Feature.enable(:security_policies_sync_preexisting_state)
  2. Add the following .gitlab-ci.yml to the project:
    include:
      - template: Security/Container-Scanning.gitlab-ci.yml
      - template: Security/Secret-Detection.gitlab-ci.yml

    job:
      script: echo 'test'

    container_scanning:
      variables:
        CS_IMAGE: 'citizenstig/dvwa:latest'
  3. Go to Secure -> Policies and create two Merge request approval policies.
  4. First policy targeting new vulnerabilities:
    type: approval_policy
    name: New vulnerabilities
    description: ''
    enabled: true
    rules:
      - type: scan_finding
        scanners:
          - secret_detection
        vulnerabilities_allowed: 0
        severity_levels: []
        vulnerability_states: []
        branch_type: protected
    actions:
      - type: require_approval
        approvals_required: 1
        role_approvers:
          - developer
    approval_settings:
      block_branch_modification: false
      prevent_pushing_and_force_pushing: false
  5. Second policy targeting previously existing vulnerabilities:
    type: approval_policy
    name: Pre-Existing Vulnerabilities
    description: ''
    enabled: true
    rules:
      - type: scan_finding
        scanners:
          - container_scanning
        vulnerabilities_allowed: 0
        severity_levels: []
        vulnerability_states:
          - confirmed
          - dismissed
          - resolved
          - detected
        branch_type: protected
    actions:
      - type: require_approval
        approvals_required: 1
        role_approvers:
          - developer
    approval_settings:
      block_branch_modification: false
      prevent_pushing_and_force_pushing: false
  6. With both policies merged and active, create an MR that updates README.md.
  7. Pre-existing vulnerabilities are evaluated before the pipeline finishes, and a policy bot message should appear.
  8. Verify that the message is not updated to "resolved" when the pipeline finishes.
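The race described above, as an added illustrative model that is not GitLab's code or part of this MR: it assumes a rule with empty vulnerability_states is evaluated against newly detected findings after the pipeline finishes, while a rule listing states is evaluated against pre-existing findings beforehand, and shows why overwriting the comment with the latest evaluation yields a wrong "resolved" message.

```ruby
# Added illustrative model of the bug described in this MR; it is not GitLab's code.
# Assumption: a rule with empty vulnerability_states targets findings newly detected
# by the MR pipeline (evaluated after the pipeline finishes); a rule listing states
# targets pre-existing findings (evaluated before the pipeline finishes).
RULES = {
  "New vulnerabilities" => {
    scanners: ["secret_detection"], vulnerability_states: [], vulnerabilities_allowed: 0
  },
  "Pre-Existing Vulnerabilities" => {
    scanners: ["container_scanning"],
    vulnerability_states: %w[confirmed dismissed resolved detected],
    vulnerabilities_allowed: 0
  }
}.freeze

# Constructed sample findings: one detected container-scanning finding already on the
# default branch, and nothing new found by secret detection in the MR pipeline.
PRE_EXISTING = [{ scanner: "container_scanning", state: "detected" }].freeze
NEW_IN_MR = [].freeze

# A rule is violated when more matching findings exist than vulnerabilities_allowed.
def rule_violated?(rule, findings)
  matching = findings.count do |f|
    rule[:scanners].include?(f[:scanner]) &&
      (rule[:vulnerability_states].empty? || rule[:vulnerability_states].include?(f[:state]))
  end
  matching > rule[:vulnerabilities_allowed]
end

# Evaluations in the order they happen: pre-existing rules first, new-finding rules
# once the pipeline has finished.
def evaluations(rules = RULES, pre_existing = PRE_EXISTING, new_in_mr = NEW_IN_MR)
  pre, post = rules.partition { |_, r| !r[:vulnerability_states].empty? }
  pre.map { |name, r| { rule: name, violated: rule_violated?(r, pre_existing) } } +
    post.map { |name, r| { rule: name, violated: rule_violated?(r, new_in_mr) } }
end

# Buggy behaviour: the last evaluation overwrites the comment, so the pipeline finishing
# with no new secrets flips the message to "resolved" despite the pre-existing finding.
def comment_state_overwrite(evals)
  evals.last[:violated] ? "violations" : "resolved"
end

# Fixed behaviour: keep the latest result per rule and report "violations" while any
# scan_finding rule is still violated.
def comment_state_merged(evals)
  latest = evals.each_with_object({}) { |e, h| h[e[:rule]] = e[:violated] }
  latest.values.any? ? "violations" : "resolved"
end
```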
Edited by Martin Čavoj
