Fix required approvals for mixed policies

Martin Čavoj requested to merge mc/fix-mixed-states-in-policy into master

What does this MR do and why?

This MR fixes a scenario where approvals wouldn't be required if policies mix new and previously existing vulnerability statuses and the source pipeline doesn't introduce any new vulnerabilities.

Here is an example project where the issue is reproduced: gitlab-org/govern/security-policies/martins-test-group/mixed-policies!3

  • There is a policy that should require approvals for previously existing vulnerabilities
  • There is a vulnerability under Secure -> Vulnerability Report
  • Approvals are optional

I refactored the specs to flatten the unnecessary contexts and to try to make it clearer in the tests which code path is tested.

There are optimizations of the tests included from !145504 (merged), so there will be potential conflicts in these specs.

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

How to set up and validate locally

  1. Create a project
  2. Add CI configuration:
    include:
      - template: Jobs/Secret-Detection.gitlab-ci.yml
    
    build-job:
      script:
        - echo "Compiling the code..."
        - echo "Compile complete."
  3. Create a policy that requires all vulnerability_states. Example:
    type: approval_policy
    name: Scans
    description: ''
    enabled: true
    rules:
      - type: scan_finding
        scanners: []
        vulnerabilities_allowed: 0
        severity_levels: []
        vulnerability_states:
          - new_needs_triage
          - new_dismissed
          - detected
          - confirmed
          - dismissed
          - resolved
        branch_type: protected
    actions:
      - type: require_approval
        approvals_required: 1
        role_approvers:
          - developer
  4. Create MR and introduce a vulnerability in the project and merge it. Example:
    diff --git a/.env b/.env
    new file mode 100644
    index 0000000000000000000000000000000000000000..ee4bf74ac3b632173dafc09e74ecd68c298bdfa1
    --- /dev/null
    +++ b/.env
    @@ -0,0 +1 @@
    +AWS_TOKEN=AKIAZYONPI3G4JNCCWGQ
    \ No newline at end of file
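    Review bot: the single added line `+AWS_TOKEN=AKIAZYONPI3G4JNCCWGQ` is what the `Jobs/Secret-Detection.gitlab-ci.yml` template from step 2 is expected to flag, so the whole validation hinges on that value matching the scanner's AWS key pattern; keep it a deliberately invalid placeholder of that shape, because once the MR in this step is merged the value lives on in git history even if `.env` is later deleted. The `\ No newline at end of file` marker is harmless for the test but worth dropping (end the file with a newline) if the fixture is reused.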
  5. Create MR that updates README and doesn't introduce any new vulnerabilities
  6. Verify that approvals are required
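A small Ruby model of the rule evaluation behind steps 3 to 6, added here as an illustration and not GitLab's own code: it splits the policy's vulnerability_states into the "new" states (checked against the source pipeline's findings) and the previously existing states (checked against the project's vulnerability report), and contrasts a hypothetical short-circuiting evaluation that reproduces the symptom described in this MR with one that counts both groups. The policy text, the finding hashes and all function names are constructed for the example.

```ruby
require 'yaml'

# Constructed policy with the same rule shape as step 3 of the setup.
POLICY_YAML = <<~YAML
  type: approval_policy
  name: Scans
  enabled: true
  rules:
    - type: scan_finding
      scanners: []
      vulnerabilities_allowed: 0
      severity_levels: []
      vulnerability_states: [new_needs_triage, new_dismissed, detected, confirmed, dismissed, resolved]
      branch_type: protected
  actions:
    - type: require_approval
      approvals_required: 1
YAML

# States that refer to findings introduced by the source pipeline; every
# other state refers to vulnerabilities already recorded on the project.
NEW_STATES = %w[new_needs_triage new_dismissed].freeze

def scan_finding_rule(yaml)
  YAML.safe_load(yaml)['rules'].find { |r| r['type'] == 'scan_finding' }
end

# Returns [new_states, existing_states] for one scan_finding rule.
def split_states(rule)
  states = rule['vulnerability_states']
  [states & NEW_STATES, states - NEW_STATES]
end

# Hypothetical model of the symptom: when the pipeline introduces no new
# findings, the rule bails out before ever looking at existing vulnerabilities.
def approval_required_buggy?(rule, new_findings, existing_vulns)
  new_states, existing_states = split_states(rule)
  new_matches = new_findings.count { |f| new_states.include?(f[:state]) }
  return false if new_matches.zero?

  existing_matches = existing_vulns.count { |v| existing_states.include?(v[:state]) }
  new_matches + existing_matches > rule['vulnerabilities_allowed']
end

# Expected behaviour: both groups are counted regardless of whether the
# pipeline added anything, so a README-only MR still needs approval when the
# project already carries a matching vulnerability (step 5 and step 6).
def approval_required_fixed?(rule, new_findings, existing_vulns)
  new_states, existing_states = split_states(rule)
  total = new_findings.count { |f| new_states.include?(f[:state]) } +
          existing_vulns.count { |v| existing_states.include?(v[:state]) }
  total > rule['vulnerabilities_allowed']
end
```

Calling both predicates with an empty pipeline report and one `detected` vulnerability (the merged `.env` secret from step 4) shows the difference: the short-circuiting version answers false, the counting version true.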
Edited by Martin Čavoj