Consider child pipelines for MR approval policies (!147710) · Merge requests · GitLab.org / GitLab

Sashi Kumar Kumaresan requested to merge sk/428591-child-pipelines into master Mar 22, 2024

What does this MR do and why?

This change updates the MR approval policies to consider child pipelines.

Database

Query

WITH RECURSIVE "base_and_descendants" AS (
		SELECT
			"ci_pipelines"."id"
		FROM
			"ci_pipelines"
		WHERE
			"ci_pipelines"."project_id" = 278964
			AND "ci_pipelines"."id" IN (687215962, 685462259, 685325240, 687005950)
	UNION (
		SELECT
			"ci_pipelines"."id"
		FROM
			"ci_pipelines",
			"base_and_descendants",
			"ci_sources_pipelines"
		WHERE
			"ci_sources_pipelines"."pipeline_id" = "ci_pipelines"."id"
			AND "ci_sources_pipelines"."source_pipeline_id" = "base_and_descendants"."id"
			AND "ci_sources_pipelines"."source_project_id" = "ci_sources_pipelines"."project_id"))
SELECT
	"ci_pipelines"."id"
FROM
	"base_and_descendants" AS "ci_pipelines";

Query Plan

 CTE Scan on base_and_descendants ci_pipelines  (cost=1185.27..1185.49 rows=11 width=4) (actual time=0.055..5.679 rows=12 loops=1)
   Buffers: shared hit=117 read=9
   I/O Timings: read=5.228 write=0.000
   CTE base_and_descendants
     ->  Recursive Union  (cost=0.58..1185.27 rows=11 width=4) (actual time=0.053..5.671 rows=12 loops=1)
           Buffers: shared hit=117 read=9
           I/O Timings: read=5.228 write=0.000
           ->  Index Only Scan using index_ci_pipelines_on_project_id_and_id_desc on public.ci_pipelines ci_pipelines_1  (cost=0.58..9.86 rows=1 width=4) (actual time=0.051..0.234 rows=4 loops=1)
                 Index Cond: ((ci_pipelines_1.project_id = 278964) AND (ci_pipelines_1.id = ANY ('{687215962,685462259,685325240,687005950}'::integer[])))
                 Heap Fetches: 0
                 Buffers: shared hit=22 read=1
                 I/O Timings: read=0.136 write=0.000
           ->  Nested Loop  (cost=1.15..117.52 rows=1 width=4) (actual time=0.550..2.710 rows=4 loops=2)
                 Buffers: shared hit=95 read=8
                 I/O Timings: read=5.092 write=0.000
                 ->  Nested Loop  (cost=0.57..115.44 rows=1 width=8) (actual time=0.531..1.492 rows=4 loops=2)
                       Buffers: shared hit=58 read=4
                       I/O Timings: read=2.781 write=0.000
                       ->  WorkTable Scan on base_and_descendants  (cost=0.00..0.20 rows=10 width=4) (actual time=0.000..0.002 rows=6 loops=2)
                             I/O Timings: read=0.000 write=0.000
                       ->  Index Scan using index_ci_sources_pipelines_on_source_pipeline_id on public.ci_sources_pipelines  (cost=0.57..11.51 rows=1 width=16) (actual time=0.247..0.247 rows=1 loops=12)
                             Index Cond: (ci_sources_pipelines.source_pipeline_id = base_and_descendants.id)
                             Filter: (ci_sources_pipelines.source_project_id = ci_sources_pipelines.project_id)
                             Rows Removed by Filter: 0
                             Buffers: shared hit=58 read=4
                             I/O Timings: read=2.781 write=0.000
                 ->  Index Only Scan using ci_pipelines_pkey on public.ci_pipelines ci_pipelines_2  (cost=0.58..2.08 rows=1 width=4) (actual time=0.303..0.303 rows=1 loops=8)
                       Index Cond: (ci_pipelines_2.id = ci_sources_pipelines.pipeline_id)
                       Heap Fetches: 0
                       Buffers: shared hit=37 read=4
                       I/O Timings: read=2.311 write=0.000

Time: 12.577 ms
  - planning: 6.785 ms
  - execution: 5.792 ms
    - I/O read: 5.228 ms
    - I/O write: 0.000 ms

Shared buffers:
  - hits: 117 (~936.00 KiB) from the buffer pool
  - reads: 9 (~72.00 KiB) from the OS file cache, including disk I/O
  - dirtied: 0
  - writes: 0

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

Target branch's child pipeline

Source branch's child pipeline

Before (Feature disabled)	After (Feature enabled)

How to set up and validate locally

Create a project with security scans in child pipeline. https://gitlab.com/gitlab-org/govern/security-policies/sashis-test-group/test-child-pipeline-2 can be used as reference
Enable approval_policy_parent_child_pipeline feature flag for the project
Create MR approval policy that requires approval when a new vulnerability is detected

name: Require approval
description: ''
enabled: true
actions:
- type: require_approval
  approvals_required: 1
  group_approvers_ids:
  - <ID>
rules:
- type: scan_finding
  scanners: []
  vulnerabilities_allowed: 0
  severity_levels: []
  vulnerability_states:
  - new_needs_triage
  branch_type: protected
approval_settings:
  prevent_pushing_and_force_pushing: false

Create an MR that introduces a new vulnerability from the child pipeline's security job. Example MR: gitlab-org/govern/security-policies/sashis-test-group/test-child-pipeline-2!1
Observe that the MR requires approval as a new vulnerability was detected in the child pipeline.

Addresses #428591

Edited Mar 28, 2024 by Sashi Kumar Kumaresan

Consider child pipelines for MR approval policies