
Refactor policy rule evaluation and unblock rules with SEP scanners

What does this MR do and why?

This change removes duplication of policy rule evaluation logic by introducing a new PolicyRuleEvaluationService to take care of:

  • resetting required approvals for violated rules
  • removing required approvals for unviolated rules
  • (new) unblocking rules with scanners covered by existing SEP
  • updating merge request violations
  • posting the bot comment

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

How to set up and validate locally

  1. Create a project
  2. Create multiple policies:
    1. Scan finding with new statuses for selected scanner (e.g. dependency scanning)
    2. Scan finding with previously existing statuses for selected scanner (e.g. dependency scanning)
    3. License scanning
    4. Scan execution policy with the same selected scanner (e.g. dependency scanning)
  3. Create MR in the project
  4. Verify that the rule doesn't require approvals if there's a scan execution policy defined for the same scanner (even though the job doesn't run due to missing Gemfile.lock, package.json, etc.)
  5. Change scanner in SEP to something else
  6. Verify that approvals are required
  7. Approvals should still be required for "previously existing" statuses
  8. Verify that license scanning rule gets unblocked when there's a SEP with dependency_scanning
Edited by Martin Čavoj
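The decision matrix exercised by validation steps 4 to 8, as an added Ruby model. This is not the MR's PolicyRuleEvaluationService or any GitLab code; the rule representation, the vulnerability state names, the scanner coverage mapping and the "all rules violated because no scan ran" input are assumptions chosen for the illustration.

```ruby
require 'set'

# Added illustration, not GitLab's PolicyRuleEvaluationService.
# Models the approval decisions described in the MR's validation steps:
#   - a violated rule normally has its required approvals reset
#   - an unviolated rule has its required approvals removed
#   - a violated rule whose scanners are covered by a scan execution policy
#     (SEP) is unblocked, but only when it targets "new" vulnerability states;
#     rules on previously existing states still require approvals (step 7)

# Vulnerability states treated as "new" (assumed names for this example).
NEW_STATES = %w[newly_detected new_needs_triage new_dismissed].freeze

# Which SEP scanners cover a rule's scanner. A scanner covers itself; per
# validation step 8, a dependency_scanning SEP also unblocks a
# license_scanning rule (assumed mapping for this example).
SEP_COVERAGE = {
  'license_scanning' => %w[license_scanning dependency_scanning]
}.freeze

Rule = Struct.new(:name, :scanners, :vulnerability_states, keyword_init: true)

def new_states_only?(rule)
  rule.vulnerability_states.all? { |state| NEW_STATES.include?(state) }
end

def covered_by_sep?(rule, sep_scanners)
  rule.scanners.all? do |scanner|
    (SEP_COVERAGE.fetch(scanner, [scanner]) & sep_scanners).any?
  end
end

# Returns :remove_required_approvals, :unblock or :reset_required_approvals
def decide(rule, violated:, sep_scanners:)
  return :remove_required_approvals unless violated
  return :unblock if new_states_only?(rule) && covered_by_sep?(rule, sep_scanners)

  :reset_required_approvals
end

# Evaluate every rule; violated_rules holds the names of rules the
# scan results (or their absence) violated.
def evaluate(rules, violated_rules, sep_scanners)
  rules.to_h do |rule|
    [rule.name, decide(rule, violated: violated_rules.include?(rule.name),
                             sep_scanners: sep_scanners)]
  end
end

# Constructed policies mirroring validation step 2
RULES = [
  Rule.new(name: 'ds_new', scanners: %w[dependency_scanning],
           vulnerability_states: %w[newly_detected]),
  Rule.new(name: 'ds_existing', scanners: %w[dependency_scanning],
           vulnerability_states: %w[detected confirmed]),
  Rule.new(name: 'license', scanners: %w[license_scanning],
           vulnerability_states: %w[newly_detected])
].freeze

# No Gemfile.lock / package.json, so no scan ran: every rule is violated (step 4)
ALL_VIOLATED = Set.new(RULES.map(&:name)).freeze

if __FILE__ == $PROGRAM_NAME
  # Step 4: SEP for dependency_scanning unblocks ds_new and license, not ds_existing
  p evaluate(RULES, ALL_VIOLATED, %w[dependency_scanning])
  # Steps 5-6: SEP switched to another scanner, approvals required again
  p evaluate(RULES, ALL_VIOLATED, %w[sast])
end
```

Run it directly to print the two decision maps; the model only captures the SEP-unblock branch, not the violation-record update or the bot comment that the service also owns.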
