Stop blocking pre-existing policy rules as unenforceable

What does this MR do and why?

Stop blocking pre-existing policy rules as unenforceable.

Currently we're triggering a policy bot comment for unenforceable rules via UnenforceablePolicyRulesNotificationService to display configuration errors to the user. These are based on missing scans in the pipeline.

Pre-existing policy rules are evaluated separately and don't require a pipeline to be evaluated. We shouldn't include them in this evaluation, otherwise they conflict with the SyncPreexistingStatesApprovalRulesWorker and cause approvals to be reset, even if there is no policy violation of the pre-existing rules.

The bug was caused by a change in !168222 (merged) that causes unenforceable rules to have their approvals reset. Although this is correct, rules with pre-existing states shouldn't be considered as unenforceable in the first place. Before the MR, the reset was happening only behind a feature flag, so the bug was hidden by that.
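The distinction the description draws, as an added illustrative model rather than GitLab's own code: a scan_finding rule whose vulnerability_states list only pre-existing states (detected, confirmed, dismissed, resolved) is evaluated against the default branch's known vulnerabilities and needs no pipeline, so it must be excluded before deciding which rules are unenforceable because of missing scans. The state names, the helper names, and the sample policy (modelled on the one in the validation steps) are assumptions made for this example.

```ruby
# Illustrative model (not GitLab's own code) of how unenforceable-rule detection
# should skip rules that only target pre-existing vulnerabilities.
require 'yaml'

# Assumption: states that refer to findings already recorded on the default
# branch; rules using only these are evaluated without a pipeline.
PREEXISTING_STATES = %w[detected confirmed dismissed resolved].freeze
# Assumption: states that refer to findings newly introduced by the MR pipeline.
NEWLY_DETECTED_STATES = %w[new_needs_triage new_dismissed].freeze

# A rule targets only pre-existing vulnerabilities when every listed state is a
# pre-existing one. An empty state list means "both", so it still needs a pipeline.
def preexisting_only?(rule)
  states = Array(rule['vulnerability_states'])
  !states.empty? && states.all? { |s| PREEXISTING_STATES.include?(s) }
end

# A pipeline-dependent scan_finding rule is unenforceable when the pipeline lacks
# the scans it needs. An empty `scanners` list means "any scanner", so at least
# one scan report must be present in the pipeline.
def unenforceable?(rule, pipeline_scans)
  return false unless rule['type'] == 'scan_finding'

  required = Array(rule['scanners'])
  if required.empty?
    pipeline_scans.empty?
  else
    (required - pipeline_scans).any?
  end
end

# Rules that should trigger the "unenforceable" bot comment and an approval
# reset: pipeline-dependent rules with missing scans, never pre-existing-only rules.
def unenforceable_rules(policy, pipeline_scans)
  policy['rules'].reject { |r| preexisting_only?(r) }
                 .select { |r| unenforceable?(r, pipeline_scans) }
end

# Constructed sample policy: the first rule mirrors the reproduction steps
# (pre-existing states only); the second is a pipeline-dependent rule for contrast.
POLICY_YAML = <<~YAML
  type: approval_policy
  name: Security Approval
  rules:
    - type: scan_finding
      scanners: []
      vulnerabilities_allowed: 0
      severity_levels: [high, critical]
      vulnerability_states: [confirmed, detected]
      branch_type: protected
    - type: scan_finding
      scanners: [sast]
      vulnerabilities_allowed: 0
      severity_levels: [medium]
      vulnerability_states: [new_needs_triage]
      branch_type: protected
YAML
POLICY = YAML.safe_load(POLICY_YAML)

if __FILE__ == $PROGRAM_NAME
  # A pipeline with a single non-security job produces no scan reports at all.
  flagged = unenforceable_rules(POLICY, [])
  puts "unenforceable rules: #{flagged.map { |r| r['vulnerability_states'] }.inspect}"
end
```

With no scans in the pipeline only the second rule is reported; the pre-existing-only rule from the reproduction steps is left to the separate pre-existing-state evaluation, so its approvals are not reset.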

References

Please include cross links to any resources that are relevant to this MR. This will give reviewers and future readers helpful context to give an efficient review of the changes introduced.

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

Screenshots are required for UI changes, and strongly recommended for all other merge requests.

Before: CleanShot_2024-11-07_at_14.19.02_2x
After: CleanShot_2024-11-07_at_14.17.29_2x

How to set up and validate locally

  1. Create a project
  2. Create a scan_finding policy which only targets pre-existing vulnerabilities:
    type: approval_policy
    name: Security Approval
    description: ''
    enabled: true
    rules:
      - type: scan_finding
        scanners: []
        vulnerabilities_allowed: 0
        severity_levels:
          - high
          - critical
        vulnerability_states:
          - confirmed
          - detected
        branch_type: protected
      - type: scan_finding
        scanners: []
        vulnerabilities_allowed: 0
        severity_levels:
          - medium
        vulnerability_states:
          - confirmed
          - detected
        branch_type: protected
    actions:
      - type: require_approval
        approvals_required: 1
        role_approvers:
          - developer
      - type: send_bot_message
        enabled: true
    approval_settings:
      block_branch_modification: false
      prevent_pushing_and_force_pushing: false
      prevent_approval_by_author: false
      prevent_approval_by_commit_author: false
      remove_approvals_with_new_commit: false
      require_password_to_approve: false
    fallback_behavior:
      fail: closed
    
  3. Create a .gitlab-ci.yml with a simple job and don't include any security scanners:
    project-job:
      stage: test
      script:
        - 'sleep 10 && echo "Test"'
  4. Update README.md
  5. Verify that MR is not blocked by the policy rules

Related to #503171 (closed)

Edited by Martin Cavoj
