Update uuid for security policy dismissals

What does this MR do and why?

In MR !210792 (merged), we started persisting license_finding violation data when a policy in warn mode is dismissed/bypassed. However, this information is insufficient to link a policy dismissal to an occurrence in the dependency list. In this MR, we are adding a new task in IngestReportSliceService to update the policy dismissals with the occurrence UUID.

We want to use this information to:

  • Indicate in the dependency list which dependency was introduced after dismissing a security policy.
  • Filter dependencies introduced after a policy dismissal.

References

Related to: #570791 (closed), #562185 (closed), #561600 (closed)

How to set up and validate locally

  1. Enable the feature flag security_policy_warn_mode_license_scanning
```ruby
Feature.enable(:security_policy_warn_mode_license_scanning)
```
  2. Create a new project
  3. Add a .gitlab-ci.yml file with the content
```yaml
include:
  - template: Jobs/Dependency-Scanning.v2.gitlab-ci.yml
```
  4. Go to Secure > Policies
  5. Click on New policy
  6. Select Merge request approval policy
  7. Create a new policy with enforcement_type: warn that denies the MIT License
```yaml
approval_policy:
  - name: Deny MIT
    description: ''
    enabled: true
    enforcement_type: warn
    rules:
      - type: license_finding
        match_on_inclusion_license: true
        license_types:
          - MIT License
        license_states:
          - newly_detected
        branch_type: protected
    actions:
      - type: require_approval
        approvals_required: 1
        role_approvers:
          - developer
      - type: send_bot_message
        enabled: true
```
  8. Click on Create new project with new policy
  9. Merge the new MR to add the policy
  10. Create a new MR adding a Gemfile.lock file with the following content:
```
GEM
  remote: https://rubygems.org/
  specs:
    rack (3.0.4.1)

PLATFORMS
  arm64-darwin-22

DEPENDENCIES
  rack

BUNDLED WITH
   2.4.22
```
  11. Verify that the policy blocked the MR
  12. In a Rails console, gather the data needed to dismiss the policy through GraphQL
```ruby
project_path = Project.second_to_last.full_path
mr_iid = MergeRequest.last.iid
policy_id = Security::Policy.last.id
```
  13. Go to /-/graphql-explorer and dismiss the policy using the mutation below, passing the variables gathered in the previous step
```graphql
mutation DismissPolicyViolations($projectPath: ID!, $mergeRequestIid: String!, $securityPolicyIds: [ID!]!, $dismissalTypes: [DismissalType!]!, $comment: String!) {
  dismissPolicyViolations(input: {
    projectPath: $projectPath,
    iid: $mergeRequestIid,
    securityPolicyIds: $securityPolicyIds,
    dismissalTypes: $dismissalTypes,
    comment: $comment
  }) {
    errors
  }
}
```
```json
{
  "projectPath": "project_path",
  "mergeRequestIid": "mr_iid",
  "securityPolicyIds": [policy_id],
  "dismissalTypes": ["SCANNER_FALSE_POSITIVE"],
  "comment": "false positive"
}
```
  14. Merge the MR
  15. Go to Secure > Dependency list and verify the dependency introduced by the MR was processed
  16. Verify that the policy dismissal now contains the license_occurrence_uuids
```ruby
Security::PolicyDismissal.last
=> #<Security::PolicyDismissal:0x00000001425501e8
 id: 11,
 created_at: Mon, 17 Nov 2025 15:01:55.035529000 UTC +00:00,
 updated_at: Mon, 17 Nov 2025 15:02:19.709246000 UTC +00:00,
 project_id: 242,
 merge_request_id: 518,
 security_policy_id: 155,
 user_id: 1,
 security_findings_uuids: [],
 dismissal_types: [1],
 comment: "false positive",
 status: "preserved",
 licenses: {"MIT License" => ["rack"]},
 license_occurrence_uuids: ["76bb33f3-66ae-53b2-b68d-aecdea62335a"]>
```
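The linking step this MR adds is easier to reason about in isolation. The following is an added illustration, not GitLab's own code or the actual IngestReportSliceService task: it models a dismissal's `licenses` hash (license name to package names, as in the console output above) and a list of dependency occurrences, resolves which occurrence UUIDs the dismissal should carry, applies the update idempotently, and offers a check that every dismissed package is now backed by an occurrence. The `Dismissal` and `Occurrence` structs, the helper names and all UUIDs other than the one shown on this page are constructed assumptions.

```ruby
# Added example, not GitLab code: how a warn-mode policy dismissal's license data
# can be linked to dependency-list occurrence UUIDs. Struct names, helper names and
# sample data are constructed for illustration only.
require 'set'

# Dismissal as recorded in MR !210792: licenses => {license_name => [package names]}
Dismissal = Struct.new(:id, :licenses, :license_occurrence_uuids, keyword_init: true)

# One dependency-list occurrence produced when a report slice is ingested (constructed)
Occurrence = Struct.new(:uuid, :package_name, :licenses, keyword_init: true)

# UUID from the console output above; the others are constructed placeholders.
SAMPLE_OCCURRENCES = [
  Occurrence.new(uuid: '76bb33f3-66ae-53b2-b68d-aecdea62335a',
                 package_name: 'rack', licenses: ['MIT License']),
  # Same license, different package: not covered by the dismissal, must not be linked.
  Occurrence.new(uuid: '00000000-0000-4000-8000-000000000001',
                 package_name: 'rails', licenses: ['MIT License']),
  # Same package name, different license: also must not be linked.
  Occurrence.new(uuid: '00000000-0000-4000-8000-000000000002',
                 package_name: 'rack', licenses: ['Apache-2.0'])
].freeze

# Return the sorted UUIDs of occurrences whose (license, package) pair appears in the
# dismissal. Matching on the pair, not on the license alone, keeps a dismissal scoped
# to the packages the reviewer actually bypassed.
def occurrence_uuids_for(dismissal, occurrences)
  wanted = dismissal.licenses.flat_map do |license, packages|
    packages.map { |pkg| [license, pkg] }
  end.to_set

  occurrences.select do |occ|
    occ.licenses.any? { |lic| wanted.include?([lic, occ.package_name]) }
  end.map(&:uuid).uniq.sort
end

# Merge newly resolved UUIDs into the dismissal without duplicates, so re-ingesting
# the same slice leaves the array unchanged.
def link_dismissal!(dismissal, occurrences)
  found = occurrence_uuids_for(dismissal, occurrences)
  dismissal.license_occurrence_uuids = (dismissal.license_occurrence_uuids | found).sort
  dismissal
end

# True when every package named in the dismissal is backed by at least one linked
# occurrence; a false result means step 16 above would show an incomplete array.
def dismissal_fully_linked?(dismissal, occurrences)
  by_uuid = occurrences.to_h { |occ| [occ.uuid, occ] }
  linked = dismissal.license_occurrence_uuids.filter_map { |u| by_uuid[u]&.package_name }
  dismissal.licenses.values.flatten.uniq.all? { |pkg| linked.include?(pkg) }
end

if __FILE__ == $PROGRAM_NAME
  dismissal = Dismissal.new(id: 11, licenses: { 'MIT License' => ['rack'] },
                            license_occurrence_uuids: [])
  link_dismissal!(dismissal, SAMPLE_OCCURRENCES)
  puts dismissal.license_occurrence_uuids.inspect
  puts dismissal_fully_linked?(dismissal, SAMPLE_OCCURRENCES)
end
```

Running the file links only the `rack` occurrence carrying the MIT License; the `rails` occurrence (same license) and the Apache-licensed `rack` occurrence stay unlinked, which is the property the dependency-list filter described at the top of this MR relies on.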

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Marcos Rocha
