Disallowing invalid control fuzz testing

What does this MR do and why?

This MR prevents the creation and usage of invalid compliance controls, specifically the scanner_fuzz_testing_running control, which does not function correctly in compliance framework status reports.

The fuzz testing control was not showing results in the compliance status report, causing incorrect compliance status calculations. This fix:

  • Adds validation to prevent creating new controls with invalid names (currently scanner_fuzz_testing_running)
  • Filters out existing invalid controls from compliance requirement queries
  • Removes the fuzz testing control from the default controls configuration

This ensures compliance frameworks only use working controls and display accurate compliance status.
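The three guards described above, as an added example in plain Ruby (not GitLab's own code, which is ActiveRecord-based): a name denylist checked on create, a query-time filter that also hides rows created before the validation existed, and a default-controls list pruned at load time. The control names, sample expression and class names are constructed for this example.

```ruby
# Names that must neither be created nor surfaced. Constructed to mirror the MR;
# the real list lives in GitLab's code base.
INVALID_CONTROL_NAMES = %w[scanner_fuzz_testing_running].freeze

# Constructed sample of a default-controls configuration before pruning.
RAW_DEFAULT_CONTROLS = [
  { name: 'scanner_fuzz_testing_running', control_type: 'internal' },
  { name: 'scanner_api_security_running', control_type: 'internal' }
].freeze

# Default controls with the invalid entries removed once, at load time.
DEFAULT_CONTROLS = RAW_DEFAULT_CONTROLS
  .reject { |c| INVALID_CONTROL_NAMES.include?(c[:name]) }
  .freeze

ComplianceControl = Struct.new(:name, :expression, :control_type, keyword_init: true)

class ComplianceRequirement
  attr_reader :controls

  def initialize
    @controls = [] # may still hold legacy rows that predate the validation
  end

  # Guard 1: reject invalid names on create. Returns [control, errors]; the error
  # text matches the message the MR's validation step expects.
  def create_control(name:, expression:, control_type: 'internal')
    if INVALID_CONTROL_NAMES.include?(name)
      return [nil, ["Invalid name for the compliance control #{name}"]]
    end

    control = ComplianceControl.new(name: name, expression: expression, control_type: control_type)
    @controls << control
    [control, []]
  end

  # Guard 2: filter invalid rows out of every read, so a legacy row that slipped
  # in before the validation existed never reaches a status report.
  def active_controls
    @controls.reject { |c| INVALID_CONTROL_NAMES.include?(c.name) }
  end

  # Simulates a row written before the fix (bypasses create_control on purpose).
  def seed_legacy(control)
    @controls << control
    self
  end
end
```

The filter matters because the validation alone leaves previously stored fuzz testing controls in place; only the read-side reject makes them disappear from requirements.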

This is the first step as per the implementation plan at #553102

References

Screenshots or screen recordings

Any Fuzz testing control that was already added to a requirement will disappear after this change.

Before / After screenshots (images not included)

How to set up and validate locally

  1. For this you need a group with an Ultimate license.
  2. Check out the master branch first, to test the case where the fuzz testing control is already present for a requirement.
  3. Create a framework in the group by visiting the left sidebar, Secure -> Compliance Center -> Frameworks tab.
  4. In the framework, create a requirement and add at least 2 internal controls, Fuzz testing running and API security running; you can add more if you want.
  5. Now when you view the framework, both controls should be visible.
  6. Now switch to the branch of this MR, 553102-disallow-controls.
  7. Visit the framework again; on opening the requirements for the framework, you will not see the Fuzz testing running control.
  8. Testing:
    1. You can add one more internal control to the same requirement; it should be added without any errors.
    2. Add another requirement to the framework and add another internal control to it. Try searching for fuzz testing in the controls list; it should not be present there.
    3. Open the GraphQL explorer at http://host.docker.internal:3000/-/graphql-explorer and try adding the control to the requirement via the following mutation. It should return an error saying Invalid name for the compliance control scanner_fuzz_testing_running
mutation createControl {
  createComplianceRequirementsControl(input: {
    complianceRequirementId: "gid://gitlab/ComplianceManagement::ComplianceFramework::ComplianceRequirement/<id>",
    params: {
      name: "scanner_fuzz_testing_running",
      expression: "{\"field\":\"scanner_fuzz_testing_running\",\"operator\":\"=\",\"value\":true}",
      controlType: "internal"
    }
  }) {
    requirementsControl {
      id
      expression
      controlType
      name
    }
    errors
  }
}

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Hitesh Raghuvanshi
