Filter dependencies dismissed by policies at project level

What does this MR do and why?

This MR adds GraphQL support to filter dependencies dismissed by security policies at project level.

Queries:

The scope for_license_occurrence_uuids was introduced by MR !210371 (merged)

SELECT DISTINCT
    unnest(license_occurrence_uuids)
FROM
    "security_policy_dismissals"
WHERE (license_occurrence_uuids && ARRAY['3029060e-5ffe-506b-ba0f-db469d5bcdf8', 'bca97c9a-6aa7-5815-8326-676b3cbe286f', '79533971-998f-511d-8fe5-53a8c8f6bcdf']::text[])
    AND "security_policy_dismissals"."status" = 1

Query plan:

https://postgres.ai/console/gitlab/gitlab-production-main/sessions/46074/commands/140833

This is a new feature. We don't have data in production yet.
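As an added example (not code from this MR or from GitLab), the plain-Ruby model below reproduces what the scope's SQL computes, so the filter semantics can be checked without a database: rows are selected by array overlap (`&&`) and `status = 1`, then every uuid on a matching row is unnested and deduplicated. Because `&&` selects whole rows, a row that also carries uuids outside the input array returns those uuids too; the page does not show whether the caller intersects the result with the input, so the second function here does that intersection explicitly. The struct names, the `ACTIVE_STATUS` name for the literal `1`, and the sample rows are assumptions/constructed data.

```ruby
# Added example, not code from the MR: models what the
# for_license_occurrence_uuids scope's SQL computes.
require 'set'

# Assumed shapes; the real GitLab models are not on the page.
SecurityPolicyDismissal = Struct.new(:id, :status, :license_occurrence_uuids, keyword_init: true)
Dependency = Struct.new(:name, :packager, :license_occurrence_uuid, keyword_init: true)

ACTIVE_STATUS = 1 # literal copied from the WHERE clause; the name is an assumption

# Mirrors:
#   SELECT DISTINCT unnest(license_occurrence_uuids) FROM security_policy_dismissals
#   WHERE license_occurrence_uuids && ARRAY[...] AND status = 1
# `&&` (array overlap) keeps whole rows, so every uuid stored on a matching row
# comes back, not only the uuids present in candidate_uuids.
def dismissed_license_occurrence_uuids(dismissals, candidate_uuids)
  candidates = candidate_uuids.to_set
  dismissals
    .select { |d| d.status == ACTIVE_STATUS }
    .select { |d| d.license_occurrence_uuids.any? { |u| candidates.include?(u) } } # &&
    .flat_map(&:license_occurrence_uuids)                                          # unnest
    .uniq                                                                          # DISTINCT
end

# The dependencies(policyViolations: [DISMISSED_IN_MR]) filter as modelled here:
# keep dependencies whose license occurrence uuid was dismissed. Intersecting with
# the candidate set prevents a uuid that merely shares a row with a dismissed one
# from marking an unrelated dependency as dismissed.
def dependencies_dismissed_in_mr(dependencies, dismissals)
  candidates = dependencies.map(&:license_occurrence_uuid)
  dismissed = dismissed_license_occurrence_uuids(dismissals, candidates).to_set & candidates.to_set
  dependencies.select { |dep| dismissed.include?(dep.license_occurrence_uuid) }
end

# Constructed sample data (not production data).
DISMISSALS = [
  SecurityPolicyDismissal.new(id: 1, status: 1, license_occurrence_uuids: %w[uuid-rack uuid-other]),
  SecurityPolicyDismissal.new(id: 2, status: 0, license_occurrence_uuids: %w[uuid-nokogiri]),  # status != 1: ignored
  SecurityPolicyDismissal.new(id: 3, status: 1, license_occurrence_uuids: %w[uuid-unrelated])  # no overlap: ignored
].freeze

DEPENDENCIES = [
  Dependency.new(name: 'rack', packager: 'bundler', license_occurrence_uuid: 'uuid-rack'),
  Dependency.new(name: 'nokogiri', packager: 'bundler', license_occurrence_uuid: 'uuid-nokogiri'),
  Dependency.new(name: 'puma', packager: 'bundler', license_occurrence_uuid: 'uuid-puma')
].freeze

if __FILE__ == $PROGRAM_NAME
  p dismissed_license_occurrence_uuids(DISMISSALS, DEPENDENCIES.map(&:license_occurrence_uuid))
  p dependencies_dismissed_in_mr(DEPENDENCIES, DISMISSALS).map(&:name)
end
```

Running the file shows the row-level effect: the first call returns `uuid-other` alongside `uuid-rack` even though no dependency carries it, which is why the second function intersects before filtering.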

References

Related to: #580545 (closed)

Screenshots or screen recordings

Screenshot_2025-11-25_at_12.54.19_PM

How to set up and validate locally

  1. Enable the feature flag security_policy_warn_mode_license_scanning:
Feature.enable(:security_policy_warn_mode_license_scanning)
  2. Create a new project.
  3. Add a .gitlab-ci.yml file with the content:
include:
  - template: Jobs/Dependency-Scanning.v2.gitlab-ci.yml
  4. Go to Secure > Policies.
  5. Click on New policy.
  6. Select Merge request approval policy.
  7. Create a new policy with enforcement_type: warn that denies the MIT License:
approval_policy:
  - name: Deny MIT
    description: ''
    enabled: true
    enforcement_type: warn
    rules:
      - type: license_finding
        match_on_inclusion_license: true
        license_types:
          - MIT License
        license_states:
          - newly_detected
        branch_type: protected
    actions:
      - type: require_approval
        approvals_required: 1
        role_approvers:
          - developer
      - type: send_bot_message
        enabled: true
  8. Click on Create new project with new policy.
  9. Merge the new MR that adds the policy.
  10. Create a new MR adding a Gemfile.lock file with the following content:
GEM
  remote: https://rubygems.org/
  specs:
    rack (3.0.4.1)

PLATFORMS
  arm64-darwin-22

DEPENDENCIES
  rack

BUNDLED WITH
   2.4.22
  11. Verify that the policy blocked the MR.
  12. Gather the data needed to dismiss the policy violation, for example from a Rails console:
project_path = Project.second_to_last.full_path
mr_iid = MergeRequest.last.iid
policy_id = Security::Policy.last.id
  13. Go to /-/graphql-explorer and dismiss the policy violation with the mutation below, filling the variables with the values gathered in the previous step (the values shown are placeholders):
mutation DismissPolicyViolations($projectPath: ID!, $mergeRequestIid: String!, $securityPolicyIds: [ID!]!, $dismissalTypes: [DismissalType!]!, $comment: String!) {
  dismissPolicyViolations(input: {
    projectPath: $projectPath,
    iid: $mergeRequestIid,
    securityPolicyIds: $securityPolicyIds,
    dismissalTypes: $dismissalTypes,
    comment: $comment
  }) {
    errors
  }
}

{
  "projectPath": "project_path",
  "mergeRequestIid": "mr_iid",
  "securityPolicyIds": [policy_id],
  "dismissalTypes": ["SCANNER_FALSE_POSITIVE"],
  "comment": "false positive"
}
  14. Merge the MR.
  15. Go to Secure > Dependency list and verify that the dependency introduced by the MR was processed.
  16. Go to /-/graphql-explorer and use the query below to filter the dependencies dismissed by the security policy (replace the placeholder with the project's full path):
{
  project(fullPath: "<project>-<fullPath>") {
    name
    dependencies(policyViolations: [DISMISSED_IN_MR]) {
      nodes {
        id
        name
        packager
      }
    }
  }
}

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Marcos Rocha
