Add AutoDismissService for auto-dismiss policies
What does this MR do and why?
Add AutoDismissService for auto-dismiss policies.
Automatic dismissal of vulnerabilities needs to be integrated with vulnerability ingestion. We introduce a service that will later be called from a worker, triggered by an event.
The service is largely based on the existing AutoResolveService, so we're introducing a base service to extract the common methods between the two services, removing the duplication.
References
- Depends on Extend schema and models to support auto-dismis... (!213920 - merged)
- PoC: !211112 (closed)
Database queries
Queries are largely the same as in Vulnerabilities::AutoResolveService added in Add AutoResolveService to automatically resolve... (!172161 - merged) and Auto-resolve vulnerabilities based on vulnerabi... (!173437 - merged).
In the new service, the state is updated to dismissed instead of resolved. The only other difference is that the batching happens inside AutoDismissService, whereas for AutoResolveService it happens in MarkAsResolvedService.
- Get vulnerability state: https://console.postgres.ai/gitlab/gitlab-production-main/sessions/33607/commands/103466
- Create state transitions: https://console.postgres.ai/gitlab/gitlab-production-main/sessions/33607/commands/103465
- Update vulnerabilities: https://console.postgres.ai/gitlab/gitlab-production-main/sessions/33607/commands/103467
- Create notes: https://console.postgres.ai/gitlab/gitlab-production-main/sessions/33607/commands/103468
A new query, `project.vulnerability_management_policies.auto_dismiss_policies.including_rules`:

```sql
SELECT "security_policies".* FROM "security_policies" INNER JOIN "security_policy_project_links" ON "security_policies"."id" = "security_policy_project_links"."security_policy_id" WHERE "security_policy_project_links"."project_id" = 56649822 AND "security_policies"."type" = 3 AND "security_policies"."type" = 3 AND (policy_index >= 0) AND "security_policies"."enabled" = TRUE AND (content -> 'actions' @> '[{"type":"auto_dismiss"}]')
SELECT "vulnerability_management_policy_rules".* FROM "vulnerability_management_policy_rules" WHERE "vulnerability_management_policy_rules"."security_policy_id" IN (782, 783, 790)
```
- https://console.postgres.ai/gitlab/gitlab-production-main/sessions/45952/commands/140594
- The subsequent query generated by `including_rules`, using the subquery `"security_policy_id" IN (SELECT id FROM security_policies ORDER BY id DESC LIMIT 2)`, as I wasn't able to get the IDs of the fabricated auto-dismiss policies: https://console.postgres.ai/gitlab/gitlab-production-main/sessions/45952/commands/140605
How to set up and validate locally
- In the Rails console, enable the feature flag: `Feature.enable(:auto_dismiss_vulnerability_policies)`
- Create a project.
- Create an auto-dismiss policy:

```yaml
vulnerability_management_policy:
  - name: Auto-dismiss acceptable secrets
    description: Auto-dismiss secrets
    enabled: true
    actions:
      - type: auto_dismiss
        dismissal_reason: not_applicable
    rules:
      - type: detected
        criteria:
          - type: file_path
            value: ".env"
```

- Add a `.gitlab-ci.yml` with secret detection:

```yaml
include:
  - template: Jobs/Secret-Detection.latest.gitlab-ci.yml
```

- Add two secrets in the `main` branch:
  - `.env`: `AWS_TOKEN=AKIAZYONPI3G4JNCCWGQ`
  - `.env2`: `AWS_TOKEN=AKIAZYONPI3G4JNCCWGA`
- Wait until the pipeline on `main` finishes and the two vulnerabilities appear in the Vulnerability Report. Note the IDs of the two vulnerabilities.
- In the Rails console, run the service manually, passing the latest pipeline ID and the two vulnerability IDs: `Vulnerabilities::AutoDismissService.new(Ci::Pipeline.find(<pipeline_id>), [vuln_1_id, vuln_2_id]).execute`
- Refresh the Vulnerability Report and verify that the secret from `.env` got dismissed and there is an activity comment stating the details.
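To show what the validation steps above exercise, here is an added Ruby sketch, not GitLab's AutoDismissService, of the policy evaluation and the in-service batching this MR describes. The Hash-based vulnerability model, the `criterion_matches?`, `policy_applies?` and `auto_dismiss_transitions` helpers and the sample data are all constructed for this example.

```ruby
# Constructed policy in the shape used in the validation steps.
POLICY = {
  'name' => 'Auto-dismiss acceptable secrets', 'enabled' => true,
  'actions' => [{ 'type' => 'auto_dismiss', 'dismissal_reason' => 'not_applicable' }],
  'rules' => [{ 'type' => 'detected',
                'criteria' => [{ 'type' => 'file_path', 'value' => '.env' }] }]
}

# Constructed vulnerabilities: the two findings from the local setup plus one
# that is already dismissed and must not get a second transition.
VULNS = [
  { id: 1, file_path: '.env',  state: 'detected' },
  { id: 2, file_path: '.env2', state: 'detected' },
  { id: 3, file_path: '.env',  state: 'dismissed' }
]

# A criterion matches only when its type is known and its value matches the finding.
def criterion_matches?(criterion, vuln)
  case criterion['type']
  when 'file_path' then vuln[:file_path] == criterion['value']
  else false # unknown criterion types never match, so nothing is dismissed by accident
  end
end

# A policy applies only if it is enabled and some `detected` rule has all criteria satisfied.
def policy_applies?(policy, vuln)
  return false unless policy['enabled']
  policy['rules'].any? do |rule|
    rule['type'] == 'detected' && rule['criteria'].all? { |c| criterion_matches?(c, vuln) }
  end
end

# Builds the state transitions to persist, batching the vulnerabilities itself.
def auto_dismiss_transitions(policies, vulns, batch_size: 2)
  dismiss_policies = policies.select { |p| p['actions'].any? { |a| a['type'] == 'auto_dismiss' } }
  vulns.each_slice(batch_size).flat_map do |batch|
    batch.filter_map do |vuln|
      next if vuln[:state] == 'dismissed' # already dismissed: no new transition
      policy = dismiss_policies.find { |p| policy_applies?(p, vuln) }
      next unless policy
      action = policy['actions'].find { |a| a['type'] == 'auto_dismiss' }
      { vulnerability_id: vuln[:id], from_state: vuln[:state], to_state: 'dismissed',
        dismissal_reason: action['dismissal_reason'],
        comment: "Auto-dismissed by policy '#{policy['name']}'" }
    end
  end
end
```

Running `auto_dismiss_transitions([POLICY], VULNS)` yields one transition, for the `.env` finding only; `.env2` does not match the `file_path` criterion and the already-dismissed finding is skipped.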
MR acceptance checklist
Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Related to #581377