Draft: Add worker to update mr approvals for updated enrichments

What does this MR do and why?

This MR adds a new worker to update MR approvals for policy with enrichment filters.

References

Related to: #585514

Screenshots or screen recordings

Screenshots (not reproduced here): Before the update | After the update

How to set up and validate locally

Prerequisite: sync the CVE enrichment data.

./bin/rails runner 'PackageMetadata::CveEnrichmentSyncWorker.perform_async'

To verify that the data has been synced, run the following from the Rails console; if it returns a number, the data has been synced.

PackageMetadata::CveEnrichment.count
  • Enable the feature flags:
bin/rails runner "Feature.enable(:associate_security_findings_enrichment_records)"
bin/rails runner "Feature.enable(:security_policies_kev_filter)"
  1. Create a new project
  2. Go to Secure > Policies
  3. Click on New policy
  4. Select Merge request approval policy
  5. Create a policy to block vulnerabilities with an epss_score greater than 0.2:
approval_policy:
  - name: Security Scan - Newly Detected
    description: ""
    enabled: true
    rules:
      - type: scan_finding
        scanners:
          - dependency_scanning
        vulnerabilities_allowed: 0
        severity_levels: []
        vulnerability_states:
          - new_needs_triage
        branch_type: protected
        vulnerability_attributes:
          enrichment_data_unavailable:
            action: 'block'
          epss_score:
            operator: greater_than
            value: 0.2
          known_exploited: false
    actions:
      - type: require_approval
        approvals_required: 1
        role_approvers:
          - developer
          - maintainer
          - owner
      - type: send_bot_message
        enabled: true
    approval_settings:
      block_branch_modification: false
      prevent_pushing_and_force_pushing: false
      prevent_approval_by_author: false
      prevent_approval_by_commit_author: false
      remove_approvals_with_new_commit: false
      require_password_to_approve: false
    fallback_behavior:
      fail: closed
  6. Click on Create new project with the new policy
  7. Merge the MR to add the policy
  8. Go back to the project created on step 1
  9. Add a .gitlab-ci.yml with the content:
include:
  - template: 'Jobs/Dependency-Scanning.gitlab-ci.yml'
  10. Create an MR adding a requirements.txt to introduce CVE-2020-14343, using the content:
PyYAML==3.12
  11. Wait for the pipeline to finish
  12. Verify the MR is not blocked, because the epss_score is lower than 0.2
  13. Simulate an update from an execution of PackageMetadata::CveEnrichmentSyncWorker

In the Rails console, update the PackageMetadata::CveEnrichment record related to CVE-2020-14343:

enrichment = PackageMetadata::CveEnrichment.by_cves('CVE-2020-14343').first
enrichment.epss_score = 0.21
enrichment.save!
  14. Trigger the Security::SyncFindingEnrichmentWorker
  15. Wait for the worker execution to complete and verify the MR is now blocked, because the updated epss_score is greater than 0.2
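The validation steps above exercise one decision: does a finding match the policy's enrichment filters before and after the EPSS score changes? The following added example (not GitLab's implementation, and not code from this MR) models that decision for the vulnerability_attributes block of the example policy, including the enrichment_data_unavailable fail-closed case; the policy hash and enrichment values are constructed.

```ruby
# Constructed copy of the vulnerability_attributes filters from the example policy.
POLICY_ATTRIBUTES = {
  enrichment_data_unavailable: { action: 'block' },
  epss_score: { operator: 'greater_than', value: 0.2 },
  known_exploited: false
}.freeze

# Hypothetical helper: applies a policy comparison operator to a numeric attribute.
def compare(operator, actual, expected)
  case operator
  when 'greater_than' then actual > expected
  when 'less_than' then actual < expected
  else raise ArgumentError, "unsupported operator: #{operator}"
  end
end

# enrichment is a hash with :epss_score and :known_exploited, or nil when no
# enrichment row has been synced yet for the finding's CVE.
# Returns true when the finding counts against vulnerabilities_allowed.
def finding_matches?(attributes, enrichment)
  if enrichment.nil?
    # No enrichment data: the enrichment_data_unavailable action decides.
    return attributes.dig(:enrichment_data_unavailable, :action) == 'block'
  end

  epss = attributes[:epss_score]
  return false if epss && !compare(epss[:operator], enrichment[:epss_score], epss[:value])

  kev = attributes[:known_exploited]
  return false if !kev.nil? && enrichment[:known_exploited] != kev

  true
end

# With vulnerabilities_allowed: 0 a single matching finding blocks the MR,
# which is why the approval state must be re-evaluated after an enrichment update.
def mr_blocked?(attributes, enrichments, vulnerabilities_allowed: 0)
  enrichments.count { |e| finding_matches?(attributes, e) } > vulnerabilities_allowed
end

before_sync = { epss_score: 0.1, known_exploited: false }   # constructed: not blocked
after_sync  = { epss_score: 0.21, known_exploited: false }  # constructed: blocked
puts "before: #{mr_blocked?(POLICY_ATTRIBUTES, [before_sync])}"
puts "after:  #{mr_blocked?(POLICY_ATTRIBUTES, [after_sync])}"
```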

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
