Add dependency management security update scheduler
What does this MR do and why?
The scheduler is in charge of organizing the order of remediation for a project. It calls the vulnerable occurrences finder so that it first tries to retrieve the occurrences with the most severe findings. It then filters out any occurrences that cannot be remediated, and exits early if it reaches the max open merge request count at any point.
EE: true
Signed-off-by: Oscar Alberto Tovar otovar@gitlab.com
Change-Id: kznsunruotqtzkxsnqvqmxqvopzvsrty
Note on remediation count: The SchedulerService currently tracks remediation_count only within the scope of a single run (in-memory counter). It does not account for already-open remediation MRs from previous runs. This is called out as a TODO in the code - see #594095 for the follow-up to incorporate currently_open_remediation_count once MR tracking is implemented. Until then, the hard cap of 3 (MAX_OPEN_MERGE_REQUEST_LIMIT) applies per scheduler invocation, not globally.
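To make the per-invocation cap concrete, here is an added stand-alone model of the scheduling loop as the description and the note above characterize it. It is illustration code, not the SchedulerService or finder from this MR: the record type Occurrence, the helper names find_vulnerable_occurrences and schedule_remediations, the batch size and the sample rows are all assumptions; only the constant name MAX_OPEN_MERGE_REQUEST_LIMIT, its value of 3 and the currently_open_remediation_count idea from #594095 come from the text.

```ruby
# Added illustration of the scheduler loop described in this MR (not GitLab's code).
# Names other than MAX_OPEN_MERGE_REQUEST_LIMIT are assumptions for the example.

MAX_OPEN_MERGE_REQUEST_LIMIT = 3

# Constructed record: highest_severity is an integer where a higher value is
# more severe (the finder query filters on highest_severity = 6 for "critical").
Occurrence = Struct.new(:id, :highest_severity, :remediable, keyword_init: true)

# Stand-in for the vulnerable occurrences finder: returns batches in
# descending severity order, so the most severe findings are visited first.
def find_vulnerable_occurrences(occurrences, batch_size: 2)
  occurrences.sort_by { |o| -o.highest_severity }.each_slice(batch_size).to_a
end

# Returns the ids that would get a remediation MR in this run.
# currently_open_remediation_count models the follow-up in #594095: with the
# default of 0 the counter is purely in-memory, so the cap is per invocation,
# which is exactly the behaviour the note above calls out.
def schedule_remediations(occurrences, currently_open_remediation_count: 0)
  remediation_count = currently_open_remediation_count
  scheduled = []

  find_vulnerable_occurrences(occurrences).each do |batch|
    batch.each do |occurrence|
      # Early exit: stop as soon as the open-MR cap is reached.
      return scheduled if remediation_count >= MAX_OPEN_MERGE_REQUEST_LIMIT
      # Filter: skip occurrences that cannot be remediated (e.g. no fixed version).
      next unless occurrence.remediable

      scheduled << occurrence.id
      remediation_count += 1
    end
  end

  scheduled
end

# Constructed sample input (not real project data).
SAMPLE = [
  Occurrence.new(id: 1, highest_severity: 6, remediable: true),
  Occurrence.new(id: 2, highest_severity: 6, remediable: false), # skipped
  Occurrence.new(id: 3, highest_severity: 5, remediable: true),
  Occurrence.new(id: 4, highest_severity: 4, remediable: true),
  Occurrence.new(id: 5, highest_severity: 2, remediable: true)   # never reached
].freeze

if $PROGRAM_NAME == __FILE__
  p schedule_remediations(SAMPLE)                                      # [1, 3, 4]
  p schedule_remediations(SAMPLE, currently_open_remediation_count: 3) # []
end
```

Running the first call twice in a row (two scheduler invocations) yields [1, 3, 4] both times, which is the over-scheduling the TODO refers to; seeding currently_open_remediation_count from MR tracking is what turns the cap into a global one.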
Stacked Diffs
- master
  - Add security update workload creation service (!223849 - merged)
  - Add dependency management security update sched... (!224996 - merged)
  - Add Dependency Management Service Account Service (!228340)
  - Add dep. management security update merge reque... (!225540)
- auto remediation merge request creation worker
  - Add dep. management security update merge reque... (!225540)
  - Add security update workload creation service (!223849 - merged)
References
Relates to Implement the update scheduler worker and service (#583114)
Queries
Preload findings for vulnerabilities (with_vulnerabilities_and_findings scope)
The only new query introduced by this MR. The base finder queries (initial query and batch fetch) are unchanged from !223798 (merged) where they were already approved. This is the preload(vulnerabilities: :findings) query that Rails fires per batch to avoid N+1 when accessing vulnerability.findings:
select "vulnerability_occurrences".*
from "vulnerability_occurrences"
where "vulnerability_occurrences"."vulnerability_id" in (
  select "vulnerabilities"."id"
  from "vulnerabilities"
  inner join "sbom_occurrences_vulnerabilities"
    on "vulnerabilities"."id" = "sbom_occurrences_vulnerabilities"."vulnerability_id"
  where "sbom_occurrences_vulnerabilities"."sbom_occurrence_id" in (
    select "sbom_occurrences"."id"
    from "sbom_occurrences"
    inner join "sbom_occurrences_vulnerabilities"
      on "sbom_occurrences_vulnerabilities"."sbom_occurrence_id" = "sbom_occurrences"."id"
    inner join "vulnerabilities"
      on "vulnerabilities"."id" = "sbom_occurrences_vulnerabilities"."vulnerability_id"
    where "sbom_occurrences"."traversal_ids" = '{9970}'
      and "sbom_occurrences"."archived" = false
      and "sbom_occurrences"."project_id" = 278964
      and "sbom_occurrences"."package_manager" = 'yarn'
      and "sbom_occurrences"."highest_severity" = 6
      and "vulnerabilities"."state" in (1, 4)
      and "sbom_occurrences"."component_version_id" is not null
    order by "sbom_occurrences"."id" asc
    limit 100
  )
);
Screenshots or screen recordings
How to set up and validate locally
This service is not directly invocable from the UI or a web endpoint. It is designed to be called by a background worker after SBOM ingestion completes.
MR acceptance checklist
Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.