Propagate scan result rules related attributes
What does this MR do and why?
Current state: Source rules can be null if project approval rules are deleted or recreated. This blocks the MR, because those approvals won't be dismissed.
Proposed solution: Propagate scan result rules related attributes to the merge request level. This covers the case of orphan rules and will allow for the removal of logic related to approval project rule as a follow-up.
Report here: https://gitlab.com/gitlab-com/account-management/emea/travis-perkins/tp-pov/-/issues/18#note_967925201
Migration
$ bundle exec rails db:rollback:main
WARNING: This version of GitLab depends on gitlab-shell 14.7.1, but you're running 14.3.0. Please update gitlab-shell.
main: == 20220601223501 AddVulnerabilityRelatedColumns: reverting ===================
main: -- remove_column(:approval_merge_request_rules, :vulnerability_states, :text, {:array=>true, :null=>false, :default=>["newly_detected"]})
main: -> 0.0065s
main: -- remove_column(:approval_merge_request_rules, :severity_levels, :text, {:array=>true, :null=>false, :default=>[]})
main: -> 0.0007s
main: -- remove_column(:approval_merge_request_rules, :vulnerabilities_allowed, :integer, {:limit=>2, :null=>false, :default=>0})
main: -> 0.0007s
main: -- remove_column(:approval_merge_request_rules, :scanners, :text, {:array=>true, :null=>false, :default=>[]})
main: -> 0.0006s
main: == 20220601223501 AddVulnerabilityRelatedColumns: reverted (0.0158s) ==========
$ bundle exec rails db:migrate
WARNING: This version of GitLab depends on gitlab-shell 14.7.1, but you're running 14.3.0. Please update gitlab-shell.
main: == 20220601223501 AddVulnerabilityRelatedColumns: migrating ===================
main: -- add_column(:approval_merge_request_rules, :scanners, :text, {:array=>true, :null=>false, :default=>[]})
main: -> 0.0053s
main: -- add_column(:approval_merge_request_rules, :vulnerabilities_allowed, :integer, {:limit=>2, :null=>false, :default=>0})
main: -> 0.0013s
main: -- add_column(:approval_merge_request_rules, :severity_levels, :text, {:array=>true, :null=>false, :default=>[]})
main: -> 0.0010s
main: -- add_column(:approval_merge_request_rules, :vulnerability_states, :text, {:array=>true, :null=>false, :default=>["newly_detected"]})
main: -> 0.0011s
main: == 20220601223501 AddVulnerabilityRelatedColumns: migrated (0.0107s) ==========
Database-lab
exec ALTER TABLE approval_merge_request_rules
ADD vulnerability_states text[] NOT NULL DEFAULT '{newly_detected}'::text[];
Session: 10447
The query has been executed. Duration: 15.814 ms
exec ALTER TABLE approval_merge_request_rules
ADD severity_levels text[] NOT NULL DEFAULT '{}'::text[];
Session: 10447
The query has been executed. Duration: 2.813 ms
exec ALTER TABLE approval_merge_request_rules
ADD vulnerabilities_allowed smallint NOT NULL DEFAULT 0;
Session: 10447
The query has been executed. Duration: 11.137 ms
exec ALTER TABLE approval_merge_request_rules
ADD scanners text[] NOT NULL DEFAULT '{}'::text[];
Session: 10447
The query has been executed. Duration: 2.466 ms
How to set up and validate locally
- Create a security project as described in the docs
- Create a new scan result policy with the project owner (set scanners to anything but `container scanning`)
- In the Rails console, leave the following ready: `Project.find(<PROJECT-ID>).approval_rules.scan_finding.delete_all`
- Push a new MR with the following changes to `gitlab-ci.yml`:

  ```yaml
  include:
    - template: Security/Container-Scanning.gitlab-ci.yml
  variables:
    DOCKER_IMAGE: python:3.4-alpine
  ```

- As soon as the MR is created, run the command typed in the Rails console (step 3).
- Prior to this change: Approval is required.
- After this change: Approval is not required.
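An added illustration of the behaviour the validation steps exercise (example code, not GitLab's own): before the change the MR rule can only be evaluated through its project-level source rule, so an orphaned rule (source rule deleted) keeps approval required; after the change the MR rule carries its own copies of the four propagated columns. The matching semantics (empty scanner/severity lists match any finding) and all structs and data are constructed assumptions.

```ruby
# Constructed stand-in for a project approval rule (the "source rule").
ProjectRule = Struct.new(:scanners, :vulnerabilities_allowed,
                         :severity_levels, :vulnerability_states)

# Constructed stand-in for approval_merge_request_rules after the migration:
# it carries its own copies of the four columns and may have source_rule = nil.
MrRule = Struct.new(:source_rule, :scanners, :vulnerabilities_allowed,
                    :severity_levels, :vulnerability_states)

Finding = Struct.new(:scanner, :severity, :state)

# Count findings matched by the rule attributes (assumed, simplified
# semantics: an empty scanners or severity_levels list matches any finding).
def violations(findings, scanners:, severity_levels:, vulnerability_states:)
  findings.count do |f|
    (scanners.empty? || scanners.include?(f.scanner)) &&
      (severity_levels.empty? || severity_levels.include?(f.severity)) &&
      vulnerability_states.include?(f.state)
  end
end

# Before: the attributes live only on the project rule. With an orphaned MR
# rule (source_rule nil) there is nothing to evaluate, so approval stays required.
def approval_required_before?(mr_rule, findings)
  src = mr_rule.source_rule
  return true if src.nil?

  violations(findings, scanners: src.scanners, severity_levels: src.severity_levels,
             vulnerability_states: src.vulnerability_states) > src.vulnerabilities_allowed
end

# After: the MR rule evaluates its own propagated attributes, whether or not
# the project rule still exists.
def approval_required_after?(mr_rule, findings)
  violations(findings, scanners: mr_rule.scanners, severity_levels: mr_rule.severity_levels,
             vulnerability_states: mr_rule.vulnerability_states) > mr_rule.vulnerabilities_allowed
end

# Constructed scenario mirroring the validation steps: the policy's scanners
# exclude container scanning, the MR pipeline only produces a container
# scanning finding, and the project rule was deleted after the MR was created.
FINDINGS = [Finding.new('container_scanning', 'critical', 'newly_detected')].freeze
ORPHAN_RULE = MrRule.new(nil, ['sast'], 0, [], ['newly_detected'])

puts "before: #{approval_required_before?(ORPHAN_RULE, FINDINGS)}" # true
puts "after:  #{approval_required_after?(ORPHAN_RULE, FINDINGS)}"  # false
```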
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Edited by Zamir Martins