Disabling scan result policy does not refresh MR approval rules
### Summary

Disabled a scan result policy that is the only policy for a project/group; the MRs that already have the approval rules applied were not refreshed.

### Steps to reproduce

- Create only 1 scan result policy for a project
- Create an MR that violates the policy and check if approval is required
- Disable the policy
- Verify in the MR that the approval is not removed

### Example Project

https://gitlab.com/gitlab-org/govern/security-policies/sashis-test-group/perf-test/-/merge_requests/3

### What is the current *bug* behavior?

MR approvals are not refreshed after the policy is disabled

#### Policy

![Screenshot_2023-05-25_at_7.16.18_PM](/uploads/6a89823f58511179276485b0b4085442/Screenshot_2023-05-25_at_7.16.18_PM.png)

#### MR

![Screenshot_2023-05-25_at_7.17.01_PM](/uploads/7511d4503de299925c377b209a3378a9/Screenshot_2023-05-25_at_7.17.01_PM.png)

### What is the expected *correct* behavior?

MR approvals should be refreshed after the policy is disabled

### Possible fixes

- [ ] ~backend Update `Security::ProcessScanResultPolicyWorker` to remove the early return if `active_scan_result_policies` are empty

```diff diff --git a/ee/app/workers/security/process_scan_result_policy_worker.rb b/ee/app/workers/security/process_scan_result_policy_worker.rb index 1a54935a3add..46e1e428deb2 100644 --- a/ee/app/workers/security/process_scan_result_policy_worker.rb +++ b/ee/app/workers/security/process_scan_result_policy_worker.rb @@ -17,7 +17,6 @@ def perform(project_id, configuration_id) return unless project && configuration active_scan_result_policies = configuration.active_scan_result_policies - return if active_scan_result_policies.empty? sync_policies(project, configuration, active_scan_result_policies) ```
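
Review bot: with the `return if active_scan_result_policies.empty?` guard removed from `perform`, `sync_policies` is now called with an empty collection, and the diff shows no change to `sync_policies` itself. Please confirm that it removes the approval rules already applied to open MRs when given no policies, rather than being a no-op on empty input, and add a worker spec for the case in this report: the only policy is disabled while an MR already carries the approval rule. It is also worth noting that every project with a configuration but no active policies will now run the sync instead of returning early, so check that the added work is acceptable.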