SEP variables incorrectly assigned for multiple rule schedules
### Summary

The SEP variables builder may not assign the correct policy variables in the case of multiple rule schedules or multiple policies with different trigger types.

**This issue also covers the scenario described in #562039:** Variables defined in one SEP (e.g., scheduled) can incorrectly override variables in a different policy (e.g., triggered), causing pipelines to use wrong variable values.

### Steps to reproduce

#### Scenario 1: Multiple rule schedules (original issue)

1. Create a new project, navigate to `Secure > Policies` and create 2 **scan execution policies** of `type: schedule`. Example `policy.yml`:

```yaml
scan_execution_policy:
  - name: Periodic Policy A
    enabled: true
    rules:
      - type: schedule
        branch_type: default
        cadence: 0 0 * * *
    actions:
      - scan: secret_detection
  - name: Periodic Policy B
    description: ''
    enabled: true
    rules:
      - type: schedule
        branch_type: default
        cadence: 0 0 * * *
    actions:
      - scan: container_scanning
approval_policy: []
```

2. Set a breakpoint in `Variables::Builder::ScanExecutionPolicies`:

```diff
diff --git a/ee/lib/ee/gitlab/ci/variables/builder/scan_execution_policies.rb b/ee/lib/ee/gitlab/ci/variables/builder/scan_execution_policies.rb
index c9d712a124c5..2b265ded830a 100644
--- a/ee/lib/ee/gitlab/ci/variables/builder/scan_execution_policies.rb
+++ b/ee/lib/ee/gitlab/ci/variables/builder/scan_execution_policies.rb
@@ -19,6 +19,8 @@ def variables(job_name)
   ::Gitlab::Ci::Variables::Collection.new.tap do |variables|
     next variables unless enforce_scan_execution_policies_variables?(job_name)
 
+    binding.pry_shell
+
     variables_for_job(job_name).each do |key, value|
       variables.append(key: key, value: value.to_s)
     end
```

3. Manually execute the second rule schedule that should run Container Scanning:

```rb
user = User.find(1)
project = Project.find(PROJECT_ID)
config = project.all_security_orchestration_policy_configurations.first
sched = config.rule_schedules.last

Security::SecurityOrchestrationPolicies::RuleScheduleService
  .new(project: project, current_user: user)
  .execute(sched)
```

4. At the breakpoint, the `job_name` is `container-scanning-0`, but the return value of `#active_scan_variables` has no such key:

```
[1] pry(#<EE::Gitlab::Ci::Variables::Builder::ScanExecutionPolicies>)> active_scan_variables
=> {:"secret-detection-0"=>
  {"SECRET_DETECTION_HISTORIC_SCAN"=>"false", "SECRET_DETECTION_EXCLUDED_PATHS"=>""},
 :"container-scanning-1"=>{}}
[2] pry(#<EE::Gitlab::Ci::Variables::Builder::ScanExecutionPolicies>)> job_name
=> "container-scanning-0"
[3] pry(#<EE::Gitlab::Ci::Variables::Builder::ScanExecutionPolicies>)> active_scan_variables[job_name.to_sym]
=> nil
```

#### Scenario 2: Variables overridden across policies (from #562039)

1. Create a new project
2. Apply a **scheduled SEP** with `GITLAB_ADVANCED_SAST_ENABLED` = `true`
3. Apply a **triggered SEP** and set the same variable to `false`
4. Make a commit - the triggered SEP job incorrectly uses the value from the scheduled policy (`true`) instead of its own value (`false`)

### Root Cause

The mismatching keys and variable overrides stem from the [builder reading all active scan actions](https://gitlab.com/gitlab-org/gitlab/-/blob/71316a21bdc681c1237f1c9636953bbd70dd53b2/ee/lib/ee/gitlab/ci/variables/builder/scan_execution_policies.rb#L51), but the pipeline being created only for a subset of the scan actions (the specific rule schedule or trigger type).

### Example Project

- Scenario 2: https://gitlab.com/gitlab-org/security-risk-management/security-policies/team-member-environment/sashis-test-group/test-sep-advanced-sast/project-a

### What is the current *bug* behavior?

- Job variables incorrectly assigned (wrong job name index)
- Variables from one policy override variables in another policy

### What is the expected *correct* behavior?

- Job variables correctly assigned to matching job names
- Each policy's variables should only apply to jobs created by that policy

### Relevant logs and/or screenshots

n/a

### Output of checks

#### Results of GitLab environment info

n/a

#### Results of GitLab application Check

n/a

### Possible fixes/Implementation Plan

https://gitlab.com/gitlab-org/gitlab/-/merge_requests/182889
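The following is an added illustration of the root cause above, not GitLab's code and not the linked merge request. It is a toy model in which scan jobs are named `<scan>-<index>` (an assumed naming rule modelled on the `secret-detection-0` / `container-scanning-1` keys in the pry output) and both constructed policy sets mirror the two scenarios. The "buggy" lookup indexes the actions of every active policy, as the builder currently does; the "scoped" lookup indexes only the policies that produced the pipeline (the schedule being run, or the trigger type), so the index space matches the pipeline's own job names.

```ruby
# Added illustration, not GitLab's code. A toy model of the root cause: scan
# jobs are named "<scan>-<index>", and the variables builder indexes the actions
# of ALL active policies, while the pipeline was built from only a subset of
# them (one rule schedule, or the policies matching one trigger type). The
# naming rule is an assumption modelled on the "secret-detection-0" /
# "container-scanning-1" keys in the pry output above; policies are constructed.

# Scenario 1: two scheduled policies (mirrors the policy.yml above).
SCENARIO1_POLICIES = [
  { name: "Periodic Policy A", trigger: :schedule,
    actions: [{ scan: "secret_detection",
                variables: { "SECRET_DETECTION_HISTORIC_SCAN" => "false" } }] },
  { name: "Periodic Policy B", trigger: :schedule,
    actions: [{ scan: "container_scanning", variables: {} }] }
].freeze

# Scenario 2: a scheduled and a triggered policy setting the same variable.
SCENARIO2_POLICIES = [
  { name: "Scheduled SAST", trigger: :schedule,
    actions: [{ scan: "sast",
                variables: { "GITLAB_ADVANCED_SAST_ENABLED" => "true" } }] },
  { name: "Triggered SAST", trigger: :pipeline,
    actions: [{ scan: "sast",
                variables: { "GITLAB_ADVANCED_SAST_ENABLED" => "false" } }] }
].freeze

# Job name: dasherized scan type plus the action's position in the list it was
# generated from. The position is what goes wrong when the lists differ.
def job_names(actions)
  actions.each_with_index.map { |action, idx| "#{action[:scan].tr('_', '-')}-#{idx}" }
end

# job name => policy variables, for one list of actions.
def variables_by_job(actions)
  job_names(actions).zip(actions.map { |a| a[:variables] }).to_h
end

# Buggy lookup (current behaviour): indexes every active action, regardless of
# which policies the pipeline was actually created for.
def buggy_variables_for_job(policies, job_name)
  variables_by_job(policies.flat_map { |p| p[:actions] })[job_name]
end

# Scoped lookup (expected behaviour): only the policies selected by the block
# (the schedule being run, or the trigger type) contribute actions, so the
# index space is the same one the pipeline's job names came from.
def scoped_variables_for_job(policies, job_name, &selector)
  variables_by_job(policies.select(&selector).flat_map { |p| p[:actions] })[job_name]
end

# Scenario 1: only Periodic Policy B's schedule runs; its pipeline has one job,
# "container-scanning-0", but the builder indexed that action as
# "container-scanning-1", so the buggy lookup finds nothing.
def scenario1
  job = "container-scanning-0"
  {
    buggy: buggy_variables_for_job(SCENARIO1_POLICIES, job),
    scoped: scoped_variables_for_job(SCENARIO1_POLICIES, job) { |p| p[:name] == "Periodic Policy B" }
  }
end

# Scenario 2: a push runs only the :pipeline policy, whose job is "sast-0".
# Indexed across both policies, "sast-0" is the scheduled policy's action, so
# its value "true" is handed to the triggered job.
def scenario2
  job = "sast-0"
  {
    buggy: buggy_variables_for_job(SCENARIO2_POLICIES, job),
    scoped: scoped_variables_for_job(SCENARIO2_POLICIES, job) { |p| p[:trigger] == :pipeline }
  }
end

if __FILE__ == $PROGRAM_NAME
  p scenario1
  p scenario2
end
```

Run with `ruby sep_variables_model.rb`: scenario 1 returns `nil` for the buggy lookup (the missing-key symptom from the pry session) and `{}` for the scoped one; scenario 2 returns the scheduled policy's `"true"` for the buggy lookup and the triggered policy's own `"false"` for the scoped one. The fix direction this models is to feed the builder only the actions that generated the pipeline's jobs, rather than every active action in the project.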