Scan result policy MR approvals are not enforced when a security job is re-run manually
Summary
When an MR pipeline has a security scan job that does not detect new vulnerabilities on its first run, the scan result policy does not enforce approval as expected afterwards. When the same job is re-run and completes, approvals are not enforced even when the job now detects vulnerabilities that fail the policy condition. The same happens when the pipeline is retried or a new pipeline is triggered for the MR.
Steps to reproduce
1. Create a project, create a new branch, and make that branch a protected branch.
2. Create a second project that stores the vulnerability report files. Add these files to this project; at the beginning the content of the first two files is the same:
   - gl-dependency-scanning-report.json
3. Add a scan result policy that requires approval when new vulnerabilities are detected:

```yaml
name: Block Vulnerabilities
description: ''
enabled: true
actions:
  - type: require_approval
    approvals_required: 1
    user_approvers_ids:
      - 5250128
      - 4770942
rules:
  - type: scan_finding
    scanners: []
    vulnerabilities_allowed: 0
    severity_levels: []
    vulnerability_states:
      - new_needs_triage
      - new_dismissed
    branch_type: protected
```

4. Add the following .gitlab-ci.yml file to the new branch you created in step 1 and execute the pipeline:

```yaml
semgrep-sast:
  stage: test
  script:
    - cp gl-sast-report_no_vulnerabilities.json gl-sast-report.json
  except:
    - tags
  artifacts:
    paths:
      - gl-sast-report.json
    reports:
      sast:
        - gl-sast-report.json

gemnasium-maven-dependency_scanning:
  stage: test
  script:
    - 'curl -o gl-dependency-scanning-report.json "https://gitlab.com/gl-demo-ultimate-ramarilla/tests/vulnerabilities-project/-/raw/main/gl-dependency-scanning-report.json"'
  except:
    - tags
  artifacts:
    paths:
      - gl-dependency-scanning-report.json
    reports:
      dependency_scanning:
        - gl-dependency-scanning-report.json
```

5. In the project of step 2, copy the content of gl-dependency-scanning-report_with_findings.json into gl-dependency-scanning-report.json so that the report now includes new vulnerabilities.
6. Re-run the manual job.
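To make the expected behaviour of the policy concrete, here is an added example (not GitLab's own implementation, and not from the reporter's projects) that approximates the scan_finding rule above offline: it diffs a baseline security report against the report produced by the re-run job and decides whether the approval rule should fire. The two reports are constructed inline in the GitLab security report layout (a top-level "vulnerabilities" list); the finding id, scanner id and the "EXAMPLE-0001" identifier are placeholders.

```python
"""Approximate the scan_finding rule of a scan result policy offline.

Added example, not GitLab's implementation: compares a baseline security
report with the report of a re-run job and reports whether the policy's
approval rule would be triggered. Sample reports below are constructed.
"""
import json

# The rule from the issue's policy as a plain dict (empty lists mean "any").
POLICY_RULE = {
    "type": "scan_finding",
    "scanners": [],
    "vulnerabilities_allowed": 0,
    "severity_levels": [],
    "vulnerability_states": ["new_needs_triage", "new_dismissed"],
}

# Constructed baseline: the first run found nothing.
BASELINE_REPORT = json.dumps({"version": "15.0.0", "vulnerabilities": []})

# Constructed re-run report: one new dependency-scanning finding with a
# placeholder identifier (not a real advisory).
RERUN_REPORT = json.dumps({
    "version": "15.0.0",
    "vulnerabilities": [
        {
            "id": "finding-0001",
            "category": "dependency_scanning",
            "name": "Example vulnerable dependency",
            "severity": "High",
            "scanner": {"id": "gemnasium-maven", "name": "Gemnasium Maven"},
            "identifiers": [
                {"type": "example", "name": "EXAMPLE-0001", "value": "EXAMPLE-0001"}
            ],
            "location": {
                "file": "pom.xml",
                "dependency": {"package": {"name": "example-lib"}, "version": "1.0.0"},
            },
        }
    ],
})


def finding_key(vuln):
    """Stable key for a finding: scanner id plus its sorted identifier values."""
    ids = tuple(sorted(i["value"] for i in vuln.get("identifiers", [])))
    return (vuln.get("scanner", {}).get("id", ""), ids)


def new_findings(baseline_json, rerun_json):
    """Findings present in the re-run report but absent from the baseline."""
    baseline = {finding_key(v) for v in json.loads(baseline_json)["vulnerabilities"]}
    return [v for v in json.loads(rerun_json)["vulnerabilities"]
            if finding_key(v) not in baseline]


def matches_rule(vuln, rule):
    """Apply the scanner and severity filters of a scan_finding rule."""
    scanners = rule.get("scanners") or []
    severities = [s.lower() for s in (rule.get("severity_levels") or [])]
    if scanners and vuln.get("scanner", {}).get("id") not in scanners:
        return False
    if severities and vuln.get("severity", "").lower() not in severities:
        return False
    return True


def approval_required(baseline_json, rerun_json, rule=POLICY_RULE):
    """True when more matching new findings exist than vulnerabilities_allowed."""
    # The policy only selects "new_*" states, so only findings missing from the
    # baseline count. Report files alone cannot tell needs_triage from
    # dismissed, but the policy selects both, so the distinction does not
    # change the outcome here.
    matching = [v for v in new_findings(baseline_json, rerun_json)
                if matches_rule(v, rule)]
    return len(matching) > rule.get("vulnerabilities_allowed", 0)


if __name__ == "__main__":
    print("approval required:", approval_required(BASELINE_REPORT, RERUN_REPORT))
```

Run against the two constructed reports, the re-run introduces one new High finding, vulnerabilities_allowed is 0, and no scanner or severity filter excludes it, so approval is required; that is the outcome the issue expects after step 6 and does not get.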
Example Project
https://gitlab.com/gl-demo-ultimate-ramarilla/tests/security-policy-manual-re-run-job
https://gitlab.com/gl-demo-ultimate-ramarilla/tests/vulnerabilities-project
What is the current bug behavior?
Scan result policy MR approvals are not enforced when a security job is re-run manually and the re-run adds new vulnerabilities.
- Pipeline first run, no new vulnerabilities were added:
What is the expected correct behavior?
Scan result policy MR approvals are enforced when a security job is re-run manually and the re-run adds new vulnerabilities.
Relevant logs and/or screenshots
Output of checks
Results of GitLab environment info
(For installations with the omnibus-gitlab package, run and paste the output of: `sudo gitlab-rake gitlab:env:info`) (For installations from source, run and paste the output of: `sudo -u git -H bundle exec rake gitlab:env:info RAILS_ENV=production`)
Results of GitLab application check
(For installations with the omnibus-gitlab package, run and paste the output of: `sudo gitlab-rake gitlab:check SANITIZE=true`) (For installations from source, run and paste the output of: `sudo -u git -H bundle exec rake gitlab:check RAILS_ENV=production SANITIZE=true`) (we will only investigate if the tests are passing)