
Update approvals_service to filter dismissed vulnerabilities

What does this MR do and why?

During the validation of issue #397057 (closed), we realized that the new_dismissed policy continues to require approval after the vulnerability is un-dismissed.

This MR updates the approvals_service to consider only new dismissed vulnerabilities when a policy contains only the new_dismissed option as vulnerability_states.
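As an added illustration of the behaviour described above (this is not GitLab's approvals_service code, but a stand-alone simplified model written for this page): each entry in a rule's vulnerability_states becomes a predicate over findings, and the rule requires approval only when the findings matching its states exceed vulnerabilities_allowed. The Finding struct and the STATE_MATCHERS, requires_approval? and walkthrough names are assumptions made for this example, and only the two new_* states exercised by the MR are modelled. The walkthrough replays the validation scenario: the finding is newly detected and needs triage, is dismissed, then un-dismissed; after the undo, the policy that lists only new_dismissed must stop requiring approval.

```ruby
# Added example: a simplified, stand-alone model of how a scan result
# policy's vulnerability_states gate approval. It is NOT GitLab's
# approvals_service; Finding, STATE_MATCHERS, requires_approval? and
# walkthrough are names invented for this illustration.

Finding = Struct.new(:id, :state, :newly_detected, keyword_init: true)

# Maps each policy state token to the predicate a finding must satisfy.
# Only the two "new_*" states used in the MR's validation are modelled.
STATE_MATCHERS = {
  'new_needs_triage' => ->(f) { f.newly_detected && f.state == :needs_triage },
  'new_dismissed'    => ->(f) { f.newly_detected && f.state == :dismissed }
}.freeze

# Findings that fall under at least one of the rule's vulnerability_states.
def matching_findings(findings, vulnerability_states)
  matchers = vulnerability_states.map { |s| STATE_MATCHERS.fetch(s) }
  findings.select { |f| matchers.any? { |m| m.call(f) } }
end

# A rule requires approval when more findings match than it allows.
def requires_approval?(findings, vulnerability_states:, vulnerabilities_allowed: 0)
  matching_findings(findings, vulnerability_states).size > vulnerabilities_allowed
end

# The three policies created in the validation steps, keyed by name.
POLICIES = {
  'new_dismissed and new_needs_triage' => %w[new_dismissed new_needs_triage],
  'new_needs_triage'                   => %w[new_needs_triage],
  'new_dismissed'                      => %w[new_dismissed]
}.freeze

# Names of the policies that would block the MR for a given finding set.
def policies_requiring_approval(findings)
  POLICIES.select { |_, states| requires_approval?(findings, vulnerability_states: states) }.keys
end

# Constructed scenario mirroring the MR's validation steps: one finding
# newly introduced by the MR, then dismissed, then un-dismissed.
def walkthrough
  finding = Finding.new(id: 1, state: :needs_triage, newly_detected: true)
  before = policies_requiring_approval([finding])

  finding.state = :dismissed
  dismissed = policies_requiring_approval([finding])

  finding.state = :needs_triage # "undo dismiss" returns the finding to triage
  undismissed = policies_requiring_approval([finding])

  { before: before, dismissed: dismissed, undismissed: undismissed }
end

if __FILE__ == $PROGRAM_NAME
  walkthrough.each { |phase, names| puts "#{phase}: #{names.join(', ')}" }
end
```

The point the MR fixes shows up in the last phase: once the finding is back in the needs-triage state, the matcher for new_dismissed no longer selects it, so the policy with only new_dismissed drops out of the result while the other two policies behave exactly as they did before the dismissal.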

Related issue #397057 (closed).

How to set up and validate locally

  1. Create a new project
  2. Add another user to the project with at least developer access to prevent the policy from being auto-approved
  3. Create a new policy with the vulnerability_states new_dismissed and new_needs_triage, as described in "Create a new policy" below
  4. Create a new policy with the vulnerability_states new_needs_triage, as described in "Create a new policy" below
  5. Create a new policy with the vulnerability_states new_dismissed, as described in "Create a new policy" below
  6. Add a .gitlab-ci.yml with the content

     include:
       - template: Jobs/SAST.gitlab-ci.yml

     test-job:
       script:
         - echo "Test Job..."

  7. Go to the project overview page
  8. Click on Web IDE
  9. Add a new Ruby script file with the code below (the unsanitized `params[:path]` passed to `system` is the finding SAST will report):

     class Generic
       def run_on_system
         system("cat #{params[:path]}")
       end
     end

  10. Click on Commit & Push
  11. Click on Yes commit to a new branch
  12. Choose a branch name or accept the default one
  13. Click on Create MR
  14. This MR will introduce a new vulnerability.
  15. Wait for the pipeline
  16. Verify that the MR requires approval from the "new_needs_triage" policy and the "new_dismissed and new_needs_triage" policy, and does not require approval from the "new_dismissed" policy.

  [Screenshot: Screenshot_2023-05-15_at_5.54.12_PM]

  17. Click on the Full report
  18. Go to the security tab
  19. Click on dismiss vulnerability
  20. Push a new commit to the MR branch that does not introduce a new vulnerability, e.g. add a new line
  21. Wait for the pipeline
  22. Verify that the MR requires approval from the "new_dismissed" policy and the "new_dismissed and new_needs_triage" policy, and does not require approval from the "new_needs_triage" policy.

  [Screenshot: Screenshot_2023-05-15_at_6.06.30_PM]

  23. Click on the Full report
  24. Go to the security tab
  25. Uncheck the Hide dismissed option
  26. Click on undo dismiss
  27. Repeat steps 19 and 20
  28. Verify that the MR again requires approval from the "new_needs_triage" policy and the "new_dismissed and new_needs_triage" policy, and does not require approval from the "new_dismissed" policy.

  [Screenshot: Screenshot_2023-05-15_at_6.13.00_PM]

Create a new policy

  1. Go to /-/security/policies.
  2. Click on New Policy.
  3. Select Scan result policy.
  4. Change to YAML mode and copy the content of the YAML policy below, updating the name, vulnerability_states, and user_approvers_ids as needed
type: scan_result_policy
name: Test new_dismissed and new_needs_triage
description: ''
enabled: true
rules:
  - type: scan_finding
    branches: []
    scanners: []
    vulnerabilities_allowed: 0
    severity_levels:
      - critical
      - high
      - medium
      - low
      - unknown
      - info
    vulnerability_states:
      - new_needs_triage
      - new_dismissed
actions:
  - type: require_approval
    approvals_required: 1
    user_approvers_ids:
      - 1
      - 49
  5. Click on Configure with a merge request.
  6. Merge the new MR.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Andy Schoenen
