Update approvals_service to filter dismissed vulnerabilities
What does this MR do and why?
During the validation of issue #397057 (closed), we realized that the `new_dismissed` policy continues to require approval after the vulnerability is un-dismissed. This MR updates the `approvals_service` to consider only new dismissed vulnerabilities when a policy contains only the `new_dismissed` option as `vulnerability_states`.

Related issue #397057 (closed).
How to set up and validate locally
1. Create a new project.
2. Add another user to the project with at least developer access to prevent the policy from being auto-approved.
3. Create a new policy with the `vulnerability_states` `new_dismissed` and `new_needs_triage`, as described under "Create a new policy" below.
4. Create a new policy with the `vulnerability_states` `new_needs_triage`, as described under "Create a new policy" below.
5. Create a new policy with the `vulnerability_states` `new_dismissed`, as described under "Create a new policy" below.
6. Add a `.gitlab-ci.yml` with the content:

   ```yaml
   include:
     - template: Jobs/SAST.gitlab-ci.yml

   test-job:
     script:
       - echo "Test Job..."
   ```

7. Go to the project overview page.
8. Click on Web IDE.
9. Add a new Ruby script file with the code:

   ```ruby
   class Generic
     def run_on_system
       # Intentionally unsafe: user input interpolated into a shell command, so SAST reports a finding.
       system("cat #{params[:path]}")
     end
   end
   ```

10. Click on Commit & Push.
11. Click on Yes commit to a new branch.
12. Choose a branch name or accept the default one.
13. Click on Create MR.
    - This MR will introduce a new vulnerability.
14. Wait for the pipeline.
15. Verify that the MR requires approval from the `new_needs_triage` and `new_dismissed and new_needs_triage` policies and does not require approval from the `new_dismissed` policy.
16. Click on the Full report.
17. Go to the security tab.
18. Click on dismiss vulnerability.
19. Push a new commit to the MR branch that does not introduce a new vulnerability, e.g. add a new line.
20. Wait for the pipeline.
21. Verify that the MR requires approval from the `new_dismissed` and `new_dismissed and new_needs_triage` policies and does not require approval from the `new_needs_triage` policy.
22. Click on the Full report.
23. Go to the security tab.
24. Uncheck the Hide dismissed option.
25. Click on undo dismiss.
26. Repeat steps 19 and 20.
27. Verify that the MR requires approval from the `new_needs_triage` and `new_dismissed and new_needs_triage` policies again and does not require approval from the `new_dismissed` policy.
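As an added illustration of the behaviour this MR targets (example code, not GitLab's `approvals_service`; the `Finding` struct, the helper names and the policy table are assumptions), the following Ruby models how a policy's `vulnerability_states` should select the findings that count toward `require_approval`, then replays the three validation phases above (finding introduced, dismissed, un-dismissed) and reports which of the three policies should require approval in each:

```ruby
# Added example (not GitLab's own code): a simplified model of the state
# filtering described in this MR. Finding structure and names are assumed.
Finding = Struct.new(:id, :introduced_by_mr, :dismissed, keyword_init: true)

# Policy state a finding currently matches, or nil if it does not count.
# Only findings introduced by the MR are "new_*"; dismissal decides which one.
def policy_state_for(finding)
  return nil unless finding.introduced_by_mr
  finding.dismissed ? "new_dismissed" : "new_needs_triage"
end

# Findings matched by a policy, filtered strictly by the listed states, so a
# policy listing only new_dismissed ignores a finding once it is un-dismissed.
def matching_findings(findings, vulnerability_states)
  findings.select { |f| vulnerability_states.include?(policy_state_for(f)) }
end

def approval_required?(findings, vulnerability_states, vulnerabilities_allowed: 0)
  matching_findings(findings, vulnerability_states).size > vulnerabilities_allowed
end

# The three policies from the validation steps, keyed by the names used there.
POLICIES = {
  "new_needs_triage" => %w[new_needs_triage],
  "new_dismissed" => %w[new_dismissed],
  "new_dismissed and new_needs_triage" => %w[new_needs_triage new_dismissed],
}.freeze

# Replays the validation phases on one constructed finding and returns, per
# phase, the names of the policies that require approval.
def validation_walkthrough
  finding = Finding.new(id: 1, introduced_by_mr: true, dismissed: false)
  phases = {}
  [["introduced", false], ["dismissed", true], ["undismissed", false]].each do |phase, dismissed|
    finding.dismissed = dismissed
    phases[phase] = POLICIES.select { |_, states| approval_required?([finding], states) }.keys
  end
  phases
end

if __FILE__ == $PROGRAM_NAME
  validation_walkthrough.each { |phase, names| puts "#{phase}: #{names.inspect}" }
end
```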
Create a new policy
- Go to `/-/security/policies`.
- Click on New Policy.
- Select Scan result policy.
- Change to YAML mode and copy the content of the YAML policy below, updating the `name`, `vulnerability_states`, and `user_approvers_ids` as needed:

  ```yaml
  type: scan_result_policy
  name: Test new_dismissed and new_needs_triage
  description: ''
  enabled: true
  rules:
    - type: scan_finding
      branches: []
      scanners: []
      vulnerabilities_allowed: 0
      severity_levels:
        - critical
        - high
        - medium
        - low
        - unknown
        - info
      vulnerability_states:
        - new_needs_triage
        - new_dismissed
  actions:
    - type: require_approval
      approvals_required: 1
      user_approvers_ids:
        - 1
        - 49
  ```

- Click on Configure with a merge request.
- Merge the new MR.
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Edited by Andy Schoenen