Fix scan result policies for empty severity levels

What does this MR do and why?

The policy editor usually fills the severity_levels field with an empty array. That empty array is then passed through as a filter option to Security::ScanResultPolicies::FindingsFinder, so the finder matches no findings and the policy never requires an approval. To fix this, we can ignore empty arrays when building the finder's filters.

How to set up and validate locally

  1. On the master branch.
  2. Create a new policy
    1. Create a project
    2. Add a .gitlab-ci.yml with secret detection (See .gitlab-ci.yml with secret detection example).
    3. On the left sidebar, select Security & Compliance and Policies.
    4. Select New Policy.
    5. Select Scan result policy.
    6. For Name choose any name.
    7. For Rules choose "when Security Scan Secret Detection runs against the All protected branches and find(s). Any vulnerabilities that match all of the following criteria:".
    8. Select Add new criteria and New severity
    9. Choose Select all
    10. In Actions, select "Require 1 approval from:".
    11. Select any user that is not you.
    12. As an alternative to steps 5 to 11, you can switch to .yaml mode and copy the Policy example below, replacing user_approvers_ids with a valid user ID that has access to the project.
    13. Select Configure with a merge request.
    14. Merge the MR.
  3. Produce an MR with a vulnerability finding.
    1. If you haven't already, set up a runner with Docker.
    2. Go to the project page and select the Web IDE button.
    3. Create a new file called .env.
    4. Add the following line to the file AWS_TOKEN='AKIAZYONPI3G4JNCCWGA'.
    5. Commit the changes to a new branch and start an MR.
    6. The pipeline's Security tab should show one finding.
  4. Verify the changes
    1. The MR should not require an approval regardless of the vulnerability finding.
    2. Switch to the andysoiron/fix-scan_result_policies_findings_finder-with-empty-severity_levels branch.
    3. Reset required approvals by updating the security policy again. For example, add an empty line to the end of .gitlab/security-policies/policy.yml.
    4. The MR should now require an approval.
`.gitlab-ci.yml` with secret detection

```yaml
# .gitlab-ci.yml

include:
  - template: Jobs/Secret-Detection.gitlab-ci.yml
test-job:
  script:
  - echo "Test Job..."
```
Policy example

```yaml
type: scan_result_policy
name: sdfsdf
description: ''
enabled: true
rules:
  - type: scan_finding
    branches: []
    scanners:
      - secret_detection
    vulnerabilities_allowed: 0
    severity_levels: []
    vulnerability_states: []
actions:
  - type: require_approval
    approvals_required: 1
    user_approvers_ids:
      - 82
```
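To make the failure mode described in this MR concrete, here is an added illustration (not GitLab's own Security::ScanResultPolicies::FindingsFinder, and not code from this MR): a toy in-memory finder fed the rule from the policy example above. The constructed sample findings, the `ToyFindingsFinder` class and the helper names are all assumptions made for the illustration. `execute_naive` applies `severity_levels: []` literally and so returns nothing, which is why the policy on master never asks for an approval; `execute` treats a nil or empty filter as "no filter on this field", which is the behaviour the fix restores.

```ruby
# Added illustration, not GitLab code: why an empty severity_levels array
# must be treated as "no severity filter" in a scan result policy finder.
require 'yaml'

# Constructed sample findings, shaped like entries on a pipeline's Security tab.
SAMPLE_FINDINGS = [
  { id: 1, scanner: 'secret_detection', severity: 'critical' },
  { id: 2, scanner: 'secret_detection', severity: 'low' },
  { id: 3, scanner: 'sast',             severity: 'high' }
].freeze

# The rule exactly as the policy editor writes it (severity_levels left empty).
POLICY_YAML = <<~YAML
  type: scan_result_policy
  rules:
    - type: scan_finding
      scanners:
        - secret_detection
      vulnerabilities_allowed: 0
      severity_levels: []
YAML

class ToyFindingsFinder
  def initialize(findings, params)
    @findings = findings
    @params = params
  end

  # Buggy behaviour: every param is applied literally, so severity_levels: []
  # becomes a filter that no finding can ever satisfy.
  def execute_naive
    @findings
      .select { |f| @params[:scanners].include?(f[:scanner]) }
      .select { |f| @params[:severity_levels].include?(f[:severity]) }
  end

  # Fixed behaviour: a nil or empty list means "do not filter on this field".
  def execute
    scanners   = presence(@params[:scanners])
    severities = presence(@params[:severity_levels])
    @findings
      .select { |f| scanners.nil? || scanners.include?(f[:scanner]) }
      .select { |f| severities.nil? || severities.include?(f[:severity]) }
  end

  private

  # Collapse nil and [] to nil so callers can test for "filter present".
  def presence(value)
    value.nil? || value.empty? ? nil : value
  end
end

# Pull the finder params out of the first rule of a scan_result_policy document.
def rule_params_from(yaml)
  rule = YAML.safe_load(yaml)['rules'].first
  {
    scanners: rule['scanners'],
    severity_levels: rule['severity_levels'],
    vulnerabilities_allowed: rule['vulnerabilities_allowed']
  }
end

# The policy requires approval when more findings match than are allowed.
def approval_required?(findings, params, naive: false)
  finder  = ToyFindingsFinder.new(findings, params)
  matched = naive ? finder.execute_naive : finder.execute
  matched.size > params[:vulnerabilities_allowed]
end

if __FILE__ == $PROGRAM_NAME
  params = rule_params_from(POLICY_YAML)
  puts "naive finder requires approval: #{approval_required?(SAMPLE_FINDINGS, params, naive: true)}"
  puts "fixed finder requires approval: #{approval_required?(SAMPLE_FINDINGS, params)}"
end
```

With the sample data the naive finder matches zero findings and never requests an approval, while the fixed finder matches both secret_detection findings (ids 1 and 2) and requests one; passing an explicit list such as `severity_levels: ['critical']` still narrows the result as intended.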

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Andy Schoenen
