Sync scan_result_policy_violations for license_scanning rules
What does this MR do and why?
In order to utilize the new table `scan_result_policy_violations` for the bot comment, we need to sync the violations not only for `scan_finding` and `any_merge_request` rules, but also for `license_scanning`.
More context can be found in this discussion.
This MR adds a sync for these violations so that the violation records will get removed in case there are no license policy violations.
How to set up and validate locally
- The sync of violations is tied to the `scan_result_any_merge_request` feature flag; it needs to be enabled for the violations to get populated in the DB: `Feature.enable(:scan_result_any_merge_request)`
- Packages will have to be synced for the licenses to be identified correctly: Guide. Alternatively, the dependency scanning artifacts can be "faked" via `.gitlab-ci.yml`.
- Go to Secure -> Policies and create a new policy for licenses. Sample YAML:
```yaml
type: scan_result_policy
name: Licenses
description: ''
enabled: true
rules:
  - type: license_finding
    match_on_inclusion: true
    license_types:
      - BSD 3-Clause "New" or "Revised" License
    license_states:
      - newly_detected
    branch_type: protected
actions:
  - type: require_approval
    approvals_required: 1
    user_approvers_ids:
      - 1
```
- Create an MR which violates the policy, for example by adding a file `requirements.txt` containing `pytest`
- Observe the row in the `scan_result_policy_violations` table for this merge request
- Update the MR to not violate the policy, for example by changing the package to `pluggy` (MIT license)
- The row in the `scan_result_policy_violations` table should be removed
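As an added example that is not part of this MR or of GitLab's own code: one way to "fake" the dependency scanning artifact for the steps above is a single CI job that writes a CycloneDX SBOM listing `pytest` and uploads it as a `cyclonedx` report, so the license policy has a dependency to evaluate once package metadata has been synced. The job name, image, the pinned `pytest` version and the `metadata.properties` entries are assumptions chosen for illustration; swap the component for `pluggy` to reproduce the non-violating second push.

```yaml
# Added example (not part of the MR): a .gitlab-ci.yml job that fakes the
# dependency scanning artifact by emitting a hand-written CycloneDX SBOM.
# Assumptions: job name, image, pytest version and the properties block.
stages:
  - test

fake-dependency-scanning:
  stage: test
  image: alpine:latest
  script:
    # Write a minimal CycloneDX report naming a single pip component.
    # The purl is what lets license identification map the package to PyPI.
    - |
      cat > gl-sbom-pip.cdx.json <<'EOF'
      {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "version": 1,
        "metadata": {
          "tools": [
            { "vendor": "GitLab", "name": "Gemnasium", "version": "4.0.0" }
          ],
          "properties": [
            { "name": "gitlab:dependency_scanning:input_file:path", "value": "requirements.txt" },
            { "name": "gitlab:dependency_scanning:package_manager:name", "value": "pip" }
          ]
        },
        "components": [
          {
            "type": "library",
            "name": "pytest",
            "version": "7.4.0",
            "purl": "pkg:pypi/pytest@7.4.0"
          }
        ]
      }
      EOF
  artifacts:
    # Uploading the file as a cyclonedx report is what makes the pipeline's
    # dependency list (and therefore the license policy evaluation) see it.
    reports:
      cyclonedx: gl-sbom-pip.cdx.json
```

Push this on the MR branch instead of a real `requirements.txt` scan; the policy evaluation only cares about the report, so changing the `components` entry to `pluggy` (MIT) should clear the `scan_result_policy_violations` row in the same way as editing the real file.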
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Related to #417598 (closed)
Edited by Martin Čavoj