Skip to content

Fix race condition in deleting scan result policy violation

Sashi Kumar Kumaresan requested to merge sk/fix-violations into master

What does this MR do and why?

Fixes a potential race condition while deleting Security::ScanResultPolicyViolation when a project has multiple inherited security policy project. delete_in_batches(project.scan_result_policy_violations) deletes all ScanResultPolicyViolation associated to a project, but we want to delete those only related to the Security::OrchestrationPolicyConfiguration

Query Plan 

SELECT
    "scan_result_policy_violations"."id" 
FROM
    "scan_result_policy_violations" 
WHERE
    "scan_result_policy_violations"."scan_result_policy_id" IN (
        SELECT
            "scan_result_policies"."id" 
        FROM
            "scan_result_policies" 
        WHERE
            "scan_result_policies"."security_orchestration_policy_configuration_id" = 1027925 
            AND "scan_result_policies"."project_id" = 51803546
    )
 Nested Loop  (cost=0.71..9.79 rows=1 width=8) (actual time=11.242..11.247 rows=1 loops=1)
   Buffers: shared hit=4 read=6
   I/O Timings: read=10.966 write=0.000
   ->  Index Scan using index_scan_result_policies_on_position_in_configuration on public.scan_result_policies  (cost=0.43..3.45 rows=1 width=8) (actual time=9.239..9.241 rows=1 loops=1)
         Index Cond: ((scan_result_policies.security_orchestration_policy_configuration_id = 1027925) AND (scan_result_policies.project_id = 51803546))
         Buffers: shared hit=3 read=4
         I/O Timings: read=9.008 write=0.000
   ->  Index Scan using index_scan_result_policy_violations_on_policy_and_merge_request on public.scan_result_policy_violations  (cost=0.29..6.31 rows=3 width=16) (actual time=1.994..1.996 rows=1 loops=1)
         Index Cond: (scan_result_policy_violations.scan_result_policy_id = scan_result_policies.id)
         Buffers: shared hit=1 read=2
         I/O Timings: read=1.958 write=0.000

Time: 13.457 ms
  - planning: 2.129 ms
  - execution: 11.328 ms
    - I/O read: 10.966 ms
    - I/O write: 0.000 ms

Shared buffers:
  - hits: 4 (~32.00 KiB) from the buffer pool
  - reads: 6 (~48.00 KiB) from the OS file cache, including disk I/O
  - dirtied: 0
  - writes: 0

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Sashi Kumar Kumaresan

Merge request reports