
Update match_on_inclusion to match_on_inclusion_license

What does this MR do and why?

This MR is the first MR updating the match_on_inclusion property on ScanResultPolicy to match_on_inclusion_license.

To avoid impacting existing policies that use the match_on_inclusion property, we are:

  1. Updating the JSON schema to support both attributes
  2. Updating the processing service to read from both attributes, falling back to the old name for existing policies
  3. Renaming the references to use match_on_inclusion_license

More context in this comment.

Related to: #424513 (closed)
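The schema-plus-fallback approach in the list above, worked through as an added example (not GitLab's code): a schema-style check that accepts either attribute name, a reader that prefers match_on_inclusion_license and falls back to match_on_inclusion, and the license evaluation that depends on it. The function names, the rejection of a rule that carries both keys with different values, and the sample scan result are assumptions made for the example; the policy YAML is the one from the validation steps below.

```ruby
# Added example (not GitLab's code): reading a license_finding rule that may use
# either the old attribute name (match_on_inclusion) or the new one
# (match_on_inclusion_license), with the fallback described in the MR.
# The function names and the "conflicting keys" rule are assumptions.
require 'yaml'

NEW_KEY = 'match_on_inclusion_license'
OLD_KEY = 'match_on_inclusion'

# Schema-like validation for one license_finding rule. Returns [valid, errors].
# Either attribute name is accepted (as the MR's JSON schema change allows);
# a rule carrying both names with different values is rejected, so the policy
# cannot mean "deny listed licenses" to one reader and "deny everything else"
# to another.
def validate_license_rule(rule)
  errors = []
  present = [NEW_KEY, OLD_KEY].select { |key| rule.key?(key) }
  errors << "one of #{NEW_KEY} or #{OLD_KEY} is required" if present.empty?
  present.each do |key|
    errors << "#{key} must be a boolean" unless [true, false].include?(rule[key])
  end
  if present.size == 2 && rule[NEW_KEY] != rule[OLD_KEY]
    errors << "#{NEW_KEY} and #{OLD_KEY} disagree"
  end
  types = rule['license_types']
  errors << 'license_types must be a non-empty array' unless types.is_a?(Array) && !types.empty?
  [errors.empty?, errors]
end

# Processing side: the new attribute wins when present; otherwise fall back to
# the old one so policies written before the rename keep their meaning.
# Raises KeyError if neither is set; callers validate the rule first.
def match_on_inclusion_license?(rule)
  return rule[NEW_KEY] if rule.key?(NEW_KEY)

  rule.fetch(OLD_KEY)
end

# Licenses from a scan that violate the rule and therefore trigger its actions.
#   true  -> licenses listed in license_types are denied (the "Deny MIT" case)
#   false -> licenses NOT listed in license_types are denied
def violating_licenses(rule, detected_licenses)
  listed = rule['license_types']
  if match_on_inclusion_license?(rule)
    detected_licenses.select { |license| listed.include?(license) }
  else
    detected_licenses.reject { |license| listed.include?(license) }
  end
end

# First license_finding rule of a policy given as YAML text.
def first_license_rule(policy_yaml)
  YAML.safe_load(policy_yaml).fetch('rules').find { |rule| rule['type'] == 'license_finding' }
end

# Constructed sample: the pre-rename policy from the validation steps.
OLD_STYLE_POLICY = <<~YAML
  type: scan_result_policy
  name: Deny MIT
  enabled: true
  rules:
    - type: license_finding
      match_on_inclusion: true
      license_types:
        - MIT License
      license_states:
        - newly_detected
      branch_type: protected
  actions:
    - type: require_approval
      approvals_required: 1
      role_approvers:
        - developer
YAML

# The same policy after the rename performed during validation.
NEW_STYLE_POLICY = OLD_STYLE_POLICY.sub('match_on_inclusion:', 'match_on_inclusion_license:')

if $PROGRAM_NAME == __FILE__
  detected = ['MIT License', 'Apache-2.0'] # constructed scan result
  [OLD_STYLE_POLICY, NEW_STYLE_POLICY].each do |policy|
    rule = first_license_rule(policy)
    valid, errors = validate_license_rule(rule)
    puts "#{rule.keys.grep(/match_on_inclusion/).first}: valid=#{valid} #{errors} " \
         "violations=#{violating_licenses(rule, detected)}"
  end
end
```

Both spellings of the policy yield the same violation set for the constructed scan result, which is the property the validation steps check by hand. The precedence rule (new key wins) matters only during the transition; rejecting a rule that carries both keys with different values at validation time avoids the case where the list view and the approval check disagree about what the policy denies.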

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

match_on_inclusion policy on the list (Screenshot_2024-01-26_at_8.06.53_AM)

match_on_inclusion policy blocking an MR (Screenshot_2024-01-26_at_9.42.24_AM)

match_on_inclusion_license policy on the list (Screenshot_2024-01-26_at_9.59.27_AM)

match_on_inclusion_license policy blocking an MR (Screenshot_2024-01-26_at_9.58.52_AM)

How to set up and validate locally

  1. Create a new project
  2. Add a .gitlab-ci.yml file with the content:

     ```yaml
     include:
       - template: Security/Dependency-Scanning.gitlab-ci.yml
     ```

  3. Add a new member to the project with developer access
  4. Go to Secure > Policies
  5. Click on New policy
  6. Select scan result policy
  7. Change to .yaml mode
  8. Copy the YAML below:

     ```yaml
     type: scan_result_policy
     name: Deny MIT
     enabled: true
     rules:
       - type: license_finding
         match_on_inclusion: true
         license_types:
           - MIT License
         license_states:
           - newly_detected
         branch_type: protected
     actions:
       - type: require_approval
         approvals_required: 1
         role_approvers:
           - developer
     ```

  9. Click on Configure with a merge request
  10. Merge the new MR to add the policy
  11. Go back to Secure > Policies and verify the new policy is visible
  12. Create a new MR adding a Gemfile.lock file with the following content:

      ```
      GEM
        remote: https://rubygems.org/
        specs:
          rack (3.0.4.1)

      PLATFORMS
        arm64-darwin-22

      DEPENDENCIES
        rack

      BUNDLED WITH
         2.4.22
      ```

  13. Verify the policy blocked the merge
  14. Go to Secure > Policies
  15. Edit the policy, changing match_on_inclusion to match_on_inclusion_license
  16. Click on Configure with a merge request
  17. Merge the new MR to update the policy
  18. Go back to Secure > Policies and verify the updated policy is visible
  19. Repeat steps 12 and 13
Edited by Marcos Rocha
