Skip to content

Fix policy bot comment for competing approval rules

What does this MR do and why?

This MR fixes wrong policy bot comment in certain situations. With feature flag security_policies_sync_preexisting_state enabled and two active policies, one targeting previously existing and one targeting newly detected vulnerabilities, the bot message could be incorrect due to a race condition between the two policies with the same rule type (scan_finding).

Related to #425482 (closed).

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

How to set up and validate locally

  1. Ensure that feature flag security_policies_sync_preexisting_state is enabled. In rails console, run:
    Feature.enable(:security_policies_sync_preexisting_state)
  2. Add .gitlab-ci.yml into the project
    include:
        - template: Security/Container-Scanning.gitlab-ci.yml
          - template: Security/Secret-Detection.gitlab-ci.yml
    
    job:
      script: echo 'test'
    
    container_scanning:
      variables:
        CS_IMAGE: 'citizenstig/dvwa:latest'
  3. Go to Secure -> Policies and create two Merge request approval policies.
  4. First policy targeting new vulnerabilities:
    type: approval_policy
    name: New vulnerabilities
    description: ''
    enabled: true
    rules:
      - type: scan_finding
        scanners:
          - secret_detection
        vulnerabilities_allowed: 0
        severity_levels: []
        vulnerability_states: []
        branch_type: protected
    actions:
      - type: require_approval
        approvals_required: 1
        role_approvers:
          - developer
    approval_settings:
      block_branch_modification: false
      prevent_pushing_and_force_pushing: false
  5. Second policy targeting previously existing vulnerabilities:
    type: approval_policy
    name: Pre-Existing Vulnerabilities
    description: ''
    enabled: true
    rules:
      - type: scan_finding
        scanners:
          - container_scanning
        vulnerabilities_allowed: 0
        severity_levels: []
        vulnerability_states:
          - confirmed
          - dismissed
          - resolved
          - detected
        branch_type: protected
    actions:
      - type: require_approval
        approvals_required: 1
        role_approvers:
          - developer
    approval_settings:
      block_branch_modification: false
      prevent_pushing_and_force_pushing: false
  6. With the policies merged and active, create MR by updating README.md
  7. Pre-existing vulnerabilities will be evaluated before the pipeline finishes and a policy bot message should appear
  8. Verify that the message doesn't get updated to "resolved" when the pipeline finishes.
Edited by Martin Čavoj

Merge request reports

Loading