Fix policy bot comment for competing approval rules
What does this MR do and why?
This MR fixes a wrong policy bot comment in certain situations. With the feature flag `security_policies_sync_preexisting_state` enabled and two active policies, one targeting previously existing vulnerabilities and one targeting newly detected vulnerabilities, the bot message could be incorrect due to a race condition between the two policies with the same rule type (`scan_finding`).
Related to #425482 (closed).
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
How to set up and validate locally
- Ensure that the feature flag `security_policies_sync_preexisting_state` is enabled. In the Rails console, run: `Feature.enable(:security_policies_sync_preexisting_state)`
- Add a `.gitlab-ci.yml` into the project:

```yaml
include:
  - template: Security/Container-Scanning.gitlab-ci.yml
  - template: Security/Secret-Detection.gitlab-ci.yml

job:
  script: echo 'test'

container_scanning:
  variables:
    CS_IMAGE: 'citizenstig/dvwa:latest'
```
- Go to Secure -> Policies and create two Merge request approval policies.
- First policy, targeting new vulnerabilities:

```yaml
type: approval_policy
name: New vulnerabilities
description: ''
enabled: true
rules:
  - type: scan_finding
    scanners:
      - secret_detection
    vulnerabilities_allowed: 0
    severity_levels: []
    vulnerability_states: []
    branch_type: protected
actions:
  - type: require_approval
    approvals_required: 1
    role_approvers:
      - developer
approval_settings:
  block_branch_modification: false
  prevent_pushing_and_force_pushing: false
```
- Second policy, targeting previously existing vulnerabilities:

```yaml
type: approval_policy
name: Pre-Existing Vulnerabilities
description: ''
enabled: true
rules:
  - type: scan_finding
    scanners:
      - container_scanning
    vulnerabilities_allowed: 0
    severity_levels: []
    vulnerability_states:
      - confirmed
      - dismissed
      - resolved
      - detected
    branch_type: protected
actions:
  - type: require_approval
    approvals_required: 1
    role_approvers:
      - developer
approval_settings:
  block_branch_modification: false
  prevent_pushing_and_force_pushing: false
```
- With the policies merged and active, create an MR by updating `README.md`.
- Pre-existing vulnerabilities will be evaluated before the pipeline finishes, and a policy bot message should appear.
- Verify that the message does not get updated to "resolved" when the pipeline finishes.
Edited by Martin Čavoj