Skip to content

Fix required approvals for mixed policies

Martin Čavoj requested to merge mc/fix-mixed-states-in-policy into master

What does this MR do and why?

This MR fixes a scenario where approvals wouldn't be required if policies mix new and previously existing vulnerability statuses and the source pipeline doesn't introduce any new vulnerabilities.

Here is an example project where the issue is reproduced: gitlab-org/govern/security-policies/martins-test-group/mixed-policies!3

  • There is a policy that should require approvals for previously existing vulnerabilities
  • There is a vulnerability under Secuire -> Vulnerability Report
  • Approvals are optional

I refactored the specs to flatten the unnecessary contexts and try to make it clearer in the tests which code path is tested.

There are optimizations of the tests included from !145504 (merged), so there will be potential conflicts in these specs.

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

How to set up and validate locally

  1. Create a project
  2. Add CI configuration:
    include:
      - template: Jobs/Secret-Detection.gitlab-ci.yml
    
    build-job:
      script:
        - echo "Compiling the code..."
        - echo "Compile complete."
  3. Create a policy that requires all vulnerability_states. Example:
    type: approval_policy
    name: Scans
    description: ''
    enabled: true
    rules:
      - type: scan_finding
        scanners: []
        vulnerabilities_allowed: 0
        severity_levels: []
        vulnerability_states:
          - new_needs_triage
          - new_dismissed
          - detected
          - confirmed
          - dismissed
          - resolved
        branch_type: protected
    actions:
      - type: require_approval
        approvals_required: 1
        role_approvers:
          - developer
  4. Create MR and introduce a vulnerability in the project and merge it. Example:
    diff --git a/.env b/.env
    new file mode 100644
    index 0000000000000000000000000000000000000000..ee4bf74ac3b632173dafc09e74ecd68c298bdfa1
    --- /dev/null
    +++ b/.env
    @@ -0,0 +1 @@
    +AWS_TOKEN=AKIAZYONPI3G4JNCCWGQ
    \ No newline at end of file
  5. Create MR that updates README and doesn't introduce any new vulnerabilities
  6. Verify that approvals are required
Edited by Martin Čavoj

Merge request reports

Loading