Fix required approvals for mixed policies
What does this MR do and why?
This MR fixes a scenario where approvals wouldn't be required if policies mix new and previously existing vulnerability statuses and the source pipeline doesn't introduce any new vulnerabilities.
Here is an example project where the issue is reproduced: gitlab-org/govern/security-policies/martins-test-group/mixed-policies!3
- There is a policy that should require approvals for previously existing vulnerabilities
- There is a vulnerability under Secure -> Vulnerability Report
- Approvals are optional
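The scenario above, modelled as an added example with a hypothetical rule evaluator (illustrative code, not GitLab's implementation of scan_finding rules): the buggy variant stops at the newly-detected half of a mixed rule, so a pipeline with no new findings leaves the approval optional, while the fixed variant also counts vulnerabilities already on the target branch. Rule and finding shapes are assumptions.

```ruby
# Hypothetical model of a scan_finding rule check (illustrative, not GitLab's code).
NEWLY_DETECTED_STATES = %w[new_needs_triage new_dismissed].freeze
PREVIOUSLY_EXISTING_STATES = %w[detected confirmed dismissed resolved].freeze

# rule: policy rule hash with 'vulnerability_states' and 'vulnerabilities_allowed'
# pipeline_findings: findings reported by the MR's source pipeline that are not
#   yet present on the target branch, each { state: 'new_needs_triage' }
# existing_vulns: vulnerabilities already on the target branch, each { state: 'detected' }

def count_matching(items, states)
  items.count { |item| states.include?(item[:state]) }
end

# Buggy behaviour: once the rule lists any newly-detected state, only the
# source pipeline's findings are counted; the previously existing states in
# the same rule are never evaluated, so a pipeline with no new findings makes
# the approval optional.
def approval_required_buggy?(rule, pipeline_findings, existing_vulns)
  states = rule['vulnerability_states']
  allowed = rule['vulnerabilities_allowed']
  new_states = states & NEWLY_DETECTED_STATES
  return count_matching(pipeline_findings, new_states) > allowed if new_states.any?

  count_matching(existing_vulns, states & PREVIOUSLY_EXISTING_STATES) > allowed
end

# Fixed behaviour: both halves of a mixed rule contribute to the count.
def approval_required_fixed?(rule, pipeline_findings, existing_vulns)
  states = rule['vulnerability_states']
  allowed = rule['vulnerabilities_allowed']
  total = count_matching(pipeline_findings, states & NEWLY_DETECTED_STATES) +
          count_matching(existing_vulns, states & PREVIOUSLY_EXISTING_STATES)
  total > allowed
end

# Constructed scenario matching the description: mixed policy, one vulnerability
# already on the target branch, README-only MR with no new findings.
MIXED_RULE = {
  'type' => 'scan_finding',
  'vulnerabilities_allowed' => 0,
  'vulnerability_states' => %w[new_needs_triage new_dismissed detected confirmed dismissed resolved]
}.freeze
EXISTING_VULNS = [{ state: 'detected' }].freeze
NO_NEW_FINDINGS = [].freeze

if __FILE__ == $PROGRAM_NAME
  puts "buggy: #{approval_required_buggy?(MIXED_RULE, NO_NEW_FINDINGS, EXISTING_VULNS)}" # false
  puts "fixed: #{approval_required_fixed?(MIXED_RULE, NO_NEW_FINDINGS, EXISTING_VULNS)}" # true
end
```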
I refactored the specs to flatten the unnecessary contexts and try to make it clearer in the tests which code path is tested.
There are optimizations of the tests included from !145504 (merged), so there will be potential conflicts in these specs.
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
How to set up and validate locally
- Create a project
- Add CI configuration:
```yaml
include:
  - template: Jobs/Secret-Detection.gitlab-ci.yml

build-job:
  script:
    - echo "Compiling the code..."
    - echo "Compile complete."
```
- Create a policy that requires all `vulnerability_states`. Example:

```yaml
type: approval_policy
name: Scans
description: ''
enabled: true
rules:
  - type: scan_finding
    scanners: []
    vulnerabilities_allowed: 0
    severity_levels: []
    vulnerability_states:
      - new_needs_triage
      - new_dismissed
      - detected
      - confirmed
      - dismissed
      - resolved
    branch_type: protected
actions:
  - type: require_approval
    approvals_required: 1
    role_approvers:
      - developer
```
- Create an MR that introduces a vulnerability in the project and merge it. Example:
diff --git a/.env b/.env new file mode 100644 index 0000000000000000000000000000000000000000..ee4bf74ac3b632173dafc09e74ecd68c298bdfa1 --- /dev/null +++ b/.env @@ -0,0 +1 @@ +AWS_TOKEN=AKIAZYONPI3G4JNCCWGQ \ No newline at end of file
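Review bot: the step should state that the value in `+AWS_TOKEN=AKIAZYONPI3G4JNCCWGQ` is a dummy sample and not a live credential, since readers are told to commit this hunk verbatim to a test project; the `AKIA` prefix is the AWS access key ID format, which is what the Secret-Detection job included by the CI configuration above picks up, so a clearly fake value with that prefix serves the reproduction just as well. Minor: the file ends with `\ No newline at end of file`, which is harmless for a one-line `.env` but worth a trailing newline if the example is meant to be copied as-is.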
- Create MR that updates README and doesn't introduce any new vulnerabilities
- Verify that approvals are required
Edited by Martin Čavoj