Commit 7f1b6ac9 authored by Savas Vedova's avatar Savas Vedova

Merge branch 'protect-reorder-vuln-check' into 'master'

Reorder vuln check criteria

See merge request gitlab-org/gitlab!68503
parents 647312f4 17353fff
......@@ -194,14 +194,19 @@ merge request would introduce one of the following security issues:
When the Vulnerability-Check merge request rule is enabled, additional merge request approval
is required when the latest security report in a merge request:
- Contains a vulnerability of `high`, `critical`, or `unknown` severity that is not present in the
- Contains vulnerabilities that are not present in the
target branch. Note that approval is still required for dismissed vulnerabilities.
- Contains vulnerabilities with severity levels (for example, `high`, `critical`, or `unknown`)
matching the rule's severity levels.
- Contains a vulnerability count higher than the rule allows.
- Is not generated during pipeline execution.
An approval is optional when the security report:
- Contains no new vulnerabilities when compared to the target branch.
- Contains only new vulnerabilities of `low` or `medium` severity.
- Contains only vulnerabilities with severity levels (for example, `low`, `medium`) **NOT** matching
the rule's severity levels.
- Contains a vulnerability count equal to or less than what the rule allows.
When the License-Check merge request rule is enabled, additional approval is required if a merge
request contains a denied license. For more details, see [Enabling license approvals within a project](../compliance/license_compliance/index.md#enabling-license-approvals-within-a-project).
......@@ -219,16 +224,19 @@ Follow these steps to enable `Vulnerability-Check`:
1. Go to your project and select **Settings > General**.
1. Expand **Merge request approvals**.
1. Select **Enable** or **Edit**.
1. Add or change the **Rule name** to `Vulnerability-Check` (case sensitive).
1. Set the **No. of approvals required** to greater than zero.
1. Set the **Security scanners** that the rule applies to.
1. Select the **Target branch**.
1. Set the **Vulnerabilities allowed** to the number of vulnerabilities allowed before the rule is
triggered.
1. Set the **Severity levels** to the severity levels that the rule applies to.
1. Set the **Approvals required** to the number of approvals that the rule requires.
1. Select the users or groups to provide approval.
1. Select **Add approval rule**.
Once this group is added to your project, the approval rule is enabled for all merge requests.
Any code changes cause the approvals required to reset.
![Vulnerability Check Approver Rule](img/vulnerability-check_v13_4.png)
![Vulnerability Check Approver Rule](img/vulnerability-check_v14_2.png)
## Using private Maven repositories
......
......@@ -461,21 +461,6 @@ export default {
data-testid="name"
/>
</gl-form-group>
<gl-form-group
v-if="showProtectedBranch"
:label="$options.APPROVAL_DIALOG_I18N.form.protectedBranchLabel"
:description="$options.APPROVAL_DIALOG_I18N.form.protectedBranchDescription"
:state="isValidBranches"
:invalid-feedback="invalidBranches"
data-testid="branches-group"
>
<protected-branches-selector
v-model="branchesToAdd"
:project-id="settings.projectId"
:is-invalid="!isValidBranches"
:selected-branches="branches"
/>
</gl-form-group>
<gl-form-group
v-if="isVulnerabilityCheck"
:label="$options.APPROVAL_DIALOG_I18N.form.scannersLabel"
......@@ -504,6 +489,38 @@ export default {
</gl-dropdown-item>
</gl-dropdown>
</gl-form-group>
<gl-form-group
v-if="showProtectedBranch"
:label="$options.APPROVAL_DIALOG_I18N.form.protectedBranchLabel"
:description="$options.APPROVAL_DIALOG_I18N.form.protectedBranchDescription"
:state="isValidBranches"
:invalid-feedback="invalidBranches"
data-testid="branches-group"
>
<protected-branches-selector
v-model="branchesToAdd"
:project-id="settings.projectId"
:is-invalid="!isValidBranches"
:selected-branches="branches"
/>
</gl-form-group>
<gl-form-group
v-if="isVulnerabilityCheck"
:label="$options.APPROVAL_DIALOG_I18N.form.vulnerabilitiesAllowedLabel"
:description="$options.APPROVAL_DIALOG_I18N.form.vulnerabilitiesAllowedDescription"
:state="isValidVulnerabilitiesAllowed"
:invalid-feedback="invalidVulnerabilitiesAllowedError"
data-testid="vulnerability-amount-group"
>
<gl-form-input
v-model.number="vulnerabilitiesAllowed"
:state="isValidVulnerabilitiesAllowed"
min="0"
class="mw-6em"
type="number"
data-testid="vulnerability-amount"
/>
</gl-form-group>
<gl-form-group
v-if="isVulnerabilityCheck"
:label="$options.APPROVAL_DIALOG_I18N.form.severityLevelsLabel"
......@@ -548,23 +565,6 @@ export default {
data-qa-selector="approvals_required_field"
/>
</gl-form-group>
<gl-form-group
v-if="isVulnerabilityCheck"
:label="$options.APPROVAL_DIALOG_I18N.form.vulnerabilitiesAllowedLabel"
:description="$options.APPROVAL_DIALOG_I18N.form.vulnerabilitiesAllowedDescription"
:state="isValidVulnerabilitiesAllowed"
:invalid-feedback="invalidVulnerabilitiesAllowedError"
data-testid="vulnerability-amount-group"
>
<gl-form-input
v-model.number="vulnerabilitiesAllowed"
:state="isValidVulnerabilitiesAllowed"
min="0"
class="mw-6em"
type="number"
data-testid="vulnerability-amount"
/>
</gl-form-group>
<gl-form-group
:label="$options.APPROVAL_DIALOG_I18N.form.approversLabel"
:state="isValidApprovers"
......
......@@ -44,7 +44,7 @@ export default {
'SecurityApprovals|Configurable if security scanners are enabled. %{linkStart}Learn more.%{linkEnd}',
),
enableDescription: s__(
'SecurityApprovals|Requires approval for vulnerabilities of Critical, High, or Unknown severity. %{linkStart}Learn more.%{linkEnd}',
'SecurityApprovals|Requires approval for vulnerabilities. %{linkStart}Learn more.%{linkEnd}',
),
docsPath: this.vulnerabilityCheckHelpPagePath,
},
......
......@@ -27,7 +27,7 @@ export const APPROVAL_RULE_CONFIGS = {
[VULNERABILITY_CHECK_NAME]: {
title: s__('SecurityApprovals|Vulnerability-Check'),
popoverText: s__(
'SecurityApprovals|A merge request approval is required when a security report contains a new vulnerability of high, critical, or unknown severity.',
'SecurityApprovals|A merge request approval is required when a security report contains a new vulnerability.',
),
documentationText: s__('SecurityApprovals|Learn more about Vulnerability-Check'),
},
......
......@@ -29472,7 +29472,7 @@ msgstr ""
msgid "Security report is out of date. Run %{newPipelineLinkStart}a new pipeline%{newPipelineLinkEnd} for the target branch (%{targetBranchName})"
msgstr ""
msgid "SecurityApprovals|A merge request approval is required when a security report contains a new vulnerability of high, critical, or unknown severity."
msgid "SecurityApprovals|A merge request approval is required when a security report contains a new vulnerability."
msgstr ""
msgid "SecurityApprovals|A merge request approval is required when test coverage declines."
......@@ -29508,7 +29508,7 @@ msgstr ""
msgid "SecurityApprovals|Requires approval for decreases in test coverage. %{linkStart}More information%{linkEnd}"
msgstr ""
msgid "SecurityApprovals|Requires approval for vulnerabilities of Critical, High, or Unknown severity. %{linkStart}Learn more.%{linkEnd}"
msgid "SecurityApprovals|Requires approval for vulnerabilities. %{linkStart}Learn more.%{linkEnd}"
msgstr ""
msgid "SecurityApprovals|Test coverage must be enabled. %{linkStart}Learn more%{linkEnd}."
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment