Alan (Maciej) Paruszewski (9975857b) at 18 Mar 12:41
Address MR comments
Thanks a lot, I've also included changes for ee/app/services/security/findings/policy_severity_override_checker.rb; thanks for great review, @mcavoj!
Good point, added!
Alan (Maciej) Paruszewski (f90b335e) at 18 Mar 10:49
When the agent creates migrations it often generates a wrong timestamp. If we ask it to use rails g migration we make sure migrations are created correctly
Alan (Maciej) Paruszewski (ee8aff99) at 18 Mar 10:49
Merge branch 'update-sp-dev-db-migrations' into 'main'
... and 1 more commit
Sure, @Andyschoenen, sounds good!
Alan (Maciej) Paruszewski (db9b055f) at 18 Mar 10:48
Do not change unknown severity
Alan (Maciej) Paruszewski (5778ecc6) at 18 Mar 09:51
Adress MR comments
It follows https://gitlab.com/gitlab-org/gitlab/-/blob/1eb4a3a7ddf52c49ab854b2cdc64d181852ab011/app/models/concerns/enums/vulnerability.rb#L21-30; however the more I think about it I wonder how we could solve this problem. I would exclude unknown from the increase/decrease ladder entirely and only allow set operations on unknown vulnerabilities.
Alan (Maciej) Paruszewski (0013f092) at 17 Mar 23:53
Remove failing spec
Alan (Maciej) Paruszewski (e07e6e33) at 17 Mar 23:34
Fix failing spec
@arfedoro, I agree it requires additional verification from design perspective (especially for GA release). As this is mainly Experimental feature that we will build and we want to iterate, this is probably acceptable (@marissa.henri to confirm).
In the future (when we implement Policies V2) Security Attributes would not be a part of Policy Scope, but part of Policy Rules instead, as you might want to have different actions based on different project attributes.
Alan (Maciej) Paruszewski (44d78805) at 17 Mar 23:25
Add missing spec
Thanks a lot @mcavoj, I think I managed to address all of them!
Alan (Maciej) Paruszewski (322f3566) at 17 Mar 23:17
Address MR comments
Added test with competing policies context: one policy decreases severity (high → medium) and another increases it (high → critical), confirming the highest-severity policy wins.
Fixed - the override record now has original_severity: :high, new_severity: :critical and the vulnerability/finding are updated to :critical in the before block.
The service itself doesn't match on severity values in the override record - it just checks for the existence of any manual override - but the setup is now more readible.