From 43f385c185b094b8ec874d5c7123dcf9e78db63c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thiago=20Figueir=C3=B3?= <tfigueiro@gitlab.com>
Date: Thu, 15 Feb 2024 10:15:53 +0000
Subject: [PATCH] Remove FF dependency_scanning_on_advisory_ingestion

Changelog: other
EE: true
---
 .../index.md | 5 +--
 ee/app/policies/ee/project_policy.rb | 9 +---
 .../ingestion/advisory/ingestion_service.rb | 5 ---
 ...endency_scanning_on_advisory_ingestion.yml | 8 ----
 ..._continuous_vulnerability_scanning_spec.rb | 41 +++++--------------
 .../advisory/ingestion_service_spec.rb | 17 ++++----
 6 files changed, 21 insertions(+), 64 deletions(-)
 delete mode 100644 ee/config/feature_flags/development/dependency_scanning_on_advisory_ingestion.yml

diff --git a/doc/user/application_security/continuous_vulnerability_scanning/index.md b/doc/user/application_security/continuous_vulnerability_scanning/index.md
index c5659cae6107b..3dc40244a0646 100644
--- a/doc/user/application_security/continuous_vulnerability_scanning/index.md
+++ b/doc/user/application_security/continuous_vulnerability_scanning/index.md
@@ -12,10 +12,7 @@ DETAILS:
 
 > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/371063) in GitLab 16.4 as an [Experiment](../../../policy/experiment-beta-support.md#experiment) with two [features flags](../../../administration/feature_flags.md) named `dependency_scanning_on_advisory_ingestion` and `package_metadata_advisory_sync`. Enabled by default.
 > - [Generally available](https://gitlab.com/gitlab-org/gitlab/-/issues/427424) in GitLab 16.7 with an additional feature flag named `global_dependency_scanning_on_advisory_ingestion`. Enabled by default.
-
-FLAG:
-On self-managed GitLab, by default this feature is available. To hide the feature, an administrator can [disable the feature flags](../../feature_flags.md) named `dependency_scanning_on_advisory_ingestion`.
-On GitLab.com, this feature is available.
+> - [Feature flag `dependency_scanning_on_advisory_ingestion` removed](https://gitlab.com/gitlab-org/gitlab/-/issues/425753) in GitLab 16.10.
 
 Continuous Vulnerability Scanning detects new vulnerabilities outside a pipeline.
 Your projects are automatically scanned whenever advisories are added to the [`GitLab Advisory Database`](https://advisories.gitlab.com/).
diff --git a/ee/app/policies/ee/project_policy.rb b/ee/app/policies/ee/project_policy.rb
index 98dc2ac6fa601..a76cafec400ed 100644
--- a/ee/app/policies/ee/project_policy.rb
+++ b/ee/app/policies/ee/project_policy.rb
@@ -447,6 +447,7 @@ module ProjectPolicy
 enable :read_project_audit_events
 enable :read_product_analytics
 enable :create_workspace
+ enable :enable_continuous_vulnerability_scans
 end
 
 rule { can?(:reporter_access) & iterations_available }.policy do
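Review bot: The added `enable :enable_continuous_vulnerability_scans` lands in a policy block whose `rule { ... }` header is outside this hunk, so the hunk alone does not show which role now grants the ability; the rule it replaces (removed in the `@@ -883` hunk of the same file) required `can?(:developer_access)`. If the enclosing block is gated on anything broader than developer access, the permission level changes silently, and nothing in this commit would catch it because the `project_set_continuous_vulnerability_scanning_spec.rb` change drops the only case that asserted an access error. A `ProjectPolicy` spec pinning both sides of the boundary would close that gap, e.g. `it { expect(described_class.new(reporter, project)).to be_disallowed(:enable_continuous_vulnerability_scans) }` next to the corresponding `be_allowed` case for a developer (with `reporter`/`developer` standing for users at those access levels).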
@@ -694,10 +695,6 @@ module ProjectPolicy
 .default_project_deletion_protection
 end
 
- condition(:continuous_vulnerability_scanning_available) do
- ::Feature.enabled?(:dependency_scanning_on_advisory_ingestion)
- end
-
 desc "Custom role on project that enables manage project access tokens"
 condition(:role_enables_manage_project_access_tokens) do
 ::Auth::MemberRoleAbilityLoader.new(
@@ -883,10 +880,6 @@ module ProjectPolicy
 (maintainer | owner | admin) & pages_multiple_versions_available
 end.enable :pages_multiple_versions
 
- rule { continuous_vulnerability_scanning_available & can?(:developer_access) }.policy do
- enable :enable_continuous_vulnerability_scans
- end
-
 rule { can?(:reporter_access) & tracing_enabled }.policy do
 enable :read_tracing
 end
diff --git a/ee/app/services/package_metadata/ingestion/advisory/ingestion_service.rb b/ee/app/services/package_metadata/ingestion/advisory/ingestion_service.rb
index 5e1e9f78be972..f11c082ac0e12 100644
--- a/ee/app/services/package_metadata/ingestion/advisory/ingestion_service.rb
+++ b/ee/app/services/package_metadata/ingestion/advisory/ingestion_service.rb
@@ -38,11 +38,6 @@ def publish!
 source_xid = data_object.source_xid
 advisory_xid = data_object.advisory_xid
 
- if source_xid == 'glad' && Feature.disabled?(:dependency_scanning_on_advisory_ingestion)
- log_skipped_advisory(source_xid, advisory_xid)
- next
- end
-
 if source_xid == 'trivy-db' && Feature.disabled?(:container_scanning_continuous_vulnerability_scans, Feature.current_request, type: :beta)
 log_skipped_advisory(source_xid, advisory_xid)
diff --git a/ee/config/feature_flags/development/dependency_scanning_on_advisory_ingestion.yml b/ee/config/feature_flags/development/dependency_scanning_on_advisory_ingestion.yml
deleted file mode 100644
index 6f913b849434e..0000000000000
--- a/ee/config/feature_flags/development/dependency_scanning_on_advisory_ingestion.yml
+++ /dev/null
@@ -1,8 +0,0 @@
----
-name: dependency_scanning_on_advisory_ingestion
-introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/127805
-rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/419550
-milestone: '16.3'
-type: development
-group: group::composition analysis
-default_enabled: true
diff --git a/ee/spec/requests/api/graphql/mutations/security/configuration/project_set_continuous_vulnerability_scanning_spec.rb b/ee/spec/requests/api/graphql/mutations/security/configuration/project_set_continuous_vulnerability_scanning_spec.rb
index f506b651045f0..c1101d32f6202 100644
--- a/ee/spec/requests/api/graphql/mutations/security/configuration/project_set_continuous_vulnerability_scanning_spec.rb
+++ b/ee/spec/requests/api/graphql/mutations/security/configuration/project_set_continuous_vulnerability_scanning_spec.rb
@@ -35,40 +35,21 @@
 project.add_developer(current_user)
 end
 
- context 'and feature is enabled' do
- before do
- stub_feature_flags(dependency_scanning_on_advisory_ingestion: true)
- end
-
- where(:value_before, :enable, :value_after) do
- true | false | false
- true | true | true
- false | true | true
- false | false | false
- end
-
- with_them do
- it 'updates the project setting and returns the new value' do
- post_graphql_mutation(mutation, current_user: current_user)
-
- response = graphql_mutation_response(mutation_name)
- expect(response).to include({ 'continuousVulnerabilityScanningEnabled' => value_after, 'errors' => [] })
-
- expect(security_setting.reload.continuous_vulnerability_scans_enabled).to eq(value_after)
- end
- end
+ where(:value_before, :enable, :value_after) do
+ true | false | false
+ true | true | true
+ false | true | true
+ false | false | false
 end
 
- context 'and feature is disabled' do
- before do
- stub_feature_flags(dependency_scanning_on_advisory_ingestion: false)
- end
+ with_them do
+ it 'updates the project setting and returns the new value' do
+ post_graphql_mutation(mutation, current_user: current_user)
 
- it_behaves_like 'a mutation that returns a top-level access error'
+ response = graphql_mutation_response(mutation_name)
+ expect(response).to include({ 'continuousVulnerabilityScanningEnabled' => value_after, 'errors' => [] })
 
- it 'does not enable cvs' do
- expect { post_graphql_mutation(mutation, current_user: current_user) }
- .not_to change { security_setting.reload.continuous_vulnerability_scans_enabled }
+ expect(security_setting.reload.continuous_vulnerability_scans_enabled).to eq(value_after)
 end
 end
 end
diff --git a/ee/spec/services/package_metadata/ingestion/advisory/ingestion_service_spec.rb b/ee/spec/services/package_metadata/ingestion/advisory/ingestion_service_spec.rb
index 2c4558fb25106..54d4d7efab907 100644
--- a/ee/spec/services/package_metadata/ingestion/advisory/ingestion_service_spec.rb
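Review bot: Deleting the 'and feature is disabled' context also deletes the only use of `it_behaves_like 'a mutation that returns a top-level access error'`, so after this hunk nothing in the spec asserts that a user below developer access is refused, even though the check now lives solely in `ProjectPolicy`. The `before` at the top of the hunk grants `project.add_developer(current_user)` inside a context whose opening line is outside the hunk, so a sibling context for a lower role would keep the access boundary covered; exact placement depends on that enclosing structure, which is not visible here.
```ruby
context 'when the user does not have developer access' do
  before do
    project.add_reporter(current_user)
  end

  it_behaves_like 'a mutation that returns a top-level access error'
end
```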
+++ b/ee/spec/services/package_metadata/ingestion/advisory/ingestion_service_spec.rb
@@ -12,11 +12,11 @@
 let(:old_advisories) { build_list(:pm_advisory_data_object, 5, published_date: Time.zone.now - 14.days - 1.second) }
 let(:import_data) { recent_advisories + old_advisories }
 
- where(:ds_ff_enabled, :cs_ff_enabled) do
- true | true
- true | false
- false | true
- false | false
+ where(:cs_ff_enabled) do
+ [
+ true,
+ false
+ ]
 end
 
 with_them do
@@ -31,7 +31,6 @@
 end
 
 before do
- stub_feature_flags(dependency_scanning_on_advisory_ingestion: ds_ff_enabled)
 value = cs_ff_enabled ? 100 : 0
 Feature.enable_percentage_of_actors(:container_scanning_continuous_vulnerability_scans, value)
 allow(Gitlab::AppJsonLogger).to receive(:warn).and_call_original
@@ -51,20 +50,20 @@
 .pluck(:source_xid, :advisory_xid)
 
 expected = recent_advisories.filter_map do |obj|
- if (obj.source_xid == 'glad' && ds_ff_enabled) || (obj.source_xid == 'trivy-db' && cs_ff_enabled)
+ if (obj.source_xid == 'glad') || (obj.source_xid == 'trivy-db' && cs_ff_enabled)
 [obj.source_xid, obj.advisory_xid]
 end
 end
 
 expect(received_advisories).to match_array(expected)
 
- if ds_ff_enabled || cs_ff_enabled
+ if cs_ff_enabled
 expect(Gitlab::AppJsonLogger).to have_received(:info)
 .with(message: 'Queued scan for advisory', source_xid: anything, advisory_xid: anything)
 .at_least(:once)
 end
 
- if !ds_ff_enabled || !cs_ff_enabled
+ unless cs_ff_enabled
 expect(Gitlab::AppJsonLogger).to have_received(:warn)
 .with(message: 'Skipped scan for advisory', source_xid: anything, advisory_xid: anything)
 .at_least(:once)
-- 
GitLab
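Review bot: In the `@@ -51` hunk the rewritten condition `if (obj.source_xid == 'glad') || (obj.source_xid == 'trivy-db' && cs_ff_enabled)` keeps parentheses around a bare comparison now that `&& ds_ff_enabled` is gone; `if obj.source_xid == 'glad' || (obj.source_xid == 'trivy-db' && cs_ff_enabled)` reads cleaner and is what the redundant-parentheses lint expects. Separately, the `:info` expectation is still guarded by `if cs_ff_enabled`, yet the service change in this commit makes glad advisories queue a scan unconditionally, so if `recent_advisories` includes glad entries (the factory defaults are not visible here) the 'Queued scan for advisory' log should be asserted on every row and the guard dropped — as written the test never checks the new always-on behaviour when the container-scanning flag is off. The `unless cs_ff_enabled` branch for the 'Skipped scan for advisory' warning is consistent with the service code.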