From 6828938792c8b8525faf1982f16d08d45510a0a3 Mon Sep 17 00:00:00 2001
From: Artur Fedorov <afedorov@gitlab.com>
Date: Fri, 21 Jul 2023 16:51:20 +0200
Subject: [PATCH 1/3] This MR adds ability to add branch exceptions

Security result policy can have branch
exceptions option configured via UI

Changelog: changed
EE: true
---
 .../components/branch_exception_selector.vue  | 82 +++++++++++++++++++
 .../components/constants.js                   | 13 +++
 .../components/policy_editor/constants.js     |  1 +
 .../scan_result_policy/lib/from_yaml.js       |  1 +
 .../license_scan_rule_builder.vue             | 22 ++++-
 .../security_scan_rule_builder.vue            | 22 ++++-
 .../branch_exception_selector_spec.js         | 72 ++++++++++++++++
 .../license_scan_rule_builder_spec.js         | 61 +++++++++++++-
 .../security_scan_rule_builder_spec.js        | 50 +++++++++++
 locale/gitlab.pot                             | 19 ++++-
 10 files changed, 338 insertions(+), 5 deletions(-)
 create mode 100644 ee/app/assets/javascripts/security_orchestration/components/branch_exception_selector.vue
 create mode 100644 ee/spec/frontend/security_orchestration/components/branch_exception_selector_spec.js

diff --git a/ee/app/assets/javascripts/security_orchestration/components/branch_exception_selector.vue b/ee/app/assets/javascripts/security_orchestration/components/branch_exception_selector.vue
new file mode 100644
index 00000000000000..f08cb98547219d
--- /dev/null
+++ b/ee/app/assets/javascripts/security_orchestration/components/branch_exception_selector.vue
@@ -0,0 +1,82 @@
+<script>
+import { GlSprintf, GlCollapsibleListbox } from '@gitlab/ui';
+import { s__, __ } from '~/locale';
+import ProjectBranchSelector from 'ee/vue_shared/components/branches_selector/project_branch_selector.vue';
+import { EXCEPTION_TYPE_ITEMS, NO_EXCEPTION_KEY, EXCEPTION_KEY } from './constants';
+
+export default {
+  EXCEPTION_TYPE_ITEMS,
+  NO_EXCEPTION_KEY,
+  i18n: {
+    exceptionText: s__(
+      'SecurityOrchestration|with %{exceptionType} %{preposition} %{branchSelector}',
+    ),
+    branchSelectorHeader: s__('SecurityOrchestration|Select exception branches'),
+    preposition: __('on'),
+  },
+  name: 'BranchExceptionSelector',
+  components: {
+    ProjectBranchSelector,
+    GlCollapsibleListbox,
+    GlSprintf,
+  },
+  inject: ['namespacePath'],
+  props: {
+    selectedExceptions: {
+      type: Array,
+      required: false,
+      default: () => [],
+    },
+  },
+  data() {
+    return {
+      selectedExceptionType: this.selectedExceptions.length > 0 ? EXCEPTION_KEY : NO_EXCEPTION_KEY,
+    };
+  },
+  computed: {
+    hasExceptions() {
+      return this.selectedExceptionType === EXCEPTION_KEY;
+    },
+  },
+  methods: {
+    setExceptionType(type) {
+      this.selectedExceptionType = type;
+    },
+    selectExceptions(value) {
+      this.$emit('select', { branch_exceptions: value });
+    },
+  },
+};
+</script>
+
+<template>
+  <div class="gl-display-flex gl-align-items-center gl-gap-3">
+    <gl-sprintf :message="$options.i18n.exceptionText">
+      <template #exceptionType>
+        <gl-collapsible-listbox
+          :items="$options.EXCEPTION_TYPE_ITEMS"
+          :selected="selectedExceptionType"
+          @select="setExceptionType"
+        />
+      </template>
+
+      <template #preposition>
+        <span v-if="hasExceptions" data-testid="exception-preposition">
+          {{ $options.i18n.preposition }}
+        </span>
+      </template>
+
+      <template #branchSelector>
+        <project-branch-selector
+          v-if="hasExceptions"
+          class="gl-max-w-48"
+          :header="$options.i18n.branchSelectorHeader"
+          :text="$options.i18n.branchSelectorHeader"
+          :project-full-path="namespacePath"
+          :selected="selectedExceptions"
+          @select="selectExceptions"
+        />
+      </template>
+    </gl-sprintf>
+  </div>
+</template>
diff --git a/ee/app/assets/javascripts/security_orchestration/components/constants.js b/ee/app/assets/javascripts/security_orchestration/components/constants.js
index 86d42ac3c055e6..48d7a58bfa77b3 100644
--- a/ee/app/assets/javascripts/security_orchestration/components/constants.js
+++ b/ee/app/assets/javascripts/security_orchestration/components/constants.js
@@ -20,3 +20,16 @@ export const POLICY_TYPE_COMPONENT_OPTIONS = {
 };
 
 export const POLICIES_LIST_CONTAINER_CLASS = '.js-security-policies-container-wrapper';
+
+export const EXCEPTION_KEY = 'exception';
+export const NO_EXCEPTION_KEY = 'no_exception';
+export const EXCEPTION_TYPE_ITEMS = [
+  {
+    value: EXCEPTION_KEY,
+    text: s__('SecurityOrchestration|Exceptions'),
+  },
+  {
+    value: NO_EXCEPTION_KEY,
+    text: s__('SecurityOrchestration|No exceptions'),
+  },
+];
diff --git a/ee/app/assets/javascripts/security_orchestration/components/policy_editor/constants.js b/ee/app/assets/javascripts/security_orchestration/components/policy_editor/constants.js
index 64b3aac3218013..c30f731832c318 100644
--- a/ee/app/assets/javascripts/security_orchestration/components/policy_editor/constants.js
+++ b/ee/app/assets/javascripts/security_orchestration/components/policy_editor/constants.js
@@ -157,6 +157,7 @@ export const VALID_SCAN_RESULT_BRANCH_TYPE_OPTIONS = [
 
 export const BRANCHES_KEY = 'branches';
 export const BRANCH_TYPE_KEY = 'branch_type';
+export const BRANCH_EXCEPTIONS_KEY = 'branch_exceptions';
 
 export const HUMANIZED_BRANCH_TYPE_TEXT_DICT = {
   [ALL_BRANCHES.value]: s__('SecurityOrchestration|any branch'),
diff --git a/ee/app/assets/javascripts/security_orchestration/components/policy_editor/scan_result_policy/lib/from_yaml.js b/ee/app/assets/javascripts/security_orchestration/components/policy_editor/scan_result_policy/lib/from_yaml.js
index 7baf940d379cbd..57fffb4bc59d43 100644
--- a/ee/app/assets/javascripts/security_orchestration/components/policy_editor/scan_result_policy/lib/from_yaml.js
+++ b/ee/app/assets/javascripts/security_orchestration/components/policy_editor/scan_result_policy/lib/from_yaml.js
@@ -19,6 +19,7 @@ export const fromYaml = ({ manifest, validateRuleMode = false }) => {
         'type',
         'branches',
         'branch_type',
+        'branch_exceptions',
         'license_states',
         'license_types',
         'match_on_inclusion',
diff --git a/ee/app/assets/javascripts/security_orchestration/components/policy_editor/scan_result_policy/license_scan_rule_builder.vue b/ee/app/assets/javascripts/security_orchestration/components/policy_editor/scan_result_policy/license_scan_rule_builder.vue
index ccafe61cc4c1d0..81b94c2d867e51 100644
--- a/ee/app/assets/javascripts/security_orchestration/components/policy_editor/scan_result_policy/license_scan_rule_builder.vue
+++ b/ee/app/assets/javascripts/security_orchestration/components/policy_editor/scan_result_policy/license_scan_rule_builder.vue
@@ -1,8 +1,10 @@
 <script>
 import { GlSprintf } from '@gitlab/ui';
 import { s__ } from '~/locale';
+import BranchExceptionSelector from 'ee/security_orchestration/components/branch_exception_selector.vue';
 import PolicyRuleBranchSelection from 'ee/security_orchestration/components/policy_editor/scan_result_policy/policy_rule_branch_selection.vue';
 import PolicyRuleMultiSelect from 'ee/security_orchestration/components/policy_rule_multi_select.vue';
+import { NAMESPACE_TYPES } from 'ee/security_orchestration/constants';
 import ScanFilterSelector from '../scan_filter_selector.vue';
 import { SCAN_RESULT_BRANCH_TYPE_OPTIONS } from '../constants';
 import ScanTypeSelect from './base_layout/scan_type_select.vue';
@@ -16,6 +18,7 @@ export default {
   FILTERS_ITEMS: [FILTERS[FILTERS_STATUS_INDEX]],
   STATUS,
   components: {
+    BranchExceptionSelector,
     BaseLayoutComponent,
     GlSprintf,
     LicenseFilter,
@@ -35,7 +38,7 @@ export default {
   i18n: {
     licenseStatuses: s__('ScanResultPolicy|license status'),
     licenseScanResultRuleCopy: s__(
-      'ScanResultPolicy|When %{scanType} in an open merge request targeting %{branches} and the licenses match all of the following criteria:',
+      'ScanResultPolicy|When %{scanType} in an open merge request targeting %{branches} %{branchExceptions} and the licenses match all of the following criteria:',
     ),
     tooltipFilterDisabledTitle: s__(
       'ScanResultPolicy|License scanning allows only one criteria: Status',
@@ -43,6 +46,12 @@ export default {
   },
   licenseStatuses: LICENSE_STATES,
   computed: {
+    projectNamespace() {
+      return this.namespaceType === NAMESPACE_TYPES.PROJECT;
+    },
+    branchExceptions() {
+      return this.initRule.branch_exceptions;
+    },
     branchTypes() {
       return SCAN_RESULT_BRANCH_TYPE_OPTIONS(this.namespaceType);
     },
@@ -66,6 +75,9 @@ export default {
     setBranchType(value) {
       this.$emit('changed', value);
     },
+    setBranchException(value) {
+      this.triggerChanged(value);
+    },
   },
 };
 </script>
@@ -94,6 +106,14 @@ export default {
                   @set-branch-type="setBranchType"
                 />
               </template>
+
+              <template #branchExceptions>
+                <branch-exception-selector
+                  v-if="projectNamespace"
+                  :selected-exceptions="branchExceptions"
+                  @select="setBranchException"
+                />
+              </template>
             </gl-sprintf>
           </template>
         </base-layout-component>
diff --git a/ee/app/assets/javascripts/security_orchestration/components/policy_editor/scan_result_policy/security_scan_rule_builder.vue b/ee/app/assets/javascripts/security_orchestration/components/policy_editor/scan_result_policy/security_scan_rule_builder.vue
index a7644c6b077596..6c4542ba804034 100644
--- a/ee/app/assets/javascripts/security_orchestration/components/policy_editor/scan_result_policy/security_scan_rule_builder.vue
+++ b/ee/app/assets/javascripts/security_orchestration/components/policy_editor/scan_result_policy/security_scan_rule_builder.vue
@@ -2,6 +2,8 @@
 import { GlSprintf } from '@gitlab/ui';
 import { s__ } from '~/locale';
 import { REPORT_TYPES_DEFAULT, SEVERITY_LEVELS } from 'ee/security_dashboard/store/constants';
+import { NAMESPACE_TYPES } from 'ee/security_orchestration/constants';
+import BranchExceptionSelector from 'ee/security_orchestration/components/branch_exception_selector.vue';
 import PolicyRuleMultiSelect from '../../policy_rule_multi_select.vue';
 import {
   ANY_OPERATOR,
@@ -38,10 +40,11 @@ export default {
   NEWLY_DETECTED,
   PREVIOUSLY_EXISTING,
   scanResultRuleCopy: s__(
-    'ScanResultPolicy|When %{scanType} %{scanners} runs against the %{branches} and find(s) %{vulnerabilitiesNumber} %{boldDescription} of the following criteria:',
+    'ScanResultPolicy|When %{scanType} %{scanners} runs against the %{branches} %{branchExceptions} and find(s) %{vulnerabilitiesNumber} %{boldDescription} of the following criteria:',
   ),
   components: {
     BaseLayoutComponent,
+    BranchExceptionSelector,
     GlSprintf,
     PolicyRuleBranchSelection,
     PolicyRuleMultiSelect,
@@ -78,6 +81,9 @@ export default {
     };
   },
   computed: {
+    projectNamespace() {
+      return this.namespaceType === NAMESPACE_TYPES.PROJECT;
+    },
     severityLevelsToAdd: {
       get() {
         return this.initRule.severity_levels;
@@ -89,6 +95,9 @@ export default {
     branchTypes() {
       return SCAN_RESULT_BRANCH_TYPE_OPTIONS(this.namespaceType);
     },
+    branchExceptions() {
+      return this.initRule.branch_exceptions;
+    },
     scannersToAdd: {
       get() {
         return this.initRule.scanners.length === 0
@@ -154,6 +163,9 @@ export default {
     setBranchType(value) {
       this.$emit('changed', value);
     },
+    setBranchException(value) {
+      this.triggerChanged(value);
+    },
     isFilterSelected(filter) {
       return Boolean(this.filters[filter]);
     },
@@ -289,6 +301,14 @@ export default {
                 />
               </template>
 
+              <template #branchExceptions>
+                <branch-exception-selector
+                  v-if="projectNamespace"
+                  :selected-exceptions="branchExceptions"
+                  @select="setBranchException"
+                />
+              </template>
+
               <template #vulnerabilitiesNumber>
                 <number-range-select
                   id="vulnerabilities-allowed"
diff --git a/ee/spec/frontend/security_orchestration/components/branch_exception_selector_spec.js b/ee/spec/frontend/security_orchestration/components/branch_exception_selector_spec.js
new file mode 100644
index 00000000000000..4b4ff431b0851a
--- /dev/null
+++ b/ee/spec/frontend/security_orchestration/components/branch_exception_selector_spec.js
@@ -0,0 +1,72 @@
+import { GlSprintf, GlCollapsibleListbox } from '@gitlab/ui';
+import BranchExceptionSelector from 'ee/security_orchestration/components/branch_exception_selector.vue';
+import ProjectBranchSelector from 'ee/vue_shared/components/branches_selector/project_branch_selector.vue';
+import { shallowMountExtended } from 'helpers/vue_test_utils_helper';
+import { NO_EXCEPTION_KEY, EXCEPTION_KEY } from 'ee/security_orchestration/components/constants';
+
+describe('BranchExceptionSelector', () => {
+  let wrapper;
+
+  const NAMESPACE_PATH = 'gitlab/project';
+  const MOCK_BRANCHES = ['main', 'test'];
+
+  const createComponent = ({ propsData = {} } = {}) => {
+    wrapper = shallowMountExtended(BranchExceptionSelector, {
+      propsData,
+      provide: {
+        namespacePath: NAMESPACE_PATH,
+      },
+      stubs: {
+        GlSprintf,
+      },
+    });
+  };
+
+  const findNamespaceTypeListbox = () => wrapper.findComponent(GlCollapsibleListbox);
+  const findProjectBranchSelector = () => wrapper.findComponent(ProjectBranchSelector);
+  const findExceptionPreposition = () => wrapper.findByTestId('exception-preposition');
+
+  describe('default rendering states', () => {
+    beforeEach(() => {
+      createComponent();
+    });
+
+    it('should display no exception mode by default', () => {
+      expect(findNamespaceTypeListbox().props('selected')).toBe(NO_EXCEPTION_KEY);
+
+      expect(findProjectBranchSelector().exists()).toBe(false);
+      expect(findExceptionPreposition().exists()).toBe(false);
+    });
+
+    it('should display branches listbox for  exceptions', async () => {
+      await findNamespaceTypeListbox().vm.$emit('select', EXCEPTION_KEY);
+
+      expect(findProjectBranchSelector().exists()).toBe(true);
+      expect(findExceptionPreposition().exists()).toBe(true);
+    });
+  });
+
+  describe('existing branch exceptions', () => {
+    it('should display saved exceptions', () => {
+      createComponent({
+        propsData: { selectedExceptions: MOCK_BRANCHES },
+      });
+
+      expect(findProjectBranchSelector().props('selected')).toEqual(MOCK_BRANCHES);
+      expect(findProjectBranchSelector().exists()).toBe(true);
+      expect(findExceptionPreposition().exists()).toBe(true);
+    });
+  });
+
+  describe('exception selection', () => {
+    it('should select exceptions', async () => {
+      createComponent();
+
+      await findNamespaceTypeListbox().vm.$emit('select', EXCEPTION_KEY);
+
+      await findProjectBranchSelector().vm.$emit('select', MOCK_BRANCHES);
+
+      expect(wrapper.emitted('select')).toEqual([[{ branch_exceptions: MOCK_BRANCHES }]]);
+    });
+  });
+});
diff --git a/ee/spec/frontend/security_orchestration/components/policy_editor/scan_result_policy/license_scan_rule_builder_spec.js b/ee/spec/frontend/security_orchestration/components/policy_editor/scan_result_policy/license_scan_rule_builder_spec.js
index 5f5fccb00b13e6..1012763283c6bd 100644
--- a/ee/spec/frontend/security_orchestration/components/policy_editor/scan_result_policy/license_scan_rule_builder_spec.js
+++ b/ee/spec/frontend/security_orchestration/components/policy_editor/scan_result_policy/license_scan_rule_builder_spec.js
@@ -1,5 +1,6 @@
 import { GlSprintf } from '@gitlab/ui';
 import { shallowMountExtended } from 'helpers/vue_test_utils_helper';
+import BranchExceptionSelector from 'ee/security_orchestration/components/branch_exception_selector.vue';
 import LicenseScanRuleBuilder from 'ee/security_orchestration/components/policy_editor/scan_result_policy/license_scan_rule_builder.vue';
 import PolicyRuleBranchSelection from 'ee/security_orchestration/components/policy_editor/scan_result_policy/policy_rule_branch_selection.vue';
 import PolicyRuleMultiSelect from 'ee/security_orchestration/components/policy_rule_multi_select.vue';
@@ -27,13 +28,15 @@ describe('LicenseScanRuleBuilder', () => {
     license_states: ['newly_detected', 'detected'],
   };
 
-  const factory = ({ stubs = {} } = {}) => {
+  const factory = ({ stubs = {}, props = {}, provide = {} } = {}) => {
     wrapper = shallowMountExtended(LicenseScanRuleBuilder, {
       propsData: {
         initRule: licenseScanBuildRule(),
+        ...props,
       },
       provide: {
         namespaceType: NAMESPACE_TYPES.GROUP,
+        ...provide,
       },
       stubs: {
         BaseLayoutComponent,
@@ -51,6 +54,7 @@ describe('LicenseScanRuleBuilder', () => {
   const findStatusFilter = () => wrapper.findComponent(StatusFilter);
   const findLicenseFilter = () => wrapper.findComponent(LicenseFilter);
   const findScanTypeSelect = () => wrapper.findComponent(ScanTypeSelect);
+  const findBranchExceptionSelector = () => wrapper.findComponent(BranchExceptionSelector);
 
   describe('initial rendering', () => {
     beforeEach(() => {
@@ -77,6 +81,61 @@ describe('LicenseScanRuleBuilder', () => {
     });
   });
 
+  describe('adding branch exceptions', () => {
+    const exceptions = { branch_exceptions: ['main', 'test'] };
+
+    it.each`
+      namespaceType              | expectedResult
+      ${NAMESPACE_TYPES.PROJECT} | ${true}
+      ${NAMESPACE_TYPES.GROUP}   | ${false}
+    `('should select exceptions only on project level', ({ namespaceType, expectedResult }) => {
+      factory({
+        provide: {
+          namespaceType,
+        },
+      });
+
+      expect(findBranchExceptionSelector().exists()).toBe(expectedResult);
+    });
+
+    it('should select exceptions', () => {
+      factory({
+        provide: {
+          namespaceType: NAMESPACE_TYPES.PROJECT,
+        },
+      });
+
+      findBranchExceptionSelector().vm.$emit('select', exceptions);
+
+      expect(wrapper.emitted('changed')).toEqual([
+        [
+          {
+            ...licenseScanBuildRule(),
+            ...exceptions,
+          },
+        ],
+      ]);
+    });
+
+    it('should display saved exceptions', () => {
+      factory({
+        props: {
+          initRule: {
+            ...licenseScanBuildRule(),
+            ...exceptions,
+          },
+        },
+        provide: {
+          namespaceType: NAMESPACE_TYPES.PROJECT,
+        },
+      });
+
+      expect(findBranchExceptionSelector().props('selectedExceptions')).toEqual(
+        exceptions.branch_exceptions,
+      );
+    });
+  });
+
   describe('when editing any attribute of the rule', () => {
     it.each`
       attribute               | currentComponent             | newValue                                                   | expected                                                   | event
diff --git a/ee/spec/frontend/security_orchestration/components/policy_editor/scan_result_policy/security_scan_rule_builder_spec.js b/ee/spec/frontend/security_orchestration/components/policy_editor/scan_result_policy/security_scan_rule_builder_spec.js
index 041205a944877e..edf4a8f24b1f31 100644
--- a/ee/spec/frontend/security_orchestration/components/policy_editor/scan_result_policy/security_scan_rule_builder_spec.js
+++ b/ee/spec/frontend/security_orchestration/components/policy_editor/scan_result_policy/security_scan_rule_builder_spec.js
@@ -2,6 +2,7 @@ import { nextTick } from 'vue';
 import { GlBadge } from '@gitlab/ui';
 import { mountExtended } from 'helpers/vue_test_utils_helper';
 import Api from 'ee/api';
+import BranchExceptionSelector from 'ee/security_orchestration/components/branch_exception_selector.vue';
 import SecurityScanRuleBuilder from 'ee/security_orchestration/components/policy_editor/scan_result_policy/security_scan_rule_builder.vue';
 import PolicyRuleMultiSelect from 'ee/security_orchestration/components/policy_rule_multi_select.vue';
 import PolicyRuleBranchSelection from 'ee/security_orchestration/components/policy_editor/scan_result_policy/policy_rule_branch_selection.vue';
@@ -54,6 +55,7 @@ describe('SecurityScanRuleBuilder', () => {
       provide: {
         namespaceId: '1',
         namespaceType: NAMESPACE_TYPES.PROJECT,
+        namespacePath: 'gitlab-org/test',
         ...provide,
       },
       stubs: {
@@ -77,6 +79,7 @@ describe('SecurityScanRuleBuilder', () => {
   const findScanTypeSelect = () => wrapper.findComponent(ScanTypeSelect);
   const findAgeFilter = () => wrapper.findComponent(AgeFilter);
   const findScanFilterSelectorBadge = () => findScanFilterSelector().findComponent(GlBadge);
+  const findBranchExceptionSelector = () => wrapper.findComponent(BranchExceptionSelector);
 
   beforeEach(() => {
     jest
@@ -108,6 +111,53 @@ describe('SecurityScanRuleBuilder', () => {
     });
   });
 
+  describe('adding branch exceptions', () => {
+    const exceptions = { branch_exceptions: ['main', 'test'] };
+
+    it.each`
+      namespaceType              | expectedResult
+      ${NAMESPACE_TYPES.PROJECT} | ${true}
+      ${NAMESPACE_TYPES.GROUP}   | ${false}
+    `('should select exceptions only on project level', ({ namespaceType, expectedResult }) => {
+      factory(
+        {},
+        {
+          namespaceType,
+        },
+      );
+
+      expect(findBranchExceptionSelector().exists()).toBe(expectedResult);
+    });
+
+    it('should select exceptions', () => {
+      factory();
+
+      findBranchExceptionSelector().vm.$emit('select', exceptions);
+
+      expect(wrapper.emitted('changed')).toEqual([
+        [
+          {
+            ...securityScanBuildRule(),
+            ...exceptions,
+          },
+        ],
+      ]);
+    });
+
+    it('should display saved exceptions', () => {
+      factory({
+        initRule: {
+          ...securityScanBuildRule(),
+          ...exceptions,
+        },
+      });
+
+      expect(findBranchExceptionSelector().props('selectedExceptions')).toEqual(
+        exceptions.branch_exceptions,
+      );
+    });
+  });
+
   describe('when editing any attribute of the rule', () => {
     it.each`
       currentComponent | event        | newValue                                           | expected
diff --git a/locale/gitlab.pot b/locale/gitlab.pot
index 80ff5f27fabf41..c350db3b9a4c7d 100644
--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -41225,10 +41225,10 @@ msgstr ""
 msgid "ScanResultPolicy|Unknown"
 msgstr ""
 
-msgid "ScanResultPolicy|When %{scanType} %{scanners} runs against the %{branches} and find(s) %{vulnerabilitiesNumber} %{boldDescription} of the following criteria:"
+msgid "ScanResultPolicy|When %{scanType} %{scanners} runs against the %{branches} %{branchExceptions} and find(s) %{vulnerabilitiesNumber} %{boldDescription} of the following criteria:"
 msgstr ""
 
-msgid "ScanResultPolicy|When %{scanType} in an open merge request targeting %{branches} and the licenses match all of the following criteria:"
+msgid "ScanResultPolicy|When %{scanType} in an open merge request targeting %{branches} %{branchExceptions} and the licenses match all of the following criteria:"
 msgstr ""
 
 msgid "ScanResultPolicy|When %{scanners} find scanner specified conditions in an open merge request targeting the %{branches} and match %{boldDescription} of the following criteria"
@@ -41946,6 +41946,9 @@ msgstr ""
 msgid "SecurityOrchestration|Every time a pipeline runs for %{branches}"
 msgstr ""
 
+msgid "SecurityOrchestration|Exceptions"
+msgstr ""
+
 msgid "SecurityOrchestration|Failed to load cluster agents."
 msgstr ""
 
@@ -42003,6 +42006,9 @@ msgstr ""
 msgid "SecurityOrchestration|No description"
 msgstr ""
 
+msgid "SecurityOrchestration|No exceptions"
+msgstr ""
+
 msgid "SecurityOrchestration|No rules defined - policy will not run."
 msgstr ""
 
@@ -42122,6 +42128,9 @@ msgstr ""
 msgid "SecurityOrchestration|Select a project to store your security policies in. %{linkStart}More information.%{linkEnd}"
 msgstr ""
 
+msgid "SecurityOrchestration|Select exception branches"
+msgstr ""
+
 msgid "SecurityOrchestration|Select groups"
 msgstr ""
 
@@ -42314,6 +42323,9 @@ msgstr ""
 msgid "SecurityOrchestration|the default branch"
 msgstr ""
 
+msgid "SecurityOrchestration|with %{exceptionType} %{preposition} %{branchSelector}"
+msgstr ""
+
 msgid "SecurityPolicies|Invalid or empty policy"
 msgstr ""
 
@@ -55991,6 +56003,9 @@ msgstr ""
 msgid "nounSeries|%{item}, and %{lastItem}"
 msgstr ""
 
+msgid "on"
+msgstr ""
+
 msgid "on or after"
 msgstr ""
 
-- 
GitLab


From 737fe6c5afc67cecafc2b5ee17f526afd616a370 Mon Sep 17 00:00:00 2001
From: Artur Fedorov <afedorov@gitlab.com>
Date: Tue, 1 Aug 2023 00:16:18 +0200
Subject: [PATCH 2/3] Applied review changes

---
 .../scan_result_policy/license_scan_rule_builder.vue          | 4 ++--
 .../scan_result_policy/security_scan_rule_builder.vue         | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/ee/app/assets/javascripts/security_orchestration/components/policy_editor/scan_result_policy/license_scan_rule_builder.vue b/ee/app/assets/javascripts/security_orchestration/components/policy_editor/scan_result_policy/license_scan_rule_builder.vue
index 81b94c2d867e51..e5e981552a0eef 100644
--- a/ee/app/assets/javascripts/security_orchestration/components/policy_editor/scan_result_policy/license_scan_rule_builder.vue
+++ b/ee/app/assets/javascripts/security_orchestration/components/policy_editor/scan_result_policy/license_scan_rule_builder.vue
@@ -46,7 +46,7 @@ export default {
   },
   licenseStatuses: LICENSE_STATES,
   computed: {
-    projectNamespace() {
+    isProjectNamespace() {
       return this.namespaceType === NAMESPACE_TYPES.PROJECT;
     },
     branchExceptions() {
@@ -109,7 +109,7 @@ export default {
 
               <template #branchExceptions>
                 <branch-exception-selector
-                  v-if="projectNamespace"
+                  v-if="isProjectNamespace"
                   :selected-exceptions="branchExceptions"
                   @select="setBranchException"
                 />
diff --git a/ee/app/assets/javascripts/security_orchestration/components/policy_editor/scan_result_policy/security_scan_rule_builder.vue b/ee/app/assets/javascripts/security_orchestration/components/policy_editor/scan_result_policy/security_scan_rule_builder.vue
index 6c4542ba804034..63f2073c7253ce 100644
--- a/ee/app/assets/javascripts/security_orchestration/components/policy_editor/scan_result_policy/security_scan_rule_builder.vue
+++ b/ee/app/assets/javascripts/security_orchestration/components/policy_editor/scan_result_policy/security_scan_rule_builder.vue
@@ -81,7 +81,7 @@ export default {
     };
   },
   computed: {
-    projectNamespace() {
+    isProjectNamespace() {
       return this.namespaceType === NAMESPACE_TYPES.PROJECT;
     },
     severityLevelsToAdd: {
@@ -303,7 +303,7 @@ export default {
 
               <template #branchExceptions>
                 <branch-exception-selector
-                  v-if="projectNamespace"
+                  v-if="isProjectNamespace"
                   :selected-exceptions="branchExceptions"
                   @select="setBranchException"
                 />
-- 
GitLab


From 53edf1441d86ea61619d087fed5ff539302b8871 Mon Sep 17 00:00:00 2001
From: Artur Fedorov <afedorov@gitlab.com>
Date: Wed, 2 Aug 2023 14:16:30 +0200
Subject: [PATCH 3/3] Applied maintainer review changes

---
 .../components/branch_exception_selector.vue  | 23 +++++++------------
 .../license_scan_rule_builder.vue             | 11 ++++-----
 .../security_scan_rule_builder.vue            | 11 ++++-----
 .../projects/security/policies_controller.rb  |  4 ++++
 .../branch_exception_selector_spec.js         |  6 -----
 .../license_scan_rule_builder_spec.js         | 17 ++++++++++++++
 .../security_scan_rule_builder_spec.js        | 18 +++++++++++++++
 locale/gitlab.pot                             |  8 +++----
 8 files changed, 61 insertions(+), 37 deletions(-)

diff --git a/ee/app/assets/javascripts/security_orchestration/components/branch_exception_selector.vue b/ee/app/assets/javascripts/security_orchestration/components/branch_exception_selector.vue
index f08cb98547219d..27a5347413f4d1 100644
--- a/ee/app/assets/javascripts/security_orchestration/components/branch_exception_selector.vue
+++ b/ee/app/assets/javascripts/security_orchestration/components/branch_exception_selector.vue
@@ -1,6 +1,6 @@
 <script>
 import { GlSprintf, GlCollapsibleListbox } from '@gitlab/ui';
-import { s__, __ } from '~/locale';
+import { s__ } from '~/locale';
 import ProjectBranchSelector from 'ee/vue_shared/components/branches_selector/project_branch_selector.vue';
 import { EXCEPTION_TYPE_ITEMS, NO_EXCEPTION_KEY, EXCEPTION_KEY } from './constants';
 
@@ -8,11 +8,9 @@ export default {
   EXCEPTION_TYPE_ITEMS,
   NO_EXCEPTION_KEY,
   i18n: {
-    exceptionText: s__(
-      'SecurityOrchestration|with %{exceptionType} %{preposition} %{branchSelector}',
-    ),
+    exceptionText: s__('SecurityOrchestration|with %{exceptionType} on %{branchSelector}'),
+    noExceptionText: s__('SecurityOrchestration|with %{exceptionType}'),
     branchSelectorHeader: s__('SecurityOrchestration|Select exception branches'),
-    preposition: __('on'),
   },
   name: 'BranchExceptionSelector',
   components: {
@@ -34,8 +32,10 @@ export default {
     };
   },
   computed: {
-    hasExceptions() {
-      return this.selectedExceptionType === EXCEPTION_KEY;
+    exceptionText() {
+      return this.selectedExceptionType === EXCEPTION_KEY
+        ? this.$options.i18n.exceptionText
+        : this.$options.i18n.noExceptionText;
     },
   },
   methods: {
@@ -51,7 +51,7 @@ export default {
 
 <template>
   <div class="gl-display-flex gl-align-items-center gl-gap-3">
-    <gl-sprintf :message="$options.i18n.exceptionText">
+    <gl-sprintf :message="exceptionText">
       <template #exceptionType>
         <gl-collapsible-listbox
           :items="$options.EXCEPTION_TYPE_ITEMS"
@@ -60,15 +60,8 @@ export default {
         />
       </template>
 
-      <template #preposition>
-        <span v-if="hasExceptions" data-testid="exception-preposition">
-          {{ $options.i18n.preposition }}
-        </span>
-      </template>
-
       <template #branchSelector>
         <project-branch-selector
-          v-if="hasExceptions"
           class="gl-max-w-48"
           :header="$options.i18n.branchSelectorHeader"
           :text="$options.i18n.branchSelectorHeader"
diff --git a/ee/app/assets/javascripts/security_orchestration/components/policy_editor/scan_result_policy/license_scan_rule_builder.vue b/ee/app/assets/javascripts/security_orchestration/components/policy_editor/scan_result_policy/license_scan_rule_builder.vue
index e5e981552a0eef..766b1b7817d326 100644
--- a/ee/app/assets/javascripts/security_orchestration/components/policy_editor/scan_result_policy/license_scan_rule_builder.vue
+++ b/ee/app/assets/javascripts/security_orchestration/components/policy_editor/scan_result_policy/license_scan_rule_builder.vue
@@ -5,6 +5,7 @@ import BranchExceptionSelector from 'ee/security_orchestration/components/branch
 import PolicyRuleBranchSelection from 'ee/security_orchestration/components/policy_editor/scan_result_policy/policy_rule_branch_selection.vue';
 import PolicyRuleMultiSelect from 'ee/security_orchestration/components/policy_rule_multi_select.vue';
 import { NAMESPACE_TYPES } from 'ee/security_orchestration/constants';
+import glFeatureFlagsMixin from '~/vue_shared/mixins/gl_feature_flags_mixin';
 import ScanFilterSelector from '../scan_filter_selector.vue';
 import { SCAN_RESULT_BRANCH_TYPE_OPTIONS } from '../constants';
 import ScanTypeSelect from './base_layout/scan_type_select.vue';
@@ -28,6 +29,7 @@ export default {
     ScanTypeSelect,
     StatusFilter,
   },
+  mixins: [glFeatureFlagsMixin()],
   inject: ['namespaceType'],
   props: {
     initRule: {
@@ -46,7 +48,7 @@ export default {
   },
   licenseStatuses: LICENSE_STATES,
   computed: {
-    isProjectNamespace() {
+    isProject() {
       return this.namespaceType === NAMESPACE_TYPES.PROJECT;
     },
     branchExceptions() {
@@ -75,9 +77,6 @@ export default {
     setBranchType(value) {
       this.$emit('changed', value);
     },
-    setBranchException(value) {
-      this.triggerChanged(value);
-    },
   },
 };
 </script>
@@ -109,9 +108,9 @@ export default {
 
               <template #branchExceptions>
                 <branch-exception-selector
-                  v-if="isProjectNamespace"
+                  v-if="isProject && glFeatures.securityPoliciesBranchExceptions"
                   :selected-exceptions="branchExceptions"
-                  @select="setBranchException"
+                  @select="triggerChanged"
                 />
               </template>
             </gl-sprintf>
diff --git a/ee/app/assets/javascripts/security_orchestration/components/policy_editor/scan_result_policy/security_scan_rule_builder.vue b/ee/app/assets/javascripts/security_orchestration/components/policy_editor/scan_result_policy/security_scan_rule_builder.vue
index 63f2073c7253ce..169c19e915d7b6 100644
--- a/ee/app/assets/javascripts/security_orchestration/components/policy_editor/scan_result_policy/security_scan_rule_builder.vue
+++ b/ee/app/assets/javascripts/security_orchestration/components/policy_editor/scan_result_policy/security_scan_rule_builder.vue
@@ -4,6 +4,7 @@ import { s__ } from '~/locale';
 import { REPORT_TYPES_DEFAULT, SEVERITY_LEVELS } from 'ee/security_dashboard/store/constants';
 import { NAMESPACE_TYPES } from 'ee/security_orchestration/constants';
 import BranchExceptionSelector from 'ee/security_orchestration/components/branch_exception_selector.vue';
+import glFeatureFlagsMixin from '~/vue_shared/mixins/gl_feature_flags_mixin';
 import PolicyRuleMultiSelect from '../../policy_rule_multi_select.vue';
 import {
   ANY_OPERATOR,
@@ -55,6 +56,7 @@ export default {
     StatusFilters,
     NumberRangeSelect,
   },
+  mixins: [glFeatureFlagsMixin()],
   inject: ['namespaceType'],
   props: {
     initRule: {
@@ -81,7 +83,7 @@ export default {
     };
   },
   computed: {
-    isProjectNamespace() {
+    isProject() {
       return this.namespaceType === NAMESPACE_TYPES.PROJECT;
     },
     severityLevelsToAdd: {
@@ -163,9 +165,6 @@ export default {
     setBranchType(value) {
       this.$emit('changed', value);
     },
-    setBranchException(value) {
-      this.triggerChanged(value);
-    },
     isFilterSelected(filter) {
       return Boolean(this.filters[filter]);
     },
@@ -303,9 +302,9 @@ export default {
 
               <template #branchExceptions>
                 <branch-exception-selector
-                  v-if="isProjectNamespace"
+                  v-if="isProject && glFeatures.securityPoliciesBranchExceptions"
                   :selected-exceptions="branchExceptions"
-                  @select="setBranchException"
+                  @select="triggerChanged"
                 />
               </template>
 
diff --git a/ee/app/controllers/projects/security/policies_controller.rb b/ee/app/controllers/projects/security/policies_controller.rb
index 820c7b5ab2cf15..0c17da1696a0e1 100644
--- a/ee/app/controllers/projects/security/policies_controller.rb
+++ b/ee/app/controllers/projects/security/policies_controller.rb
@@ -9,6 +9,10 @@ class PoliciesController < Projects::ApplicationController
       before_action :authorize_modify_security_policy!, only: :edit
       before_action :validate_policy_configuration, only: :edit
 
+      before_action do
+        push_frontend_feature_flag(:security_policies_branch_exceptions, @project)
+      end
+
       feature_category :security_policy_management
       urgency :default, [:edit]
       urgency :low, [:index, :new]
diff --git a/ee/spec/frontend/security_orchestration/components/branch_exception_selector_spec.js b/ee/spec/frontend/security_orchestration/components/branch_exception_selector_spec.js
index 4b4ff431b0851a..02d15c0c379fe0 100644
--- a/ee/spec/frontend/security_orchestration/components/branch_exception_selector_spec.js
+++ b/ee/spec/frontend/security_orchestration/components/branch_exception_selector_spec.js
@@ -24,7 +24,6 @@ describe('BranchExceptionSelector', () => {
 
   const findNamespaceTypeListbox = () => wrapper.findComponent(GlCollapsibleListbox);
   const findProjectBranchSelector = () => wrapper.findComponent(ProjectBranchSelector);
-  const findExceptionPreposition = () => wrapper.findByTestId('exception-preposition');
 
   describe('default rendering states', () => {
     beforeEach(() => {
@@ -33,16 +32,12 @@ describe('BranchExceptionSelector', () => {
 
     it('should display no exception mode by default', () => {
       expect(findNamespaceTypeListbox().props('selected')).toBe(NO_EXCEPTION_KEY);
-
       expect(findProjectBranchSelector().exists()).toBe(false);
-      expect(findExceptionPreposition().exists()).toBe(false);
     });
 
     it('should display branches listbox for  exceptions', async () => {
       await findNamespaceTypeListbox().vm.$emit('select', EXCEPTION_KEY);
-
       expect(findProjectBranchSelector().exists()).toBe(true);
-      expect(findExceptionPreposition().exists()).toBe(true);
     });
   });
 
@@ -54,7 +49,6 @@ describe('BranchExceptionSelector', () => {
 
       expect(findProjectBranchSelector().props('selected')).toEqual(MOCK_BRANCHES);
       expect(findProjectBranchSelector().exists()).toBe(true);
-      expect(findExceptionPreposition().exists()).toBe(true);
     });
   });
 
diff --git a/ee/spec/frontend/security_orchestration/components/policy_editor/scan_result_policy/license_scan_rule_builder_spec.js b/ee/spec/frontend/security_orchestration/components/policy_editor/scan_result_policy/license_scan_rule_builder_spec.js
index 1012763283c6bd..bf2ee56aa9837c 100644
--- a/ee/spec/frontend/security_orchestration/components/policy_editor/scan_result_policy/license_scan_rule_builder_spec.js
+++ b/ee/spec/frontend/security_orchestration/components/policy_editor/scan_result_policy/license_scan_rule_builder_spec.js
@@ -36,6 +36,9 @@ describe('LicenseScanRuleBuilder', () => {
       },
       provide: {
         namespaceType: NAMESPACE_TYPES.GROUP,
+        glFeatures: {
+          securityPoliciesBranchExceptions: true,
+        },
         ...provide,
       },
       stubs: {
@@ -152,4 +155,18 @@ describe('LicenseScanRuleBuilder', () => {
       },
     );
   });
+
+  describe('disabled feature flag', () => {
+    it('should not render branch exceptions when feature flag is disabled', () => {
+      factory({
+        provide: {
+          glFeatures: {
+            securityPoliciesBranchExceptions: false,
+          },
+        },
+      });
+
+      expect(findBranchExceptionSelector().exists()).toBe(false);
+    });
+  });
 });
diff --git a/ee/spec/frontend/security_orchestration/components/policy_editor/scan_result_policy/security_scan_rule_builder_spec.js b/ee/spec/frontend/security_orchestration/components/policy_editor/scan_result_policy/security_scan_rule_builder_spec.js
index edf4a8f24b1f31..72bdea1ad4c3c3 100644
--- a/ee/spec/frontend/security_orchestration/components/policy_editor/scan_result_policy/security_scan_rule_builder_spec.js
+++ b/ee/spec/frontend/security_orchestration/components/policy_editor/scan_result_policy/security_scan_rule_builder_spec.js
@@ -56,6 +56,9 @@ describe('SecurityScanRuleBuilder', () => {
         namespaceId: '1',
         namespaceType: NAMESPACE_TYPES.PROJECT,
         namespacePath: 'gitlab-org/test',
+        glFeatures: {
+          securityPoliciesBranchExceptions: true,
+        },
         ...provide,
       },
       stubs: {
@@ -368,4 +371,19 @@ describe('SecurityScanRuleBuilder', () => {
 
     expect(wrapper.emitted('set-scan-type')).toEqual([[getDefaultRule(SCAN_FINDING)]]);
   });
+
+  describe('disabled feature flag', () => {
+    it('should not render branch exceptions when feature flag is disabled', () => {
+      factory(
+        {},
+        {
+          glFeatures: {
+            securityPoliciesBranchExceptions: false,
+          },
+        },
+      );
+
+      expect(findBranchExceptionSelector().exists()).toBe(false);
+    });
+  });
 });
diff --git a/locale/gitlab.pot b/locale/gitlab.pot
index c350db3b9a4c7d..acaa3dfa750fd5 100644
--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -42323,7 +42323,10 @@ msgstr ""
 msgid "SecurityOrchestration|the default branch"
 msgstr ""
 
-msgid "SecurityOrchestration|with %{exceptionType} %{preposition} %{branchSelector}"
+msgid "SecurityOrchestration|with %{exceptionType}"
+msgstr ""
+
+msgid "SecurityOrchestration|with %{exceptionType} on %{branchSelector}"
 msgstr ""
 
 msgid "SecurityPolicies|Invalid or empty policy"
@@ -56003,9 +56006,6 @@ msgstr ""
 msgid "nounSeries|%{item}, and %{lastItem}"
 msgstr ""
 
-msgid "on"
-msgstr ""
-
 msgid "on or after"
 msgstr ""
 
-- 
GitLab