Define process and tools to publish advisories to Gemnasium DB, try to automate the process
Problem to solve
With #11169 (closed) we made the Gemnasium DB content publicly visible and open for contribution. However, this contribution is limited to opening MRs that need to be reviewed and processed manually by the ~Secure team to publish this data to the real Gemnasium DB (PostgreSQL). This publication process is manual and not fully documented yet.
So we need to define the process to publish these advisories to the PG database, organize the tools we are leveraging to do this, and eventually come up with some automation for the MRs created on the gemnasium-db project to ease the process.
Intended users
- GitLab team members, particularly ~Secure team for now.
Further details
This iteration's goals are:
- Detail the process of publishing an advisory added to gemnasium-db project to the Gemnasium PostgreSQL DB.
- Define how to organize the tools we leverage to publish advisories
- Leverage the tools and defined process to try to automate the publication process with CI pipelines.
Proposal
- Create a new public project security-products/gemnasium-db-toolbox
  - Add our tools' code gitlab-org/security-products/gemnasium-db-toolbox!1 (merged)
  - Document publication process/workflow gitlab-org/security-products/gemnasium-db-toolbox!2 (merged)
  - Add License gitlab-org/security-products/gemnasium-db-toolbox!3 (merged)
- Add a link to gemnasium-db-toolbox to gemnasium gitlab-org/security-products/gemnasium-db!19 (merged)
- Automate the publication process by leveraging the tools in the CI pipelines of the gemnasium-db project => follow-up issue
What does success look like, and how can we measure that?
~Secure team members can publish advisories to the Gemnasium PostgreSQL DB.
- How many advisories are published to the Gemnasium PostgreSQL DB.