Merge branch '470835-add-pm_epss-to-gitlab-database' into 'master'

Add EPSS to GitLab database

See merge request !158908



Merged-by: Marius Bobin <mbobin@gitlab.com>
Approved-by: Bishwa Hang Rai <bhrai@gitlab.com>
Approved-by: Ian Anderson <ianderson@gitlab.com>
Approved-by: Gavin Hinfey <ghinfey@gitlab.com>
Approved-by: Marius Bobin <mbobin@gitlab.com>
Reviewed-by: Marius Bobin <mbobin@gitlab.com>
Reviewed-by: Ian Anderson <ianderson@gitlab.com>
Reviewed-by: Bishwa Hang Rai <bhrai@gitlab.com>
Co-authored-by: Yasha Rise <yrise@gitlab.com>

.rubocop_todo/gitlab/bounded_contexts.yml

@@ -3006,6 +3006,7 @@ Gitlab/BoundedContexts:
     - 'ee/app/models/package_metadata/advisory.rb'
     - 'ee/app/models/package_metadata/affected_package.rb'
     - 'ee/app/models/package_metadata/checkpoint.rb'
+    - 'ee/app/models/package_metadata/epss.rb'
     - 'ee/app/models/package_metadata/license.rb'
     - 'ee/app/models/package_metadata/package.rb'
     - 'ee/app/models/package_metadata/package_version.rb'

db/docs/pm_epss.yml

+---
+table_name: pm_epss
+classes:
+- PackageMetadata::Epss
+feature_categories:
+- software_composition_analysis
+- container_scanning
+description: Stores EPSS data (https://www.first.org/epss/).
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/158908
+milestone: '17.3'
+gitlab_schema: gitlab_sec
+exempt_from_sharding: true  # See discussion on keys for pm_ tables https://gitlab.com/gitlab-org/gitlab/-/issues/434988#note_1827421068

db/migrate/20240806080238_create_package_metadata_epss.rb

+# frozen_string_literal: true
+
+class CreatePackageMetadataEpss < Gitlab::Database::Migration[2.2]
+  milestone '17.3'
+
+  def change
+    create_table :pm_epss do |t|
+      t.float :score, null: false
+      t.timestamps_with_timezone null: false
+      t.text :cve, limit: 24, null: false, index: { unique: true }
+    end
+  end
+end

db/schema_migrations/20240806080238

+6865c7c37f109d62ad8a85c794ee5dbccbeee45397fc89bb8b4f63ff2af8b9a2
\ No newline at end of file

db/structure.sql

@@ -15298,6 +15298,24 @@ CREATE SEQUENCE pm_checkpoints_id_seq
 ALTER SEQUENCE pm_checkpoints_id_seq OWNED BY pm_checkpoints.id;
+CREATE TABLE pm_epss (
+    id bigint NOT NULL,
+    score double precision NOT NULL,
+    created_at timestamp with time zone NOT NULL,
+    updated_at timestamp with time zone NOT NULL,
+    cve text NOT NULL,
+    CONSTRAINT check_33a7364ae2 CHECK ((char_length(cve) <= 24))
+);
+
+CREATE SEQUENCE pm_epss_id_seq
+    START WITH 1
+    INCREMENT BY 1
+    NO MINVALUE
+    NO MAXVALUE
+    CACHE 1;
+
+ALTER SEQUENCE pm_epss_id_seq OWNED BY pm_epss.id;
+
 CREATE TABLE pm_licenses (
     id bigint NOT NULL,
     spdx_identifier text NOT NULL,
@@ -21574,6 +21592,8 @@ ALTER TABLE ONLY pm_affected_packages ALTER COLUMN id SET DEFAULT nextval('pm_af
 ALTER TABLE ONLY pm_checkpoints ALTER COLUMN id SET DEFAULT nextval('pm_checkpoints_id_seq'::regclass);
+ALTER TABLE ONLY pm_epss ALTER COLUMN id SET DEFAULT nextval('pm_epss_id_seq'::regclass);
+
 ALTER TABLE ONLY pm_licenses ALTER COLUMN id SET DEFAULT nextval('pm_licenses_id_seq'::regclass);
 ALTER TABLE ONLY pm_package_version_licenses ALTER COLUMN id SET DEFAULT nextval('pm_package_version_licenses_id_seq'::regclass);
@@ -24058,6 +24078,9 @@ ALTER TABLE ONLY pm_affected_packages
 ALTER TABLE ONLY pm_checkpoints
     ADD CONSTRAINT pm_checkpoints_pkey PRIMARY KEY (id);
+ALTER TABLE ONLY pm_epss
+    ADD CONSTRAINT pm_epss_pkey PRIMARY KEY (id);
+
 ALTER TABLE ONLY pm_licenses
     ADD CONSTRAINT pm_licenses_pkey PRIMARY KEY (id);
@@ -28934,6 +28957,8 @@ CREATE INDEX index_pm_affected_packages_on_pm_advisory_id ON pm_affected_package
 CREATE INDEX index_pm_affected_packages_on_purl_type_and_package_name ON pm_affected_packages USING btree (purl_type, package_name);
+CREATE UNIQUE INDEX index_pm_epss_on_cve ON pm_epss USING btree (cve);
+
 CREATE INDEX index_pm_package_version_licenses_on_pm_license_id ON pm_package_version_licenses USING btree (pm_license_id);
 CREATE INDEX index_pm_package_version_licenses_on_pm_package_version_id ON pm_package_version_licenses USING btree (pm_package_version_id);

ee/app/models/package_metadata/epss.rb

+# frozen_string_literal: true
+
+module PackageMetadata
+  class Epss < ApplicationRecord
+    include BulkInsertSafe
+
+    self.table_name = 'pm_epss'
+
+    # The 15 (total 24) character limit is abitrary. CVE IDs are not limited
+    # but we do not expect them to exceed this limit.
+    # See https://cve.mitre.org/cve/identifiers/syntaxchange.html
+    CVE_REGEX = /\ACVE-\d{4}-\d{4,15}\z/
+
+    validates :cve, presence: true, format: { with: CVE_REGEX }
+    validates :score, presence: true
+  end
+end

ee/spec/factories/package_metadata/pm_epss.rb

+# frozen_string_literal: true
+
+FactoryBot.define do
+  factory :pm_epss, class: 'PackageMetadata::Epss' do
+    cve { "CVE-1234-12345" }
+    score { 12.34 }
+  end
+end

ee/spec/models/package_metadata/epss_spec.rb

+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe PackageMetadata::Epss, type: :model, feature_category: :software_composition_analysis do
+  using RSpec::Parameterized::TableSyntax
+
+  subject(:epss) { build(:pm_epss) }
+
+  describe 'validations' do
+    it { is_expected.to validate_presence_of(:cve) }
+    it { is_expected.to validate_presence_of(:score) }
+
+    describe 'CVE format validation' do
+      where(:attribute, :value, :is_valid) do
+        :cve | 'CVE-1234-1234'                 | true
+        :cve | 'CVE-2024-123456'               | true
+        :cve | 'CVE-12-1234'                   | false
+        :cve | 'CVE-1234-12345678901234567890' | false
+        :cve | 'IAM-NOTA-CVE!'                 | false
+      end
+
+      with_them do
+        subject(:epss) { build(:pm_epss, attribute => value).valid? }
+
+        it { is_expected.to eq(is_valid) }
+      end
+    end
+  end
+end