Add "shortest path" information when creating vulnerability from CVS

Why are we doing this work

TODO: update description based on up to date state of the code. Dependency path information is already ingested and available in the sbom occurrence DB model.

Dependency Scanning provides path data for dependencies and is presented to users via the Vulnerability Page (example: https://gitlab.com/gitlab-org/security-products/tests/js-yarn/-/security/vulnerabilities/4009367)

This data is provided via the security report today (e.g. https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium/-/blob/master/qa/expect/js-yarn/default/gl-dependency-scanning-report.json#L9808).

However, as of "Add dependency graph information to Gemnasium's..." (#366168 - closed) it will come from the CycloneDX report.

This issue captures the ingestion and storage of this data in the database.

Relevant links

Non-functional requirements

  • Documentation:
  • Feature flag:
  • Performance:
  • Testing:

Proposal

Since paths are currently only used for presentation, the data can be stored in a JSON column that holds a simple array of component_version ids (the path from the top-level dependency down to the component):

sbom_component_graphs

| id | sbom_source_id | sbom_component_version_id | path |
|----|----------------|---------------------------|------|
| 1 | source1 | comp_ver_1 | "[comp_ver_1]" |
| 2 | source1 | comp_ver_2 | "[comp_ver_1, comp_ver_2]" |
| 3 | source1 | comp_ver_3 | "[comp_ver_1, comp_ver_3]" |
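The rows above only show the stored shape; they do not show how the "shortest path" in the title would be derived from the dependency graph in the CycloneDX report. The following is an added example, not code from GitLab or this issue: a breadth-first search over a constructed, CycloneDX-style `dependencies` section that yields the shortest path from the source (root) to every component and serialises the result into rows shaped like the proposed `sbom_component_graphs` table. The refs (`root`, `comp_ver_1` ...) and the `dependsOn` edges are constructed sample data, and the sample deliberately contains a cycle (`comp_ver_4` -> `comp_ver_1`) to show that a visited set keeps the search from looping. Where two equally short paths exist (here `comp_ver_4` is reachable via `comp_ver_2` or `comp_ver_3`), BFS keeps the first one discovered, which follows the order of the input.

```ruby
require 'json'
require 'set'

# Constructed sample: a CycloneDX-style "dependencies" section. Each entry
# names a component ref and the refs it depends on. "root" stands for the
# project itself (the sbom source); the comp_ver_* refs are hypothetical.
SAMPLE_DEPENDENCIES = [
  { 'ref' => 'root',       'dependsOn' => ['comp_ver_1'] },
  { 'ref' => 'comp_ver_1', 'dependsOn' => ['comp_ver_2', 'comp_ver_3'] },
  { 'ref' => 'comp_ver_2', 'dependsOn' => ['comp_ver_4'] },
  { 'ref' => 'comp_ver_3', 'dependsOn' => ['comp_ver_4'] },
  # Deliberate cycle back to comp_ver_1; real dependency graphs can contain these.
  { 'ref' => 'comp_ver_4', 'dependsOn' => ['comp_ver_1'] }
].freeze

# Build an adjacency hash { ref => [child refs] } from the dependencies section.
# Array() tolerates entries that omit "dependsOn".
def adjacency(dependencies)
  dependencies.each_with_object(Hash.new { |h, k| h[k] = [] }) do |entry, adj|
    adj[entry['ref']].concat(Array(entry['dependsOn']))
  end
end

# Breadth-first search from the root. Returns { ref => [path...] } where the
# path excludes the root and ends at the ref, matching the proposal's
# "[comp_ver_1, comp_ver_2]" shape. BFS discovers each node first along a
# shortest path; the visited set makes cycles and diamonds harmless.
def shortest_paths(dependencies, root)
  adj = adjacency(dependencies)
  paths = {}
  visited = Set[root]
  queue = [[root, []]]
  until queue.empty?
    node, path = queue.shift
    adj[node].each do |child|
      next if visited.include?(child)

      visited << child
      paths[child] = path + [child]
      queue << [child, paths[child]]
    end
  end
  paths
end

# Serialise the paths into rows shaped like the proposed sbom_component_graphs
# table. The path column is the JSON array the issue describes; ids are
# assigned sequentially here only for illustration.
def graph_rows(dependencies, root, source_id)
  shortest_paths(dependencies, root).map.with_index(1) do |(ref, path), id|
    {
      id: id,
      sbom_source_id: source_id,
      sbom_component_version_id: ref,
      path: JSON.generate(path)
    }
  end
end

if $PROGRAM_NAME == __FILE__
  graph_rows(SAMPLE_DEPENDENCIES, 'root', 'source1').each { |row| puts row.to_json }
end
```

Because the JSON column stores ids rather than names, the stored path stays valid when a component is renamed, but it must be regenerated whenever the dependency graph of the source changes; a stale row would present a path that no longer exists in the lock file.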

Verification steps

Edited by Olivier Gonzalez