Scan newly ingested SBOM components of default branch
Why are we doing this work
After ingesting new CycloneDX SBOMs for the default branch, SBOM components need to be compared against known advisories, and vulnerabilities need to be ingested.
Ingesting vulnerabilities for the default branch involves many tasks, all handled by ::Security::Ingestion::IngestReportSliceService.
This behavior is enabled by the feature flag that enables Continuous Scans.
This issue covers adding the trigger, worker and queue for initiating this process.
Detecting vulnerabilities in a pipeline is covered by Match SBOM components to known advisories (#371055 - closed).
NOTE: The processing that applies to any pipeline of any branch is covered by Store security findings detected in SBOMs when ... (#395704 - closed).
Relevant links
Non-functional requirements
- Documentation:
- Feature flag: TBD in #395692 (comment 1334543307)
- Performance:
- Testing: rspec unit tests
Implementation plan
The implementation plan leverages the GitLab EventStore to decouple the subscribers from the events.
- Add a new event to trigger a scan of new SBoM components of the default branch:

  ```ruby
  class VulnerabilityScanning::NewSbomComponentsEvent < Gitlab::EventStore::Event
    def schema
      {
        "type" => "object",
        "required" => ["pipeline_id"],
        "properties" => {
          "pipeline_id" => { "type" => "integer" }
        }
      }
    end
  end
  ```

- Create a new subscriber to perform upserts, e.g. VulnerabilityScanning::UpsertVulnerabilitiesWorker.
- Create a new subscriber to mark vulnerabilities as resolved, e.g. VulnerabilityScanning::MarkAsResolvedWorker.
- Publish a VulnerabilityScanning::NewSbomComponentsEvent at the end of #perform for the worker implemented in Store security findings detected in SBOMs when ... (#395704 - closed). This should only occur when the pipeline belongs to the default branch.
- Subscribe VulnerabilityScanning::UpsertVulnerabilitiesWorker and VulnerabilityScanning::MarkAsResolvedWorker to the VulnerabilityScanning::NewSbomComponentsEvent event.
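The wiring the plan describes, as an added example that is not GitLab's code: MiniEventStore, RecordingWorker, Pipeline and publish_if_default_branch are constructed stand-ins (the real Gitlab::EventStore validates the schema with JSON Schema and dispatches subscribers as Sidekiq jobs), so the default-branch gate and the fan-out to both subscribers can be run offline.

```ruby
# Added example (not GitLab code): MiniEventStore stands in for Gitlab::EventStore so the
# plan's wiring runs offline; it validates only required keys and integer typing.
module MiniEventStore
  class InvalidEvent < StandardError; end

  class Event
    attr_reader :data

    def initialize(data:)
      @data = data
      schema.fetch("required", []).each do |key|
        raise InvalidEvent, "missing #{key}" unless data.key?(key)
      end
      schema.fetch("properties", {}).each do |key, spec|
        next unless data.key?(key) && spec["type"] == "integer"
        raise InvalidEvent, "#{key} must be an integer" unless data[key].is_a?(Integer)
      end
    end
  end

  @subscriptions = Hash.new { |h, k| h[k] = [] }
  def self.subscribe(worker, to:); @subscriptions[to] << worker; end

  # Synchronous dispatch; the real store enqueues each subscriber as a Sidekiq job.
  def self.publish(event); @subscriptions[event.class].each { |w| w.perform(event.data) }; end
end

module VulnerabilityScanning
  class NewSbomComponentsEvent < MiniEventStore::Event
    def schema
      { "type" => "object", "required" => ["pipeline_id"],
        "properties" => { "pipeline_id" => { "type" => "integer" } } }
    end
  end

  # Subscriber stand-ins: each records the pipeline ids it was handed.
  class RecordingWorker
    class << self; attr_reader :handled; end
    def self.perform(data); (@handled ||= []) << data["pipeline_id"]; end
  end
  class UpsertVulnerabilitiesWorker < RecordingWorker; end
  class MarkAsResolvedWorker < RecordingWorker; end

  [UpsertVulnerabilitiesWorker, MarkAsResolvedWorker].each do |worker|
    MiniEventStore.subscribe(worker, to: NewSbomComponentsEvent)
  end
end

# Constructed pipeline stand-in and the default-branch gate the plan puts at the end of #perform.
Pipeline = Struct.new(:id, :ref, :default_branch) { def default_branch?; ref == default_branch; end }

def publish_if_default_branch(pipeline)
  return false unless pipeline.default_branch?
  MiniEventStore.publish(VulnerabilityScanning::NewSbomComponentsEvent.new(data: { "pipeline_id" => pipeline.id }))
  true
end
```

A feature-branch pipeline returns false without publishing, so neither worker runs for it; a malformed payload (for example a string pipeline_id) is rejected at construction, before any subscriber sees it.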
Verification steps
- Create an empty test project that has the dependency scanning template enabled.
- Open an MR that adds a vulnerable test project setup. A project from the security-products/tests group can be used to source this setup.
- Verify that the security MR widget and security tab for the pipeline show the new security findings.
  - If Show vulnerability findings created by Continuo... (#398628 - closed) has not been completed, verify that the findings have been created using the rails console.
- Before merging the MR, verify that the vulnerability report shows no vulnerabilities. Merge the MR and verify that the findings have been converted to vulnerabilities.
  - If Show vulnerability findings created by Continuo... (#398628 - closed) has not been completed, verify that the transition occurs for the project using the rails console.