
Scan newly ingested SBOM components of default branch

Why are we doing this work

After ingesting new CycloneDX SBOMs for the default branch, SBOM components need to be compared against known advisories, and vulnerabilities need to be ingested.

Ingesting vulnerabilities for the default branch involves many tasks all handled by ::Security::Ingestion::IngestReportSliceService.

This behavior is enabled by the feature flag that enables Continuous Scans.

This issue covers adding the trigger, worker and queue for initiating this process.

Detecting vulnerabilities in a pipeline is covered by Match SBOM components to known advisories (#371055 - closed).

NOTE: The processing that applies to any pipeline of any branch is covered by Store security findings detected in SBOMs when ... (#395704 - closed).

Relevant links

Non-functional requirements

Implementation plan

The implementation plan leverages the GitLab EventStore to decouple the subscribers from the events.

  • Add a new event to trigger a scan of new SBOM components of the default branch

    class VulnerabilityScanning::NewSbomComponentsEvent < Gitlab::EventStore::Event
      def schema
        {
          "type" => "object",
          "required" => ["pipeline_id"],
          "properties" => {
            "pipeline_id" => { "type" => "integer" },
          }
        }
      end
    end
  • Create a new subscriber to perform upserts e.g. VulnerabilityScanning::UpsertVulnerabilitiesWorker

  • Create a new subscriber to mark vulnerabilities as resolved e.g. VulnerabilityScanning::MarkAsResolvedWorker

  • Publish a VulnerabilityScanning::NewSbomComponentsEvent at the end of #perform for the worker implemented in Store security findings detected in SBOMs when ... (#395704 - closed). This should only occur when the pipeline belongs to the default branch.

  • Subscribe the VulnerabilityScanning::UpsertVulnerabilitiesWorker and VulnerabilityScanning::MarkAsResolvedWorker to the VulnerabilityScanning::NewSbomComponentsEvent event.
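As an added illustration, not GitLab's own code: a constructed in-memory stand-in for the wiring above, showing schema validation of the event payload, the default-branch guard on publishing, and the fan-out to both subscribers without the publisher naming them. The event and worker names are the issue's; the Gitlab::EventStore::Store class, the Pipeline struct and the marker strings returned by handle_event are assumptions made so the example runs offline.

```ruby
module Gitlab
  module EventStore
    class Event
      attr_reader :data
      # Reject payloads missing a required key before any subscriber runs.
      def initialize(data:)
        @data = data.transform_keys(&:to_s)
        missing = schema['required'] - @data.keys
        raise ArgumentError, "missing #{missing.join(',')}" if missing.any?
      end
    end

    # Constructed store: the publisher never names its subscribers, the store fans out.
    class Store
      def initialize
        @subs = Hash.new { |h, k| h[k] = [] }
      end
      def subscribe(worker, to:) = @subs[to] << worker
      def publish(event) = @subs[event.class].map { |w| w.new.handle_event(event) }
    end
  end
end

module VulnerabilityScanning
  class NewSbomComponentsEvent < Gitlab::EventStore::Event
    def schema
      { 'type' => 'object', 'required' => ['pipeline_id'],
        'properties' => { 'pipeline_id' => { 'type' => 'integer' } } }
    end
  end

  # Subscribers return a marker string here (assumption) so the fan-out is observable.
  class UpsertVulnerabilitiesWorker
    def handle_event(event) = "upsert:#{event.data['pipeline_id']}"
  end
  class MarkAsResolvedWorker
    def handle_event(event) = "resolve:#{event.data['pipeline_id']}"
  end
end

STORE = Gitlab::EventStore::Store.new
EVENT = VulnerabilityScanning::NewSbomComponentsEvent
STORE.subscribe(VulnerabilityScanning::UpsertVulnerabilitiesWorker, to: EVENT)
STORE.subscribe(VulnerabilityScanning::MarkAsResolvedWorker, to: EVENT)

# Constructed stand-in for Ci::Pipeline; the ingestion worker's #perform would
# call this last, so pipelines of non-default branches never trigger the scan.
Pipeline = Struct.new(:id, :default_branch)

def publish_if_default_branch(pipeline, store = STORE)
  return [] unless pipeline.default_branch
  store.publish(EVENT.new(data: { pipeline_id: pipeline.id }))
end
```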

Verification steps

Edited by Oscar Tovar