Add worker to scan newly ingested advisories

Why are we doing this work

After a new advisory is ingested, it needs to be matched against the SBOM component corpus in order to find vulnerable components.

This issue covers the follwing:

• Publish an EventStore event on ingestion.
• React to that event by trigger a new scan worker.
• Execute the scan service from that worker.

An advisory is ingested after being added to the advisory database, or after being updated. The scan worker and underlying scan service shouldn't assume that the advisory being processed is a new one.

Relevant links

Non-functional requirements

• Documentation:
• Feature flag: dependency_scanning_on_advisory_ingestion
• Performance:
• Testing:

Implementation plan

Tasks are all backend:

• Add an EventStore event to publish newly ingested advisories (following https://docs.gitlab.com/ee/development/event_store.html).
  • Add event for newly ingested advisories.
    • PackageMetadata::IngestedAdvisoryEvent to app/events/package_metadata/
    • Event is an object with required int advisory_id.
  • Add event subscriber.
    • Add PackageMetadata::AdvisoryScanWorker under https://gitlab.com/gitlab-org/gitlab/-/blob/master/ee/app/workers/package_metadata.
      • Includes Gitlab::EventStore::Subscriber.
      • Implements handle_event.
      • Hydrates PackageMetadata::Advisory using event.advisory_id.
      • Executes the scanning service implemented in Add service to match new advisory against the S... (#371065 - closed) with advisory as argument.
  • Register subscriber.
    • Add store.subscribe ::PackageMetadata::AdvisoryScanWorker, to: ::PackageMetadata::IngestedAdvisoryEvent to https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/event_store.rb.
  • Emit event on ingestion (this requires more code change and more testing so should probably be a separate MR).
    • Update PackageMetadata::Ingestion::Advisory::AdvisoryIngestionTask to return ingested advisory_ids by returning the data stored in @advisory_map https://gitlab.com/gitlab-org/gitlab/-/blob/master/ee/app/services/package_metadata/ingestion/advisory/ingestion_service.rb#L25
    • After ingestion PackageMetadata::SyncService emits one event for each advisory id.
    • Add feature flag package_metadata_advisory_scans to emit event when enabled.

Verification steps