
Add service to match new advisory against the SBOM component corpus

Why are we doing this work

This work covers the addition of a service responsible for discovering vulnerable SBOM components and adding vulnerabilities to the corresponding projects. This happens after a new security advisory is added to the advisory database, or when its affected range changes.

NOTE: A project might depend on multiple versions of a package, so a newly ingested advisory might match multiple SBOM components of the same project.

Relevant links

Non-functional requirements

Implementation plan

Prerequisite: Fetch SBOM components that match an advisory (#420042 - closed)

  • backend Add AdvisoryScanner to Gitlab::VulnerabilityScanning.
  • backend Add CreateVulnerabilityService. This creates a single vulnerability for a single affected component detected in a project.
    • Input: project, pipeline, location, affected component, advisory.
    • Build a report finding for the advisory and affected component.
    • If possible, refactor to reuse Vulnerability::FindingBuilder. #371065 (comment 1494210128)
    • Convert report finding to custom finding map (w/o security finding). See #371065 (comment 1493266758)
    • Ingest finding map using Security::Ingestion::IngestReportSliceService.

Follow-up issues

  • Ingest vulnerabilities from multiple projects at once, to improve the performance. #420768 (closed)
  • Auto-dismiss: Dismiss an existing vulnerability matching the advisory if the SBOM component version is no longer affected.
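The matching step behind the implementation plan above, and the auto-dismiss follow-up, as an added Ruby example that is not GitLab's code: an advisory's affected range is checked against a corpus of SBOM components, one finding is produced per matching component (so a project depending on several versions of the same package gets several findings), and existing findings whose component version is no longer in range are flagged for dismissal. The advisory and component shapes, the use of Gem::Requirement syntax for the affected range, and all helper names are assumptions for this illustration; the sample data is constructed.

```ruby
require 'rubygems' # Gem::Version / Gem::Requirement come from rubygems (stdlib)

# Assumed shapes for the illustration; the real models are not part of this example.
Advisory  = Struct.new(:identifier, :package_name, :affected_range, keyword_init: true)
Component = Struct.new(:project_id, :name, :version, keyword_init: true)
Finding   = Struct.new(:project_id, :advisory_id, :component_name, :component_version,
                       keyword_init: true)

# Assumption: affected_range is expressed as Gem::Requirement strings
# (e.g. [">= 4.0.0", "< 4.17.21"]); real advisory databases use their own syntax.
def affected_requirement(advisory)
  Gem::Requirement.new(advisory.affected_range)
end

# Return every component whose package name matches the advisory and whose
# version falls inside the affected range. No de-duplication by project:
# two vulnerable versions in the same project yield two components.
def affected_components(advisory, components)
  requirement = affected_requirement(advisory)
  components.select do |c|
    c.name == advisory.package_name &&
      requirement.satisfied_by?(Gem::Version.new(c.version))
  end
end

# One finding per affected component (mirrors "single vulnerability per component").
def findings_for(advisory, components)
  affected_components(advisory, components).map do |c|
    Finding.new(project_id: c.project_id, advisory_id: advisory.identifier,
                component_name: c.name, component_version: c.version)
  end
end

# Group findings by project so a caller can ingest each project's slice at once.
def findings_by_project(advisory, components)
  findings_for(advisory, components).group_by(&:project_id)
end

# Auto-dismiss candidate selection: findings for this advisory whose recorded
# component version no longer satisfies the (possibly updated) affected range.
def stale_findings(advisory, existing_findings)
  requirement = affected_requirement(advisory)
  existing_findings.select do |f|
    f.advisory_id == advisory.identifier &&
      !requirement.satisfied_by?(Gem::Version.new(f.component_version))
  end
end

# Constructed sample data (not real advisory or project data).
SAMPLE_ADVISORY = Advisory.new(identifier: 'EXAMPLE-ADV-0001', package_name: 'lodash',
                               affected_range: ['>= 4.0.0', '< 4.17.21'])
SAMPLE_COMPONENTS = [
  Component.new(project_id: 1, name: 'lodash',  version: '4.17.15'), # affected
  Component.new(project_id: 1, name: 'lodash',  version: '4.17.20'), # affected, same project
  Component.new(project_id: 1, name: 'lodash',  version: '4.17.21'), # fixed version
  Component.new(project_id: 2, name: 'lodash',  version: '3.10.1'),  # below range
  Component.new(project_id: 2, name: 'express', version: '4.18.2'),  # other package
  Component.new(project_id: 3, name: 'lodash',  version: '4.17.10')  # affected
].freeze

# Same advisory after its range was narrowed; 4.17.20 is no longer affected.
UPDATED_ADVISORY = Advisory.new(identifier: 'EXAMPLE-ADV-0001', package_name: 'lodash',
                                affected_range: ['>= 4.0.0', '< 4.17.20'])

if __FILE__ == $PROGRAM_NAME
  findings_by_project(SAMPLE_ADVISORY, SAMPLE_COMPONENTS).each do |project_id, findings|
    puts "project #{project_id}: #{findings.map(&:component_version).join(', ')}"
  end
  existing = findings_for(SAMPLE_ADVISORY, SAMPLE_COMPONENTS)
  puts "stale after range update: #{stale_findings(UPDATED_ADVISORY, existing).map(&:component_version).join(', ')}"
end
```

With the sample corpus, project 1 receives two findings (4.17.15 and 4.17.20), project 3 receives one, and project 2 none; after the range update, only the 4.17.20 finding is reported as stale, which is the case the auto-dismiss follow-up has to handle.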

Verification steps

We have to tamper with the advisories ingested by the backend to test this, so it can't be tested on production. However, it can be checked on production by adding affected dependencies right before ingesting the corresponding advisory from the GitLab Advisory Database.

On a staging environment,

  • Set up a project supported by Dependency Scanning (DS) and with vulnerable dependencies.
  • Include DS CI template, and trigger a pipeline for default branch.
  • Check vulnerabilities created from report or using SBOM-based dependency scanning findings for def... (&8026 - closed).
    • vulnerability report
    • pipeline page
  • Export a new advisory that matches a project dependency. 2 options:
    • Add a new vulnerability to the License DB exports (dev).
    • Prepare a NDJSON export file, and use instructions to sync offline instances.
  • Wait for the ingestion of the new advisory.
  • Check vulnerabilities created during the ingestion.


Edited by Oscar Tovar