Add service to match advisory affected ranges to SBOM component versions
Why are we doing this work
Because of the difficulties inherent in matching package versions against version ranges in advisories (see relevant links) it is initially best for MVC principles to do sbom_component_versions.version to vulnerability_advisories.affected_range matching in ruby code: #363073 (comment 1040916047)+
In order to facilitate this a new service is needed which can be used by callers to do matching between advisories and sbom components in their domains:
- Match SBOM components to known advisories (#371055 - closed)
- Add service to match new advisory against the S... (#371065 - closed)
This issue captures the work needed to implement this service.
Relevant links
- Use unified affected ranges in Gemnasium Vulner... (#220286)
- Assess accuracy of semver_dialects using gemnas... (#369238 - closed)
- #363073 (comment 1040916047)+
- https://gitlab.com/gitlab-org/vulnerability-research/foss/semver_dialects/-/blob/v1.1.0/lib/semver_dialects/commands/check_version.rb#L25
- https://gitlab.com/gitlab-org/security-products/tests/semver-assessment/-/blob/main/lib/vmatcher/matchers/semver.rb#L17
Non-functional requirements
-
Documentation: -
Feature flag: -
Performance: -
Testing: unit tests using rspec
Implementation plan
-
add semver_dialects gem to https://gitlab.com/gitlab-org/gitlab/-/blob/master/Gemfile -
add AdvisoryAffectedComponentMatcher, namespace TBD, being discussed in #371995 (comment 1334498305)- Allow service to accept a
purl_type, arange, and aversion(strings). - Convert the
purl_typeto the types used byVersionChecker.version_translate. - Return the result
VersionChecker.version_sat?.
- Allow service to accept a
See #371995 (comment 1339267322)
Verification steps
Edited by Fabien Catteau