Exclude Gemnasium's Dependency Scanning reports when scanning SBOM components
Why are we doing this work
As Continuous Scans for Dependency Scanning becomes the source of vulnerabilities, vulnerabilities listed in Dependency Scanning should no longer be ingested.
This behavior is enabled by the feature flag that enables Continuous Scans.
Relevant links
Non-functional requirements
-
Documentation: Part of Document vulnerability scanning of CycloneDX files (#416074 - closed) -
Feature flag: dependency_scanning_using_sbom_reports(#395692 (closed)) -
Performance: Add dashboard for monitoring logs and link to resource consumption monitoring. Need to investigate if possible to get baseline metrics to compare against. Some sample data in terms of latency, allocations, and cpu consumption with the artifact based approach can be helpful. -
Testing: Update existing specs to cover both states of the FF
Proposal
Don't ingest Dependency Scanning report when dependency_scanning_using_sbom_reports is enabled.
Implementation plan
Steps
- Create a feature flag named
dependency_scanning_using_sbom_reports - Update the
StoreScansService#grouped_report_artifactsmethod to exclude security reports produced by the gemnasium-dependency_scanning, gemnasium-maven-dependency_scanning, or gemnasium-python-dependency_scanning jobs when the FF is enabled for the project. Example in #398627 (comment 1451996695)- These are the names of the official names of the dependency scanning jobs supported by GitLab, so excluding these means that we only ingest the SBoM reports and not the DS reports. As a safety measure, this means that we can safely reuse the dependency scanning jobs if we turn off the FF.
Test Cases
| FF enabled? | Has gemnasium dependency scanning job(s)? | Has third party job(s)? | Result |
|---|---|---|---|
| Synthetic security reports for SBoMs + artifact security reports for third party jobs | |||
| Artifact security reports for third party jobs | |||
| No security reports | |||
| Artifact security reports for gemnasium + third party jobs | |||
| Artifact security reports for third party jobs | |||
| No security reports |
Verification steps
This is similar to #395704 (closed), but we no longer override the Dependency Scanning to skip the DS reports.
Feature test
To be tested an instance that's been synced up with the advisory database (#417191 (closed)).
- Set up a project compatible with GitLab Dependency Scanning (DS).
- Enable the feature for that project.
- Update the CI config for the default branch.
- Include the DS CI template
Override DS jobs so that they only upload CycloneDX SBOMs, and not the DS reports.- This triggers a pipeline for the default branch.
- Check
Securitytab of the pipeline page. - Check vulnerability report.
- Check dependency list.
- Create an MR that adds DS vulnerabilities.
- Check security MR widget (diff of DS vulnerabilities).
- Merge the MR.
- Check the new vulnerability report.
- Check the new dependency list.
Non-regression tests
Non-regression test for Container Scanning
- Set up a project compatible with both Container Scanning (CS) and Dependency Scanning (DS).
- Enable the feature for that project.
- Update the CI config for the default branch.
- Include CI templates for both CS and DS.
- Override DS jobs so that they only upload CycloneDX SBOMs, and not the DS reports.
- This triggers a pipeline for the default branch.
- Check
Securitytab of the pipeline page. - Check vulnerability report.
- Check dependency list.
Edited by Fabien Catteau