Spike: Identify best approach for marking vulnerabilities resolved in child pipelines
Time-box: 4 days
The purpose of this spike is to determine the simplest way to handle the child pipeline bug described in #393305 (closed).
At the time of writing, vulnerabilities are marked for resolution during the ingestion of a security report on the pipeline. The vulnerabilities to mark as resolved are calculated by comparing the list of vulnerabilities just detected by the scanner against the full list of vulnerabilities on the project. This list is filtered to those produced by the same scanner. Any vulnerabilities listed on the project of the given type that are not found in the current scan are marked as resolved.
This mechanism is problematic if the same scanner runs twice in different pipeline processes, i.e. child pipelines. In this case a race condition occurs: none of the vulnerabilities found by the first scan to finish are detected by the last scan to finish, so all of the vulnerabilities from the first scan are marked as resolved.
Presently the pipeline execution looks something like this. There is currently no way, based on the scanner alone, for each pipeline to reliably access the vulnerabilities generated by the other pipeline in the Mark Resolved step.
```mermaid
flowchart
pp[Parent Pipeline] --> cp1[Child Pipeline]
pp --> cp2[Child Pipeline]
cp1 --> ss1[Store Scans]
cp2 --> ss2[Store Scans]
ss1 --> ir1[Ingest Reports]
ss2 --> ir2[Ingest Reports]
ir1 --> mr1[Mark Resolved]
ir2 --> mr2[Mark Resolved]
```
Potential solutions
To keep the mechanism used currently, we will need some way to trigger the resolution step only once all scans have finished.
One proposed solution is to wait until all reports are stored before the ingestion step.
```mermaid
flowchart
pp[Parent Pipeline] --> cp1[Child Pipeline]
pp --> cp2[Child Pipeline]
cp1 --> ss1[Store Scans]
cp2 --> ss2[Store Scans]
ss1 --> x
ss2 --> x
x --> ir1[Ingest Reports]
ir1 --> mr1[Mark Resolved]
```
Alternatively, wait for all ingestion steps to complete before marking vulnerabilities as resolved.
```mermaid
flowchart
pp[Parent Pipeline] --> cp1[Child Pipeline]
pp --> cp2[Child Pipeline]
cp1 --> ss1[Store Scans]
cp2 --> ss2[Store Scans]
ss1 --> ir1[Ingest Reports]
ss2 --> ir2[Ingest Reports]
ir1 --> x
ir2 --> x
x --> mr1[Mark Resolved]
```
In both these cases we need a mechanism at x to wait until the relevant pipelines have finished.
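The race described above and the effect of the second proposed flow, as an added in-memory model (not GitLab's code; the `Vuln`, `ingest!` and `mark_resolved!` names and the scan data are constructed for this illustration):

```ruby
# Added illustration, not GitLab code; names are hypothetical, data constructed.
Vuln = Struct.new(:id, :scanner, :resolved)

# Vulnerabilities already on the project before this pipeline ran.
def existing_project
  [Vuln.new("old-1", "sast", false),                 # gone now; should be resolved
   Vuln.new("dep-1", "dependency_scanning", false)]  # other scanner; must be untouched
end

# Ingest Reports: store each finding of a scan on the project.
def ingest!(project, scanner, found_ids)
  found_ids.each do |id|
    project << Vuln.new(id, scanner, false) unless project.any? { |v| v.id == id }
  end
end

# Mark Resolved: project vulnerabilities from the same scanner that this scan
# did not report are marked resolved (the comparison described above).
def mark_resolved!(project, scanner, found_ids)
  project.each { |v| v.resolved = true if v.scanner == scanner && !found_ids.include?(v.id) }
end

def resolved_ids(project)
  project.select(&:resolved).map(&:id).sort
end

# Current flow: each child pipeline ingests, then resolves on its own.
def resolve_per_pipeline(scans)
  project = existing_project
  scans.each do |scanner, ids|
    ingest!(project, scanner, ids)
    mark_resolved!(project, scanner, ids)
  end
  resolved_ids(project)
end

# Proposed flow: wait at x until every child has ingested, then resolve once
# per scanner against the union of what all children reported.
def resolve_after_all(scans)
  project = existing_project
  scans.each { |scanner, ids| ingest!(project, scanner, ids) }
  scans.group_by(&:first).each do |scanner, group|
    mark_resolved!(project, scanner, group.flat_map(&:last))
  end
  resolved_ids(project)
end

# Constructed: both child pipelines run the same scanner; cp1 finishes first.
SCANS = [["sast", ["new-1"]], ["sast", ["new-2"]]]
```

With the current flow the second child's resolution step wrongly resolves `new-1`, while the deferred flow resolves only `old-1`.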
Expected outcomes
- An issue describing the proposed solution