Instructions to demo advisory scans

Why are we doing this work

There are a few technical tasks involved in running a demo of Continuous Vulnerability Scanning (CVS) on GitLab Advisory DB (GLAD) changes. These tasks need to be documented so that any team member can demo the feature.

See &11474 (comment 1586211475)

Further details

On a fresh self-managed instance, we can do the following:

  1. Disable the advisories sync by creating the vendor/package_metadata/advisories directory before enabling an Ultimate license. See https://docs.gitlab.com/ee/topics/offline/quick_start_guide.html#enabling-the-package-metadata-database
  2. Import a project that will match the advisories we're going to import.
  3. Run a pipeline for this project, so that its SBOM components are ingested.
  4. Unpack NDJSON export files in vendor/package_metadata/advisories.
  5. Load the Ultimate license.
  6. Sync with vendor/package_metadata/advisories.
    • On production, this should happen automatically every 5 minutes.
    • On development, this has to be triggered manually from the console. The environment variable PM_SYNC_IN_DEV must be set to true, otherwise the sync is skipped.
  7. Wait for the advisory scan jobs to be completed.
  8. Check the vulnerability report of the project created earlier.
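
The preparation steps above (1, 4 and 6) as an added helper script; this is example code written for this page, not part of the original issue or of GitLab itself. It assumes GITLAB_ROOT points at the GitLab checkout (or rails root) of the instance being demoed, that EXPORT_ARCHIVE is a .tar.gz containing the NDJSON export files, and that the sync can be triggered from a Rails runner via the worker name PackageMetadata::AdvisoriesSyncWorker; that class name is an assumption and should be checked against the GitLab source of the version you demo. The ordering guard matters: the advisories directory must exist before the Ultimate license is loaded, and the sync is only triggered once the directory actually contains .ndjson files and, in development, PM_SYNC_IN_DEV is set.

```shell
#!/bin/sh
# Added example (not part of the original issue): helper for the demo prep
# steps. Assumptions: GITLAB_ROOT is the GitLab rails root, EXPORT_ARCHIVE is a
# .tar.gz of NDJSON export files, and the worker class name used in
# trigger_dev_sync is assumed, not taken from the issue.
set -eu

GITLAB_ROOT="${GITLAB_ROOT:-.}"
ADVISORIES_DIR="$GITLAB_ROOT/vendor/package_metadata/advisories"

# Step 1: create the advisories directory. Its existence is what disables the
# automatic advisory sync, so it must exist BEFORE the Ultimate license is loaded.
prepare_advisories_dir() {
  mkdir -p "$1"
  printf '%s\n' "$1"
}

# Step 4: unpack the NDJSON export archive into the advisories directory.
unpack_exports() {
  archive="$1"; dest="$2"
  tar -xzf "$archive" -C "$dest"
}

# Count NDJSON files beneath a directory; a sync has nothing to load if this is 0.
count_ndjson() {
  find "$1" -type f -name '*.ndjson' | wc -l | tr -d ' '
}

# Step 6 precondition check. Returns 0 when it is sensible to trigger the sync:
# export files are present and, in development, PM_SYNC_IN_DEV=true is set
# (the sync is skipped otherwise).
sync_preconditions_ok() {
  dir="$1"; env_mode="$2"; pm_sync="$3"
  [ "$(count_ndjson "$dir")" -gt 0 ] || { echo "no .ndjson files in $dir" >&2; return 1; }
  if [ "$env_mode" = "development" ] && [ "$pm_sync" != "true" ]; then
    echo "PM_SYNC_IN_DEV must be set to true in development" >&2
    return 1
  fi
  return 0
}

# Step 6 (development): trigger the sync from the console via a Rails runner.
# The worker class name below is an assumption; verify it in the GitLab source.
trigger_dev_sync() {
  (cd "$GITLAB_ROOT" && PM_SYNC_IN_DEV=true bundle exec rails runner \
     'PackageMetadata::AdvisoriesSyncWorker.new.perform')
}

# Full flow for a development instance. Load the Ultimate license (step 5)
# between prepare and trigger; that part is a manual UI/console step.
main() {
  prepare_advisories_dir "$ADVISORIES_DIR" >/dev/null
  unpack_exports "${EXPORT_ARCHIVE:?set EXPORT_ARCHIVE to the .tar.gz of NDJSON exports}" "$ADVISORIES_DIR"
  echo "unpacked $(count_ndjson "$ADVISORIES_DIR") NDJSON file(s) into $ADVISORIES_DIR"
  echo "now load the Ultimate license, then re-run with 'sync' to trigger the dev sync"
}

case "${1:-}" in
  prepare) main ;;
  sync) sync_preconditions_ok "$ADVISORIES_DIR" "${RAILS_ENV:-development}" "${PM_SYNC_IN_DEV:-}" && trigger_dev_sync ;;
  *) ;;
esac
```

Run it as `EXPORT_ARCHIVE=exports.tar.gz ./demo_prep.sh prepare` before loading the license, then `PM_SYNC_IN_DEV=true ./demo_prep.sh sync` afterwards; on a production instance skip the `sync` step, since the scheduled sync picks the directory up on its own.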

The instructions for Performance test of advisory scans (#423578 - closed) are a good starting point.

See also #419550 (closed)

Implementation plan

  • Share instructions and resources to run a demo.
  • Share screenshots and/or video.

Edited by Fabien Catteau