Mismatch between name for trivy db between GitLab instance and license-db exporter
Summary
The exporter exports trivy db advisories with the type `trivy-db`.
The advisory model in the rails instance only accepts the types `glad` and `trivy`.
- model https://gitlab.com/gitlab-org/gitlab/-/blob/master/ee/app/models/package_metadata/advisory.rb#L14
- enum https://gitlab.com/gitlab-org/gitlab/-/blob/master/app/models/concerns/enums/package_metadata.rb#L7
Ingestion throws an error when advisory sync reaches the `trivy` purl_types: https://gitlab.com/gitlab-org/gitlab/-/blob/master/app/models/concerns/enums/sbom.rb#L18-22
Note that the `glad` purl_types succeed because they come first in the sync order.
Steps to reproduce
- Get an export file
- Checkout master branch
- Try to instantiate a `PackageMetadata::Advisory` from `PackageMetadata::AdvisoryDataObject` using the data above
Run the following script for an automation of these steps: `bundle exec rails runner validate_locally.rb`

`validate_locally.rb`:

```ruby
# Run inside the GitLab Rails environment: bundle exec rails runner validate_locally.rb
require 'json'
require 'net/http'
require 'uri'

t = Time.now

# Wolfi export from the advisory bucket; each line is one advisory as JSON (ndjson)
export_file = 'https://storage.googleapis.com/prod-export-advisory-bucket-1a6c642fc4de57d4/v2/wolfi/1700812896/000000000.ndjson'
advs = Net::HTTP.get URI(export_file)

advs.each_line do |adv_str|
  adv_hash = JSON.parse(adv_str)
  data_object = PackageMetadata::AdvisoryDataObject.create(adv_hash, 'wolfi')

  # Fails for records whose source is 'trivy-db': the model's enum only knows 'glad' and 'trivy'
  advisory = PackageMetadata::Advisory.new(
    advisory_xid: data_object.advisory_xid,
    source_xid: data_object.source_xid,
    published_date: data_object.published_date,
    title: data_object.title,
    description: data_object.description,
    cvss_v2: data_object.cvss_v2,
    cvss_v3: data_object.cvss_v3,
    identifiers: data_object.identifiers,
    urls: data_object.urls,
    created_at: t,
    updated_at: t
  )
end
```
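As an added, stand-alone illustration (not part of this issue's reproduction script and not GitLab code), the Ruby below mimics the enum rejection described above and dry-runs an export through it before any ingestion: it tallies, per source name, which records the model would accept or reject, and keeps going past malformed lines so one bad record cannot hide a systematic name mismatch. Assumptions: the accepted set is exactly `glad` and `trivy` as the linked enum suggests; the ndjson key layout (`advisory` -> `source`) and the sample records are constructed stand-ins, not the real export schema; the `aliases` option is a hypothetical hook standing in for the rename proposed under "Possible fixes".

```ruby
require 'json'

# Source identifiers the Rails advisory model accepts, per the enum linked in this issue.
ACCEPTED_SOURCES = %w[glad trivy].freeze

# Constructed ndjson sample. The "advisory" => "source" key layout is an assumed
# stand-in for the real export schema, not copied from the exporter.
SAMPLE_EXPORT = <<~NDJSON
  {"advisory":{"id":"GHSA-xxxx-example","source":"glad","title":"sample glad advisory"}}
  {"advisory":{"id":"CVE-0000-00001","source":"trivy-db","title":"sample trivy advisory"}}
  {"advisory":{"id":"CVE-0000-00002","source":"trivy-db","title":"another trivy advisory"}}
  this line is not JSON
NDJSON

# Mirrors what an ActiveRecord enum setter does with an unknown value: raise
# ArgumentError rather than persist something the model cannot represent.
def validate_source!(source)
  return source if ACCEPTED_SOURCES.include?(source)

  raise ArgumentError, "'#{source}' is not a valid source_xid"
end

# Dry-run of ingestion over an export. Counts, per source name, the records the
# model would accept or reject; malformed lines are tallied instead of aborting
# the pass. `aliases` maps exporter names onto model names and stands in for the
# rename proposed under "Possible fixes" (assumed shape, not a GitLab API).
def check_export(ndjson, aliases: {})
  report = { accepted: Hash.new(0), rejected: Hash.new(0), malformed: 0 }

  ndjson.each_line do |line|
    line = line.strip
    next if line.empty?

    begin
      raw = JSON.parse(line).fetch('advisory').fetch('source')
      source = validate_source!(aliases.fetch(raw, raw))
      report[:accepted][source] += 1
    rescue JSON::ParserError, KeyError
      report[:malformed] += 1
    rescue ArgumentError
      report[:rejected][raw] += 1
    end
  end

  report
end

if __FILE__ == $PROGRAM_NAME
  puts 'As shipped:'
  puts JSON.pretty_generate(check_export(SAMPLE_EXPORT))
  puts 'With the exporter name mapped onto the model name:'
  puts JSON.pretty_generate(check_export(SAMPLE_EXPORT, aliases: { 'trivy-db' => 'trivy' }))
end
```

Running it as a plain script (`ruby check_export.rb`) needs no Rails environment; on the sample it reports one accepted `glad` record, two rejected `trivy-db` records and one malformed line, and with the alias in place both `trivy-db` records are accepted as `trivy`. Pointing `check_export` at a real export file before a sync surfaces this class of mismatch as a count per source name rather than as a worker exception.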
Example Project
What is the current bug behavior?
Error is thrown when Advisory Sync gets to `trivy` advisories (`glad` advisories come first in the purl_type list and are processed OK).
What is the expected correct behavior?
No error should be thrown and `trivy` advisories should be synced.
Relevant logs and/or screenshots
Logs for the advisories sync worker https://log.gprd.gitlab.net/app/r/s/TNIn1
Example entry: https://log.gprd.gitlab.net/app/discover#/doc/AWNABDRwNDuQHTm2tH6l/pubsub-sidekiq-inf-gprd-003794?id=ipIKAowBRqPATMfg4IwI
Possible fixes
- Change advisory model: `trivy` renamed to `trivy-db`
- Update exporter: `trivy-db` renamed to `trivy`