CVS updates vulnerabilities when affected range is unchanged (no upsert)

Release notes

Problem to solve

When a security advisory is ingested into the Rails backend, Continuous Vulnerability Scanning (CVS) upserts vulnerabilities in projects. To save resources and speed up scans, CVS could instead update existing vulnerabilities when the advisory being ingested already exists, and when the affected packages and version ranges haven't changed.

Proposal

When syncing the backend with the Package Metadata DB and ingesting advisories, publish a distinct event when an advisory is updated but its affected packages and their affected version ranges are unchanged. In that case, update the existing vulnerabilities in projects instead of upserting them.
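As an added illustration of the proposal (example code, not GitLab's own), the sketch below compares the affected packages and version ranges of an already-ingested advisory with the incoming one, publishes a distinct event when they are unchanged, and in that case only updates the advisory-derived fields of the vulnerabilities already linked to it. The struct shapes, event names and sample advisories are constructed placeholders, not GitLab's real classes or identifiers; the comparison canonicalizes ranges so that reordered constraints or packages do not trigger a needless upsert.

```ruby
# Added example (not GitLab's code): the decision CVS could make when an
# advisory is re-ingested. Event names, structs and sample data are
# constructed placeholders, not GitLab's real classes or identifiers.

Advisory = Struct.new(:id, :title, :severity, :affected_packages, keyword_init: true)
AffectedPackage = Struct.new(:purl_type, :name, :affected_ranges, keyword_init: true)
Vulnerability = Struct.new(:project_id, :advisory_id, :title, :severity, keyword_init: true)

module AdvisoryIngestion
  # Hypothetical event names standing in for whatever the backend publishes.
  UPSERT_EVENT = :advisory_affected_ranges_changed
  UPDATE_EVENT = :advisory_updated_affected_ranges_unchanged

  # A range such as ">=6.0.0 <6.1.7" is a conjunction of constraints, so the
  # order of constraints, ranges and packages must not affect the comparison.
  def self.canonical_range(range)
    range.split.sort.join(' ')
  end

  def self.affected_fingerprint(advisory)
    advisory.affected_packages.map do |pkg|
      [pkg.purl_type, pkg.name, pkg.affected_ranges.map { |r| canonical_range(r) }.sort]
    end.sort
  end

  def self.ranges_unchanged?(existing, incoming)
    !existing.nil? && affected_fingerprint(existing) == affected_fingerprint(incoming)
  end

  # Returns which event to publish and which path the consumer should take.
  def self.decide(existing, incoming)
    if ranges_unchanged?(existing, incoming)
      { event: UPDATE_EVENT, action: :update_existing_vulnerabilities }
    else
      { event: UPSERT_EVENT, action: :upsert_vulnerabilities }
    end
  end

  # The cheap path: refresh advisory-derived fields on vulnerabilities already
  # linked to this advisory; no rescan and no new records are created.
  def self.update_existing(vulnerabilities, incoming)
    vulnerabilities.select { |v| v.advisory_id == incoming.id }.each do |v|
      v.title = incoming.title
      v.severity = incoming.severity
    end
  end
end

# Constructed sample data.
EXISTING_ADVISORY = Advisory.new(
  id: 'ADV-EXAMPLE-1', title: 'Old title', severity: 'medium',
  affected_packages: [
    AffectedPackage.new(purl_type: 'gem', name: 'rails',
                        affected_ranges: ['>=6.0.0 <6.1.7', '>=7.0.0 <7.0.4'])
  ]
)

# Same affected set, only reordered, plus a severity change: update, do not upsert.
INCOMING_SAME_RANGES = Advisory.new(
  id: 'ADV-EXAMPLE-1', title: 'New title', severity: 'high',
  affected_packages: [
    AffectedPackage.new(purl_type: 'gem', name: 'rails',
                        affected_ranges: ['<7.0.4 >=7.0.0', '>=6.0.0 <6.1.7'])
  ]
)

# A new range was added: the affected set changed, so the full upsert runs.
INCOMING_NEW_RANGE = Advisory.new(
  id: 'ADV-EXAMPLE-1', title: 'New title', severity: 'high',
  affected_packages: [
    AffectedPackage.new(purl_type: 'gem', name: 'rails',
                        affected_ranges: ['>=6.0.0 <6.1.7', '>=7.0.0 <7.0.4', '>=7.1.0 <7.1.2'])
  ]
)

PROJECT_VULNS = [
  Vulnerability.new(project_id: 1, advisory_id: 'ADV-EXAMPLE-1', title: 'Old title', severity: 'medium'),
  Vulnerability.new(project_id: 2, advisory_id: 'ADV-OTHER', title: 'Other', severity: 'low')
]

if __FILE__ == $PROGRAM_NAME
  p AdvisoryIngestion.decide(EXISTING_ADVISORY, INCOMING_SAME_RANGES)
  p AdvisoryIngestion.decide(EXISTING_ADVISORY, INCOMING_NEW_RANGE)
  p AdvisoryIngestion.decide(nil, INCOMING_NEW_RANGE)
end
```

The fingerprint only canonicalizes whitespace and ordering; a production implementation would parse the version constraints so that semantically equal but differently written ranges also compare equal, and a first-time advisory (no existing record) always takes the upsert path.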

Further details

Intended users

Feature Usage Metrics

Does this feature require an audit event?

Edited by Fabien Catteau