CVS updates vulnerabilities when affected range is unchanged (no upsert)
Problem to solve
When a security advisory is ingested into the Rails backend, Continuous Vulnerability Scanning (CVS) upserts vulnerabilities in projects. To save resources and speed up scans, CVS could instead update existing vulnerabilities when the advisory being ingested already exists, and when the affected packages and version ranges haven't changed.
Proposal
When syncing the backend with the Package Metadata DB and ingesting advisories, publish a distinct event when an advisory is updated but its affected packages and their affected version ranges don't change. On that event, update the existing vulnerabilities in projects instead of upserting them.
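As an added illustration of the branching this proposal describes (example code, not GitLab's own; `ingestion_event`, `VulnerabilityStore`, the `EX-0001` advisory and the dependency data are all assumptions), the ingestion side compares the affected packages and ranges of the stored advisory against the incoming one, publishes a distinct event when only metadata changed, and the scanning side updates existing vulnerabilities in place on that event rather than re-evaluating dependencies and upserting:

```ruby
# Added example, not GitLab code. All names and sample data are assumptions.
require 'rubygems' # Gem::Requirement / Gem::Version are used for range checks

Advisory = Struct.new(:identifier, :title, :severity, :affected_packages, keyword_init: true)
# Each affected package is a hash such as { name: 'rack', affected_range: '< 2.2.3' }.

# Normalised view of what the scanner matches dependencies against. If this
# is unchanged, the set of dependencies that match cannot change either.
def affected_fingerprint(advisory)
  advisory.affected_packages.map { |p| [p[:name], p[:affected_range]] }.sort
end

# Event the ingestion service publishes for a given (existing, incoming) pair.
def ingestion_event(existing, incoming)
  return :advisory_created if existing.nil?
  return :advisory_updated if affected_fingerprint(existing) == affected_fingerprint(incoming)

  :advisory_affected_range_changed
end

# In-memory stand-in for the vulnerabilities table, keyed by
# [project_id, package_name, advisory_identifier].
class VulnerabilityStore
  attr_reader :records, :upserts, :updates

  def initialize
    @records = {}
    @upserts = 0
    @updates = 0
  end

  # Full scan path: evaluate every dependency against the range and upsert.
  def upsert_from_scan(advisory, dependencies)
    advisory.affected_packages.each do |pkg|
      req = Gem::Requirement.new(pkg[:affected_range])
      dependencies.each do |dep|
        next unless dep[:name] == pkg[:name] && req.satisfied_by?(Gem::Version.new(dep[:version]))

        key = [dep[:project], dep[:name], advisory.identifier]
        @records[key] = { title: advisory.title, severity: advisory.severity, version: dep[:version] }
        @upserts += 1
      end
    end
  end

  # Cheap path: the affected range is unchanged, so only refresh advisory
  # metadata on the vulnerabilities that already reference this advisory.
  def update_existing(advisory)
    @records.each do |key, rec|
      next unless key[2] == advisory.identifier

      rec[:title] = advisory.title
      rec[:severity] = advisory.severity
      @updates += 1
    end
  end
end

# Routes the published event to the matching scanner behaviour.
def ingest(store, existing, incoming, dependencies)
  event = ingestion_event(existing, incoming)
  if event == :advisory_updated
    store.update_existing(incoming)
  else
    store.upsert_from_scan(incoming, dependencies)
  end
  event
end

# Constructed walkthrough: create, metadata-only update, then a range change.
def demo
  deps = [
    { project: 1, name: 'rack', version: '2.2.0' },
    { project: 2, name: 'rack', version: '2.2.3' },
    { project: 2, name: 'nokogiri', version: '1.0.0' }
  ]
  v1 = Advisory.new(identifier: 'EX-0001', title: 'DoS in rack', severity: 'medium',
                    affected_packages: [{ name: 'rack', affected_range: '< 2.2.3' }])
  v2 = v1.dup.tap { |a| a.severity = 'high' }                       # range unchanged
  v3 = v2.dup.tap { |a| a.affected_packages = [{ name: 'rack', affected_range: '< 2.2.4' }] }

  store = VulnerabilityStore.new
  events = [ingest(store, nil, v1, deps), ingest(store, v1, v2, deps), ingest(store, v2, v3, deps)]
  { events: events, upserts: store.upserts, updates: store.updates, record_count: store.records.size }
end
```

The second ingestion touches only the one existing vulnerability (one update, no dependency evaluation), while the third, where the range widens to include `2.2.3`, falls back to the scan-and-upsert path and creates the additional vulnerability in project 2.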
Further details
- https://gitlab.com/gitlab-org/gitlab/-/blob/8ee03240ec604443ace43ed1be666d8e505c7a12/ee/app/services/security/vulnerability_scanning/create_vulnerability_service.rb#L33
- https://gitlab.com/gitlab-org/gitlab/-/blob/8ee03240ec604443ace43ed1be666d8e505c7a12/ee/lib/gitlab/vulnerability_scanning/advisory_scanner.rb#L109
- https://gitlab.com/gitlab-org/gitlab/-/blob/68b43fa1730ad5e9a6415a4626732d109e566aa5/ee/app/services/package_metadata/ingestion/advisory/ingestion_service.rb#L39-42
Edited by Fabien Catteau