[CS For Registry] Set report_type to CONTAINER_SCANNING_FOR_REGISTRY for sbom vulnerabilities
Description
- During vulnerability ingestion by advisory scanner, set the vulnerability report type(vulnerability.report_type) to CONTAINER_SCANNING_FOR_REGISTRY.
- After this step, vulnerabilities returned by
report_type: CONTAINER_SCANNING
should not have these vulnerabilities. - This is only required for vulnerabilities created by SBOM under this issues
User Impact
No direct user impact as this is a backend implementation. Although, make sure that user does not see the vulnerabilities created by registry event in development or OCS vulnerability tab.
Non-functional requirements
-
Benchmarking: Assess the performance impact of using the newly introduced data for filtering. -
Testing: Add unit tests/specs.
Implementation plan
- Add new enum container_scanning_for_registry
ee/app/models/concerns/ee/enums/vulnerability.rb
- set report_type to sbom_source.source_type in
ee/lib/gitlab/vulnerability_scanning/container_scanning/finding_builder.rb
- In finding builder
ee/lib/gitlab/vulnerability_scanning/finding_builder.rb
add support for container_scanning_for_registry
Verification steps
- Ingest a SBOM report with
metadata.tools
as registry event set as a part of [CS For Registry] Set SBOM occurrence source to... (#443634 - closed) - Verify that db records are created as per the requirements.
- Run advisory scanner and report parser.
- Verify that the vulnerabilities are created with report_type: CONTAINER_SCANNING_FOR_REGISTRY
Edited by Aditya Tiwari