
Create an event when an SBOM is ingested that will trigger CVS

Introduction

Currently, CVS is triggered when a new advisory is detected. The Rails backend finds projects with potentially affected packages and, if their versions are indeed affected, creates the respective vulnerability.

However, we do not create a vulnerability when:

  • a package's version changes and the new version is affected by existing advisories
  • a new package is added that is affected by existing advisories

Proposal

Vulnerabilities should be added to or removed from a project whenever its SBOMs change. We can achieve this by triggering CVS on SBOM changes. To do that we need an event that triggers a worker, which in turn initiates CVS.

Implementation Plan

  • Create IngestedSbomEvent. This event is published by ::Sbom::Ingestion::IngestReportsService once SBOM ingestion has completed, and it should contain only the pipeline_id: given the pipeline_id, we can look up all the related sbom_occurrences IDs without including them in the event itself. The event must be published only after the SBOM ingestion is complete (so within the then block).
IngestedSbomEvent

New event file: app/events/sbom/ingested_sbom_event.rb

# frozen_string_literal: true

module Sbom
  # Published once SBOM ingestion for a pipeline has completed; carries only
  # the pipeline_id, from which the related sbom_occurrences can be looked up.
  class IngestedSbomEvent < ::Gitlab::EventStore::Event
    def schema
      {
        'type' => 'object',
        'properties' => {
          'pipeline_id' => { 'type' => 'integer' }
        },
        'required' => %w[pipeline_id]
      }
    end
  end
end
  • Create a feature flag gating the whole feature (triggering CVS on SBOM ingestion).
  • Publish the event after ingesting the SBOM.
Publish event

We should probably also add a check on the feature flag. In other words, publish the event if and only if there are ingested_ids and the feature flag is enabled.

index 6c034dd47a0d..c3687dc3e337 100644
--- a/ee/app/services/sbom/ingestion/ingest_reports_service.rb
+++ b/ee/app/services/sbom/ingestion/ingest_reports_service.rb
@@ -12,7 +12,14 @@ def initialize(pipeline)
       end
 
       def execute
-        ingest_reports.then { |ingested_ids| delete_not_present_occurrences(ingested_ids) }
+        ingest_reports.then do |ingested_ids|
+          delete_not_present_occurrences(ingested_ids)
+          unless ingested_ids.empty?
+            Gitlab::EventStore.publish(
+              Sbom::IngestedSbomEvent.new(data: { pipeline_id: pipeline.id })
+            )
+          end
+        end
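Review bot: the feature-flag gate described in the text above is missing from this hunk; `unless ingested_ids.empty?` publishes for every non-empty ingestion regardless of the flag. Suggest gating on both conditions, e.g. `if ingested_ids.any? && Feature.enabled?(:<flag name to be chosen>, pipeline.project)`, so the flag actually controls the new behaviour. Also note that `execute` now returns the value of the `unless` expression rather than the result of `delete_not_present_occurrences`; worth confirming no caller relies on the previous return value.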
  • Write the related RSpec tests.
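To make the proposed contract concrete, here is a stand-alone Ruby model (added here, not GitLab's code) of the flow: schema validation of the event data, the publish gate from the proposal (ingested IDs present and the feature flag enabled), and a subscriber standing in for the worker that would start CVS. EventStore, publish_after_ingestion, run_scenario and the flag_enabled parameter are hypothetical names, and the pipeline and occurrence ids are constructed.

```ruby
# Stand-alone model of the proposed flow (not GitLab code, see lead-in).
class SchemaError < StandardError; end
# Minimal event base enforcing the `required` keys and `properties` types
# that the proposed IngestedSbomEvent schema expresses.
class Event
  attr_reader :data
  def initialize(data:)
    schema = self.class.schema
    @data = data.transform_keys(&:to_s)
    schema['required'].each do |key|
      raise SchemaError, "missing #{key}" unless @data.key?(key)
    end
    schema['properties'].each do |key, spec|
      klass = Object.const_get(spec['type'].capitalize) # 'integer' -> Integer
      next if !@data.key?(key) || @data[key].is_a?(klass)
      raise SchemaError, "#{key} must be #{spec['type']}"
    end
  end
end
class IngestedSbomEvent < Event
  def self.schema
    { 'type' => 'object', 'required' => %w[pipeline_id],
      'properties' => { 'pipeline_id' => { 'type' => 'integer' } } }
  end
end
# In-process store; handlers run synchronously here, whereas the proposal
# hands the event to a worker that then initiates CVS.
class EventStore
  def initialize; @subscribers = Hash.new { |h, k| h[k] = [] }; end
  def subscribe(klass, handler); @subscribers[klass] << handler; end
  def publish(event); @subscribers[event.class].each { |h| h.call(event) }; end
end
# The gate from the proposal: publish only when ingestion produced occurrences
# and the (hypothetical) feature flag is enabled. Returns whether it published.
def publish_after_ingestion(store, pipeline_id, ingested_ids, flag_enabled:)
  return false if ingested_ids.empty? || !flag_enabled
  store.publish(IngestedSbomEvent.new(data: { pipeline_id: pipeline_id }))
  true
end

# Two constructed ingestions (pipeline 10 with occurrences, 11 with none);
# returns the pipeline ids the CVS stand-in subscriber was asked to scan.
def run_scenario(flag_enabled:)
  store = EventStore.new
  scanned = []
  store.subscribe(IngestedSbomEvent, ->(e) { scanned << e.data['pipeline_id'] })
  publish_after_ingestion(store, 10, [1, 2], flag_enabled: flag_enabled)
  publish_after_ingestion(store, 11, [], flag_enabled: flag_enabled)
  scanned
end
```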
Edited by Nick Ilieskou