Create an event when an SBOM is ingested that will trigger CVS
Introduction
Currently, CVS is triggered when a new advisory is detected. The Rails backend finds projects with potentially affected packages and, if their versions are indeed affected, creates the respective vulnerabilities.
However, we do not create a vulnerability when:
- the version of a package is changed and hence affected by existing advisories
- a new package is added that is affected by existing advisories
Proposal
Vulnerabilities are added to or removed from a project whenever its SBOMs change. We can achieve this by triggering CVS on SBOM changes. To do that we need an event that triggers a worker, which in turn initiates CVS.
Implementation Plan
- Create `IngestedSbomEvent`. This is an event published by `::Sbom::Ingestion::IngestReportsService` once the SBOM ingestion is completed. The event should contain the `pipeline_id`. Given the `pipeline_id` we can find all the related `sbom_occurrences_id` without adding them to the event itself. The event should be published only after the SBOM ingestion is complete (so within the `then` block).

  `IngestedSbomEvent` and a new event file: `app/events/sbom/ingested_sbom_event.rb`
```ruby
# frozen_string_literal: true

module Sbom
  # Published once SBOM ingestion for a pipeline has completed. It carries only
  # the pipeline_id; the related sbom_occurrences are looked up from it later.
  class IngestedSbomEvent < ::Gitlab::EventStore::Event
    def schema
      {
        'type' => 'object',
        'properties' => {
          'pipeline_id' => { 'type' => 'integer' }
        },
        'required' => %w[pipeline_id]
      }
    end
  end
end
```
- Create a feature flag for the whole feature of triggering CVS on SBOM ingestion.
- Publish an event after ingesting the SBOM.

Publish event

We should probably also add a check on the feature flag. In other words, publish the event if and only if there are `ingested_ids` and the feature flag is enabled.
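The flow proposed above, end to end, as an added example (not GitLab's code): a toy event store whose base `Event` validates the payload against the schema hash, the `IngestedSbomEvent` with its `pipeline_id`, the publish step gated on both non-empty `ingested_ids` and a feature flag, and a worker that resolves the occurrence ids from the `pipeline_id` instead of receiving them in the event. `ToyEventStore`, `TriggerCvsWorker`, the `flag_enabled:` keyword (standing in for the real flag lookup) and the occurrence table are all constructed here; only the event name and its payload come from the issue.

```ruby
# Added example (not GitLab's code): a self-contained stand-in for the event
# flow this issue proposes. ToyEventStore, TriggerCvsWorker, the flag_enabled
# keyword and the sample occurrence table are constructed here; only the event
# name and its pipeline_id payload come from the issue.
module ToyEventStore
  # Stand-in for ::Gitlab::EventStore::Event: validates `data` against the
  # subclass's schema hash on construction, so a malformed payload fails early.
  class Event
    attr_reader :data

    def initialize(data:)
      @data = data.transform_keys(&:to_s)
      validate!
    end

    def validate!
      missing = Array(schema['required']) - @data.keys
      raise ArgumentError, "missing #{missing.join(', ')}" unless missing.empty?

      schema['properties'].each do |key, spec|
        next unless @data.key?(key)
        ok = spec['type'] != 'integer' || @data[key].is_a?(Integer)
        raise ArgumentError, "#{key} must be #{spec['type']}" unless ok
      end
    end
  end

  @subscriptions = Hash.new { |h, k| h[k] = [] }

  def self.subscribe(event_class, handler)
    @subscriptions[event_class] << handler
  end

  def self.publish(event)
    @subscriptions[event.class].each { |handler| handler.call(event) }
  end
end

module Sbom
  # Same schema as the event proposed in the issue, on the toy base class.
  class IngestedSbomEvent < ToyEventStore::Event
    def schema
      {
        'type' => 'object',
        'properties' => { 'pipeline_id' => { 'type' => 'integer' } },
        'required' => %w[pipeline_id]
      }
    end
  end
end

# Mirrors the `.then` block in the proposed diff plus the feature-flag check the
# issue asks for; flag_enabled stands in for the real flag lookup (assumption).
# Returns true only when an event was actually published.
def publish_after_ingestion(pipeline_id, ingested_ids, flag_enabled:)
  return false if ingested_ids.empty? || !flag_enabled
  ToyEventStore.publish(Sbom::IngestedSbomEvent.new(data: { pipeline_id: pipeline_id }))
  true
end

# Constructed sample data standing in for the sbom_occurrences table.
SBOM_OCCURRENCES_BY_PIPELINE = { 42 => [101, 102, 103], 43 => [] }.freeze

# Toy worker: resolves occurrence ids from the pipeline_id carried by the event,
# which is why the event itself does not need to list them.
class TriggerCvsWorker
  attr_reader :handled

  def initialize
    @handled = []
  end

  def handle(event)
    pipeline_id = event.data['pipeline_id']
    @handled << [pipeline_id, SBOM_OCCURRENCES_BY_PIPELINE.fetch(pipeline_id, [])]
  end
end

# Exercises the publish gate and the subscriber; returns a hash of outcomes.
def run_demo
  worker = TriggerCvsWorker.new
  ToyEventStore.subscribe(Sbom::IngestedSbomEvent, worker.method(:handle))

  flag_off = publish_after_ingestion(42, [101, 102, 103], flag_enabled: false)
  empty_ids = publish_after_ingestion(43, [], flag_enabled: true)
  published = publish_after_ingestion(42, [101, 102, 103], flag_enabled: true)
  # A string pipeline_id must be rejected by the schema check.
  rejected = (Sbom::IngestedSbomEvent.new(data: { pipeline_id: '42' }) rescue :bad) == :bad

  { flag_off: flag_off, empty_ids: empty_ids, published: published,
    handled: worker.handled, schema_rejects_string_id: rejected }
end

puts run_demo.inspect if __FILE__ == $PROGRAM_NAME
```

Running the file prints the outcome hash: nothing is published while the flag is off or when `ingested_ids` is empty, the worker receives exactly one event for pipeline 42 and resolves its three occurrence ids from the table, and a `pipeline_id` of the wrong type is refused before it can reach any subscriber.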
index 6c034dd47a0d..c3687dc3e337 100644
--- a/ee/app/services/sbom/ingestion/ingest_reports_service.rb
+++ b/ee/app/services/sbom/ingestion/ingest_reports_service.rb
@@ -12,7 +12,14 @@ def initialize(pipeline)
end
def execute
- ingest_reports.then { |ingested_ids| delete_not_present_occurrences(ingested_ids) }
+ ingest_reports.then do |ingested_ids|
+ delete_not_present_occurrences(ingested_ids)
+ unless ingested_ids.empty?
+ Gitlab::EventStore.publish(
+ Sbom::IngestedSbomEvent.new(data: { pipeline_id: pipeline.id })
+ )
+ end
+ end
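Review bot: The only gate on publication is `unless ingested_ids.empty?`; the plan above says the event should go out only when there are ingested ids and the feature flag is enabled, so the hunk is missing the flag check (wrap the `Gitlab::EventStore.publish(...)` call in a `Feature.enabled?` condition once the flag is defined). Two follow-ups: with this guard a pipeline whose SBOM now contains no components deletes its occurrences but never triggers CVS, so vulnerabilities that should be removed are not re-evaluated, which seems at odds with the Proposal's "added to or removed"; and the `.then` block now evaluates to the result of the `unless` (nil when nothing is published) rather than the return of `delete_not_present_occurrences`, which is only fine if no caller relies on `execute`'s return value.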
- Write the related RSpec tests.
Edited by Nick Ilieskou