Show SBOM ingestion errors on the project level vulnerability report page
Why are we doing this work
With #364709 (closed), we added the ability for GitLab to ingest CycloneDX SBoMs. Currently, SBoMs are validated and the warnings + errors from schema validation are collected, but there is no way to show those errors to the end user.
The vulnerability report page is able to display a brief message when the most recent pipeline for the default branch encounters some ingestion issues with the relevant reports. SBOM ingestion errors could impact the vulnerability report by preventing Continuous Vulnerability Scans from creating vulnerabilities, so it will be useful to surface them here.
Relevant links
Non-functional requirements
Documentation: -
Feature flag: -
Performance: -
Testing:
Implementation plan
- BE (might already be done with #471317 (closed), depending on order of implementation): Store the ingestion errors for each pipeline in redis (1 redis key:value per pipeline) with a TTL of 30 days (to be adjusted if necessary). NB: we could go with storing errors only for the most recent pipeline for the purpose of this issue, but other needs will require having them per pipeline, so we're going with that. This logic can be added to the IngestReportsService like the set_latest_ingested_sbom_pipeline_id method call.
- BE: expose the latest SBOM pipeline's has_errors boolean value in the dashboard setup data (project_helper.rb).
- FE: the code is already ready to receive the error data. Though, the current UI seems to have a little glitch and the message is not displayed properly (see below). Let's try to fix it.
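Sketch of the BE part of the plan as an added example (not GitLab's code): one redis key:value per pipeline holding its SBOM ingestion errors with a 30-day TTL, and the has_errors boolean derived from it. The key layout, the error cap, the class names and the in-memory redis stand-in are assumptions made for illustration.

```ruby
require 'json'

# Added example, not GitLab's code: keep one redis key:value per pipeline
# holding that pipeline's SBOM ingestion errors, expiring after 30 days, and
# derive the has_errors boolean the dashboard setup data needs.
# Key layout, cap and class names are assumptions for illustration.
class SbomIngestionErrorStore
  TTL_SECONDS = 30 * 24 * 60 * 60 # 30 days, to be adjusted if necessary
  MAX_ERRORS = 100                # bound the size of a single redis value

  # `redis` must respond to set(key, value, ex:) and get(key), as the
  # redis-rb client does; the in-memory stub below mimics that subset.
  def initialize(redis)
    @redis = redis
  end

  def key_for(project_id, pipeline_id)
    "project:#{project_id}:sbom:pipeline:#{pipeline_id}:ingestion_errors"
  end

  # Called from report ingestion with the schema-validation errors collected
  # for this pipeline. Returns how many were stored (errors beyond the cap are dropped).
  def store(project_id:, pipeline_id:, errors:)
    kept = errors.first(MAX_ERRORS)
    payload = { 'errors' => kept, 'truncated' => errors.size > kept.size }
    @redis.set(key_for(project_id, pipeline_id), JSON.generate(payload), ex: TTL_SECONDS)
    kept.size
  end

  # Empty array when the key expired or the pipeline never stored errors.
  def errors_for(project_id:, pipeline_id:)
    raw = @redis.get(key_for(project_id, pipeline_id))
    raw.nil? ? [] : JSON.parse(raw).fetch('errors', [])
  end

  # Value to expose for the latest SBOM pipeline in the dashboard setup data.
  def has_errors?(project_id:, pipeline_id:)
    !errors_for(project_id: project_id, pipeline_id: pipeline_id).empty?
  end
end

# Constructed in-memory stand-in for redis so the example runs offline.
class FakeRedis
  def initialize; @data = {}; end
  def set(key, value, ex: nil); @data[key] = [value, ex]; 'OK'; end
  def get(key); @data.dig(key, 0); end
  def ttl(key); @data.dig(key, 1); end
end

STORE = SbomIngestionErrorStore.new(FakeRedis.new)
# Constructed sample errors, shaped like CycloneDX schema-validation messages.
SAMPLE_ERRORS = [
  { 'level' => 'error', 'message' => "property '/components/0/purl' is invalid" },
  { 'level' => 'warning', 'message' => "unsupported specVersion '1.1'" }
]
```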
Verification steps
Edited by Olivier Gonzalez