
Add support for security findings into pipeline security tab

Why are we doing this work

There is a need for displaying sbom-based security findings on the pipeline security tab.

Unlike Update MR widget to consider sbom based securit... (#490333 - closed, Oscar Tovar, Backlog), this one would require sbom-related security findings to be fetched as part of the findings_finder, which implies that Security::Finding records would be persisted. Therefore, the ingestion might require changes around store_grouped_scans_service and store_scans_service so that sbom report data is ingested. Another possible approach is to load the sbom data as a security report and reuse the whole ingestion flow as is.

Relevant links

Non-functional requirements

  • Documentation:
  • Feature flag:
  • Performance:
  • Testing:

Potential solution (Based on this PoC)

The implementation for this issue will probably fall somewhere between adding cyclonedx 100% into the security reports logic (parser, job artifacts, etc.) and replicating everything that is done for security reports for sbom reports.

This PoC lands in the middle: it updates some of the existing ingestion logic to include cyclonedx reports, the two existing related GraphQL endpoints, and their respective frontend code.

Implementation plan

MR 1: Update security_report_builder to gather vulnerabilities for affected packages

  • See diff for concept.

MR 2: Trigger vulnerability creation on SBOM ingestion when FF is enabled.

  • Add FF dependency_scanning_for_pipelines_with_cyclonedx_reports.
  • Update the #security_reports scope to include cyclonedx in the allowed file types when the FF is enabled.
  • Update the #security_report method so that it converts cyclonedx reports to a security report using the updated security_report_builder.
  • Update the security report file types.
  • Update the GraphQL types and the related constants.
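The following Ruby sketch illustrates both MR 1 (a builder that turns CycloneDX components into security-report findings by looking up affected packages) and MR 2 (gating the cyclonedx file type behind the feature flag). It is an added example written for this issue, not GitLab's security_report_builder or its feature-flag framework: the SBOM document, the advisory table standing in for the PMDB lookup, the advisory IDs, and every function name (security_report_file_types, build_findings, security_report_for, parse_purl, affected?) are constructed assumptions.

```ruby
require 'json'

# Constructed CycloneDX 1.4-style SBOM fragment (not a real project artifact).
SAMPLE_CYCLONEDX = <<~JSON
  {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
      {"type": "library", "name": "rails", "version": "6.1.3", "purl": "pkg:gem/rails@6.1.3"},
      {"type": "library", "name": "nokogiri", "version": "1.13.10", "purl": "pkg:gem/nokogiri@1.13.10"},
      {"type": "library", "name": "lodash", "version": "4.17.21", "purl": "pkg:npm/lodash@4.17.21"}
    ]
  }
JSON

# Constructed stand-in for the PMDB lookup: advisories keyed by package type and
# name, each with the first fixed version and a severity. IDs are placeholders.
ADVISORY_DB = {
  %w[gem rails]  => [{ id: 'ADV-PLACEHOLDER-1', fixed_in: '6.1.7', severity: 'high' }],
  %w[npm lodash] => [{ id: 'ADV-PLACEHOLDER-2', fixed_in: '4.17.20', severity: 'medium' }]
}.freeze

# Hypothetical feature-flag store; the flag name is the one proposed in MR 2.
FEATURE_FLAGS = { dependency_scanning_for_pipelines_with_cyclonedx_reports: false }.freeze

# Illustrative base list of security report file types (assumption).
BASE_FILE_TYPES = %w[dependency_scanning container_scanning sast].freeze

def feature_enabled?(flags = FEATURE_FLAGS)
  flags.fetch(:dependency_scanning_for_pipelines_with_cyclonedx_reports, false)
end

# MR 2: cyclonedx is only an allowed security report file type when the FF is on.
def security_report_file_types(flags = FEATURE_FLAGS)
  feature_enabled?(flags) ? BASE_FILE_TYPES + ['cyclonedx'] : BASE_FILE_TYPES
end

# Minimal purl split: "pkg:gem/rails@6.1.3" -> ["gem", "rails", "6.1.3"].
# Namespaces and qualifiers are not decoded here; a real parser must handle them.
def parse_purl(purl)
  m = purl.match(%r{\Apkg:([^/]+)/(.+)@([^@?#]+)})
  return nil unless m

  [m[1], m[2], m[3]]
end

# A component is affected when its version is below the first fixed version.
# Unparsable versions produce no finding rather than a false positive.
def affected?(version, fixed_in)
  Gem::Version.new(version) < Gem::Version.new(fixed_in)
rescue ArgumentError
  false
end

# MR 1: gather findings for affected packages in security-report shape.
def build_findings(sbom_json, db = ADVISORY_DB)
  sbom = JSON.parse(sbom_json)
  sbom.fetch('components', []).flat_map do |component|
    type, name, version = parse_purl(component['purl'].to_s)
    next [] unless type

    db.fetch([type, name], []).filter_map do |adv|
      next unless affected?(version, adv[:fixed_in])

      {
        'category' => 'dependency_scanning',
        'severity' => adv[:severity],
        'identifiers' => [{ 'type' => 'advisory', 'name' => adv[:id], 'value' => adv[:id] }],
        'location' => { 'dependency' => { 'package' => { 'name' => name }, 'version' => version } },
        'solution' => "Upgrade to #{adv[:fixed_in]} or later"
      }
    end
  end
end

# Converts a cyclonedx report to a security report, or returns nil when the FF
# keeps cyclonedx out of the allowed file types (so nothing is ingested).
def security_report_for(sbom_json, flags = FEATURE_FLAGS)
  return nil unless security_report_file_types(flags).include?('cyclonedx')

  { 'scan' => { 'type' => 'dependency_scanning' }, 'vulnerabilities' => build_findings(sbom_json) }
end

if __FILE__ == $PROGRAM_NAME
  enabled = { dependency_scanning_for_pipelines_with_cyclonedx_reports: true }
  puts JSON.pretty_generate(security_report_for(SAMPLE_CYCLONEDX, enabled))
end
```

With the flag off the converter returns nil, which mirrors the verification steps below: the same report uploaded to a project without the FF yields no findings on the Security tab. With the flag on, only rails (6.1.3 < 6.1.7) produces a finding; lodash is already at or above its fixed version and nokogiri has no advisory in the table.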

Verification steps

  1. Enable the FF for project/group
  2. Run a job in an MR that uploads a CycloneDX report.
    • The report must have components that have a corresponding vulnerability in the PMDB.
  3. Navigate to the Security tab for the pipeline, and verify that the vulnerabilities for CVS are displayed.
  4. In a separate project with the FF disabled, run a job in an MR that uploads the same CycloneDX report as before.
  5. Navigate to the Security tab for the pipeline, and verify that the vulnerabilities for CVS are not displayed.
Edited by Oscar Tovar