Sync the advisory vendor status from Trivy-DB into PMDB
Why are we doing this work
To implement features based on the vendor status of a given advisory, this information must be made available to the Rails platform. One example is filtering which Container Scanning findings should be created based on the vendor status (unknown, fixed, not_affected, etc.). See epic for more details: Support CS_IGNORE_STATUSES in Continuous Vulner... (&15362)
The first step is to store this value in the PMDB when syncing the Trivy-DB source. Currently, the status property is not part of the retained information: https://gitlab.com/gitlab-org/security-products/license-db/license-feeder/-/blob/main/data/trivy-db/trivydb.go
This information is available in the upstream data: https://github.com/aquasecurity/trivy-db/blob/32c63a9af03ffd449a6ffb4471745b6ec9714875/pkg/types/types.go#L111
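The following is an added sketch of the two steps described above, not code from license-feeder or Trivy-DB: retaining the vendor status at sync time, then filtering on it downstream. The record shape, function names, sample IDs and the comma-separated ignore list are assumptions made for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// advisory is a hypothetical retained record (JSON keys match case-insensitively).
type advisory struct{ ID, Status string }

// constructedFeed is sample data built for this example, not real Trivy-DB output.
const constructedFeed = `[{"id":"EXAMPLE-1","status":"fixed"},{"id":"EXAMPLE-2","status":"not_affected"},{"id":"EXAMPLE-3"}]`

func norm(s string) string { return strings.ToLower(strings.TrimSpace(s)) }

// syncAdvisories keeps the vendor status and stores "unknown" when it is missing,
// so downstream consumers never have to interpret an empty value.
func syncAdvisories(feed string) ([]advisory, error) {
	var advs []advisory
	if err := json.Unmarshal([]byte(feed), &advs); err != nil {
		return nil, fmt.Errorf("decode feed: %w", err)
	}
	for i := range advs {
		if advs[i].Status = norm(advs[i].Status); advs[i].Status == "" {
			advs[i].Status = "unknown"
		}
	}
	return advs, nil
}

// reportable returns the IDs whose status is not in the comma-separated ignore list.
func reportable(advs []advisory, ignore string) []string {
	skip := map[string]bool{}
	for _, s := range strings.Split(ignore, ",") {
		skip[norm(s)] = true
	}
	var ids []string
	for _, a := range advs {
		if !skip[a.Status] {
			ids = append(ids, a.ID)
		}
	}
	return ids
}

func main() {
	advs, err := syncAdvisories(constructedFeed)
	fmt.Println(reportable(advs, "not_affected, unknown"), err)
}
```

Because a missing status is stored as "unknown", an ignore list that contains "unknown" also drops advisories for which the source gave no status at all.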
Relevant links
Non-functional requirements
-
Documentation: -
Feature flag: -
Performance: -
Testing: