Export the advisory vendor status from PMDB

Why are we doing this work

To implement features based on the vendor status of a given advisory, this information must be made available to the Rails platform, for instance to filter which Container Scanning findings are created based on the vendor status (unknown, fixed, not_affected, etc.). See the epic for more details: Support CS_IGNORE_STATUSES in Continuous Vulner... (&15362)

The first step is to store this value in the PMDB when syncing the Trivy-DB source. This is tracked in Sync the advisory vendor status from Trivy-DB i... (#498301)

This issue covers the second step: adding this property to the NDJSON exports we generate into the GCP buckets (see https://gitlab.com/gitlab-org/security-products/license-db/license-exporter/-/blob/main/data/trivy/trivy.go).

Before rolling out this change, we should carefully consider the impact of updating all Trivy advisories at once. Adding the new property changes the exported record of every advisory that has a status, so all of these advisories will likely be re-exported, and every GitLab Rails instance (GitLab.com, Dedicated, and self-managed) will re-sync them all.
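The following is an added example, not code from license-exporter or trivy.go. It assumes a simplified advisory record shape and a `vendor_status` field name (both assumptions) and shows two things a practitioner would check before rolling this out: that `omitempty` keeps the NDJSON line byte-identical for advisories whose status has not been synced yet, and how many advisories would change (and therefore be re-exported and re-synced) when the property is written for all of them at once.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Advisory is an assumed, simplified record shape for an exported Trivy
// advisory; the real struct in license-exporter may differ.
type Advisory struct {
	Identifier  string `json:"identifier"`
	PackageName string `json:"package_name"`
	// VendorStatus is the new property (field name is an assumption).
	// omitempty keeps the serialized line unchanged for records whose
	// status has not been synced, so only records that actually gained a
	// status produce a changed export line.
	VendorStatus string `json:"vendor_status,omitempty"`
}

// ExportLine renders one NDJSON line: a JSON object followed by a newline.
func ExportLine(a Advisory) (string, error) {
	b, err := json.Marshal(a)
	if err != nil {
		return "", err
	}
	return string(b) + "\n", nil
}

// ExportNDJSON renders a full NDJSON document, one advisory per line.
func ExportNDJSON(advisories []Advisory) (string, error) {
	out := ""
	for _, a := range advisories {
		line, err := ExportLine(a)
		if err != nil {
			return "", err
		}
		out += line
	}
	return out, nil
}

// ChangedCount estimates the re-export impact: it counts advisories whose
// export line differs between the previous snapshot and the new one,
// matched by identifier. Records present only in `after` count as changed.
func ChangedCount(before, after []Advisory) (int, error) {
	prev := make(map[string]string, len(before))
	for _, a := range before {
		line, err := ExportLine(a)
		if err != nil {
			return 0, err
		}
		prev[a.Identifier] = line
	}
	changed := 0
	for _, a := range after {
		line, err := ExportLine(a)
		if err != nil {
			return 0, err
		}
		if prev[a.Identifier] != line {
			changed++
		}
	}
	return changed, nil
}

func main() {
	// Constructed sample data with placeholder identifiers, not real advisories.
	before := []Advisory{
		{Identifier: "ADV-1", PackageName: "libfoo"},
		{Identifier: "ADV-2", PackageName: "libbar"},
	}
	// Writing a status for every advisory at once: every line changes.
	after := []Advisory{
		{Identifier: "ADV-1", PackageName: "libfoo", VendorStatus: "fixed"},
		{Identifier: "ADV-2", PackageName: "libbar", VendorStatus: "not_affected"},
	}
	n, err := ChangedCount(before, after)
	if err != nil {
		panic(err)
	}
	fmt.Printf("advisories that would be re-exported: %d of %d\n", n, len(after))
	doc, _ := ExportNDJSON(after)
	fmt.Print(doc)
}
```

Running `ChangedCount` against a real previous export and a candidate new one gives the number of records every Rails instance would re-sync; if that is effectively the whole Trivy data set, the rollout needs to be staged (for example by writing the status in batches) rather than done in one export.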

Relevant links

Non-functional requirements

  • Documentation:
  • Feature flag:
  • Performance:
  • Testing:

Implementation plan

Verification steps

Edited by Olivier Gonzalez