
Update vulnerable SBOM occurrences after scanning an SBOM file

Why are we doing this work

As we want to replace the ingestion of the Dependency Scanning security report artifact with the Dependency Scan of SBOM files, we must ensure the required functionality is kept.

Currently, for a given pipeline the security reports are always ingested before the SBOM reports. Then, when ingesting the SBOM report, we mark vulnerable occurrences and link them to the corresponding vulnerabilities.

However, in the Dependency Scanning for SBOM files process, the security scanning is done after the SBOM ingestion, and asynchronously:

  • the SBOM ingestion process publishes the Sbom::SbomIngestedEvent event when it completes
  • the Sbom::ProcessVulnerabilitiesWorker listens for that event and executes the Sbom::CreateVulnerabilitiesService

This means the latest DS vulnerabilities will be created after we have already tried to update the vulnerable SBOM occurrences, so those occurrences are never linked to them.

We must ensure the IngestOccurrencesVulnerabilities logic is also called after the security scan of SBOM files has completed.
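To make the ordering problem concrete, here is a small constructed Ruby model (added here, not GitLab code) of the flow described above: occurrences are ingested, the link step runs, and only then does the event-driven scan create vulnerabilities. The `Store`, `Occurrence`, `Vulnerability` and `run_pipeline` names, the event name `:sbom_ingested`, and the advisory data are assumptions standing in for the real `Sbom::SbomIngestedEvent`, `Sbom::CreateVulnerabilitiesService` and `IngestOccurrencesVulnerabilities` components.

```ruby
# Constructed model of the SBOM ingestion / vulnerability scan ordering.
# Names (Store, Occurrence, Vulnerability, :sbom_ingested) are assumptions.
require 'set'

Occurrence    = Struct.new(:purl, :vulnerability_ids)
Vulnerability = Struct.new(:id, :purl)

# Minimal in-memory store with a publish/subscribe hook that stands in for
# the event bus the Sbom::ProcessVulnerabilitiesWorker listens on.
class Store
  attr_reader :occurrences, :vulnerabilities

  def initialize
    @occurrences = []
    @vulnerabilities = []
    @subscribers = Hash.new { |h, k| h[k] = [] }
  end

  def subscribe(event, &handler)
    @subscribers[event] << handler
  end

  def publish(event, payload)
    @subscribers[event].each { |h| h.call(payload) }
  end
end

# Stands in for IngestOccurrencesVulnerabilities: link each occurrence to the
# vulnerabilities that exist *at the moment this runs*. Returns the number of
# occurrences that are now marked vulnerable.
def ingest_occurrences_vulnerabilities(store)
  by_purl = store.vulnerabilities.group_by(&:purl)
  store.occurrences.each do |occ|
    ids = (by_purl[occ.purl] || []).map(&:id)
    occ.vulnerability_ids = (occ.vulnerability_ids + ids).uniq
  end
  store.occurrences.count { |o| !o.vulnerability_ids.empty? }
end

# Stands in for Sbom::CreateVulnerabilitiesService: create a vulnerability for
# every occurrence whose purl matches an advisory (constructed advisory data).
def create_vulnerabilities(store, advisories)
  store.occurrences.each do |occ|
    next unless advisories.include?(occ.purl)
    store.vulnerabilities << Vulnerability.new(store.vulnerabilities.size + 1, occ.purl)
  end
end

# Simulate one pipeline. With relink_after_scan: false only the pre-scan link
# step runs (the gap described in the issue); with true the link step is also
# invoked once the scan has completed.
def run_pipeline(relink_after_scan:)
  store = Store.new
  advisories = Set['pkg:npm/lodash@4.17.20']   # constructed advisory data

  store.subscribe(:sbom_ingested) do |s|
    create_vulnerabilities(s, advisories)            # the async scan
    ingest_occurrences_vulnerabilities(s) if relink_after_scan
  end

  store.occurrences << Occurrence.new('pkg:npm/lodash@4.17.20', [])
  store.occurrences << Occurrence.new('pkg:npm/express@4.18.2', [])
  ingest_occurrences_vulnerabilities(store)          # runs before any scan
  store.publish(:sbom_ingested, store)
  store.occurrences.count { |o| !o.vulnerability_ids.empty? }
end

puts "without relink: #{run_pipeline(relink_after_scan: false)} vulnerable occurrence(s)"
puts "with relink:    #{run_pipeline(relink_after_scan: true)} vulnerable occurrence(s)"
```

Without the post-scan call the lodash occurrence stays unlinked because no vulnerability existed when the link step ran; invoking the same link logic after the scan completes is what the fix described in this issue adds.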

NB: this logic is also missing from the CVS on advisory change process, though that can be addressed in a follow-up issue if necessary.

Relevant links

Non-functional requirements

  • Documentation:
  • Feature flag:
  • Performance:
  • Testing:

Implementation plan

Verification steps

  1. Create a project with the following files:

     .gitlab-ci.yml

     gl-sbom-npm-npm.cdx.json

  2. Run the pipeline on the default branch.

  3. Before the FF is enabled, the dependency list page will display the following: Screenshot_2025-02-03_at_19.09.02

  4. Enable the update_sbom_occurrences_vulnerabilities_on_cvs FF and run a new pipeline on the default branch.

  5. The dependency list page will now display the following: Screenshot_2025-02-03_at_19.11.26

Edited by Zamir Martins