
Add configuration options to disable SBOM based features (CVS)


Release notes

Problem to solve

As we move from CI-based security scans to SBOM-based security scans in the Rails platform, users have no way to disable the features that are enabled automatically when an SBOM is provided.

Indeed, as soon as a compatible SBOM report artifact is provided via a CI job, it will automatically enable several features:

  • Dependency list (Group level and Project level)
  • License Scanning of CycloneDX files
  • Continuous Vulnerability Scanning (scan when a new Advisory is published)
    • for Dependency Scanning package types
    • for Container Scanning package types
    • for Container Scanning for the Container Registry
  • Security Scanning of SBOM files (similar to the legacy Dependency Scanning and Container Scanning); this will be disabled by Disable DS Scan on SBOM report after pipeline c... (#546429) once DS using SBOM GA is completed.
    • for Dependency Scanning package types (Application packages)
    • ~~for Container Scanning package types (Operating System packages)~~

However, some customers might want only some of these features enabled for their project. For instance, a user might want the Dependency List populated but already use their own Dependency Scanning solution and provide its security report artifact to populate the Vulnerability Management system. Currently there is no way to disable the built-in Dependency Scanning feature when ingesting the SBOM report, nor Continuous Vulnerability Scanning. These features might not follow the configuration the customer has applied to their own DS solution and thus create vulnerability records they don't want.

Proposal

In the Security Configuration page we should add new toggles to allow granular enablement of these features. Following our "working by default" philosophy, each toggle's default value should be "enabled". Here is a list of toggles we could add:

  • CVS on advisory changes for DS purl types
  • CVS on advisory changes for CS purl types
  • License Scanning

TBD:

  • Is it worth distinguishing CS and DS purl types in CVS-related features?
  • Is it relevant to add a toggle for the dependency list?
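An added illustration of the semantics the proposed toggles imply, written as hypothetical Ruby and not GitLab's own code: a constructed CycloneDX SBOM is split by purl type into the DS (application package) and CS (OS package) families, and the two proposed CVS toggles decide which components an advisory change would still be matched against. The purl-type mapping, the toggle names and the SBOM are assumptions.

```ruby
require 'json'

# Constructed sample CycloneDX SBOM (not a real GitLab artifact): two application
# packages and one OS package, distinguished only by their purl type.
SAMPLE_SBOM = <<~JSON
  {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
      { "name": "lodash",   "version": "4.17.20",  "purl": "pkg:npm/lodash@4.17.20" },
      { "name": "openssl",  "version": "1.1.1k-1", "purl": "pkg:deb/debian/openssl@1.1.1k-1" },
      { "name": "requests", "version": "2.25.0",   "purl": "pkg:pypi/requests@2.25.0" }
    ]
  }
JSON

# Assumed mapping of purl types to the two scanner families named in the issue:
# OS package types belong to Container Scanning, everything else to Dependency Scanning.
CS_PURL_TYPES = %w[deb rpm apk].freeze

def purl_type(purl)
  purl[%r{\Apkg:([^/]+)/}, 1]
end

def scanner_family(purl)
  CS_PURL_TYPES.include?(purl_type(purl)) ? :container_scanning : :dependency_scanning
end

# Hypothetical per-project toggles, defaulting to enabled as the proposal requires.
DEFAULT_TOGGLES = { cvs_ds_purl_types: true, cvs_cs_purl_types: true }.freeze

# Returns the purls that CVS would still evaluate on an advisory change under the given toggles.
def cvs_candidates(sbom_json, toggles = DEFAULT_TOGGLES)
  toggles = DEFAULT_TOGGLES.merge(toggles)
  JSON.parse(sbom_json).fetch('components', []).filter_map do |component|
    purl = component['purl'] or next
    toggle = scanner_family(purl) == :container_scanning ? :cvs_cs_purl_types : :cvs_ds_purl_types
    purl if toggles[toggle]
  end
end

if __FILE__ == $PROGRAM_NAME
  # With DS-type CVS disabled, only the OS package remains a candidate.
  puts cvs_candidates(SAMPLE_SBOM, cvs_ds_purl_types: false)
end
```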

Intended users

Feature Usage Metrics

Does this feature require an audit event?

Edited by 🤖 GitLab Bot 🤖