Static reachability is not being propagated after the ingestion

Summary

Static reachability is not being properly updated because Sbom::OccurrencesVulnerability is not being properly populated during the SBoM ingestion process. This results in vulnerabilities not being associated with dependencies in the dependency list, and consequently, reachability information is not propagated correctly.

Steps to reproduce

  1. Configure a project with dependency scanning that generates SBoM reports with reachability data
  2. Run the security pipeline
  3. Check the dependency list for vulnerabilities associated with dependencies
  4. Observe that Sbom::OccurrencesVulnerability records are missing or incomplete

Example Project

https://gitlab.com/gitlab-org/secure/tests/nilieskou/static-reachability-demo

What is the current bug behavior?

  • Reachability information is not properly updated
  • Sbom::OccurrencesVulnerability is not properly populated
  • Vulnerabilities are not associated with dependencies in the dependency list

What is the expected correct behavior?

  • Sbom::OccurrencesVulnerability should be properly populated during SBoM ingestion
  • Vulnerabilities should be correctly associated with their corresponding dependencies
  • Reachability information should be accurately reflected in the dependency list

Root Cause

The issue is caused by filtering logic in Sbom::Ingestion::VulnerabilityData#fetch_vulnerabilities_info, which excludes vulnerability occurrences whose resolved_on_default_branch flag is set to true.

By the time vulnerability_occurrences are fetched during the ingestion process in Sbom::Ingestion::Tasks::IngestOccurrences, these records already have resolved_on_default_branch set to true, causing them to be filtered out and preventing proper population of Sbom::OccurrencesVulnerability.

This filtering behavior may be related to changes introduced in Remove feature flag to hide no longer detected ... (!208218 - merged).

Relevant logs and/or screenshots

When the filtering logic is updated locally, the expected behavior is achieved with proper vulnerability associations and reachability information displayed in the dependency list.

Possible fixes

Update the filtering logic in Sbom::Ingestion::VulnerabilityData#fetch_vulnerabilities_info to handle the timing of when resolved_on_default_branch is set, ensuring that vulnerability occurrences are not incorrectly filtered out during the SBoM ingestion process.
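Added illustration of the root cause and the proposed fix described above; this is constructed example code, not GitLab's own, and every class, method and record in it is hypothetical. It models the join step with plain Structs and shows that a filter which drops occurrences already marked resolved_on_default_branch at ingestion time leaves the occurrence/vulnerability join empty, while a hypothetical variant that keeps them produces the expected rows.

```ruby
# Hypothetical stand-ins for the ingestion records (not GitLab's models).
VulnerabilityOccurrence = Struct.new(:id, :package_name, :resolved_on_default_branch, keyword_init: true)
SbomOccurrence = Struct.new(:id, :package_name, keyword_init: true)

# Models the filter described in the root cause: occurrences already flagged
# as resolved on the default branch are dropped before any association is built.
def fetch_vulnerabilities_info_filtered(vuln_occurrences)
  vuln_occurrences.reject(&:resolved_on_default_branch)
end

# Hypothetical fix for this step: do not exclude on the flag here, so the
# join rows exist and reachability can be attached to them later.
def fetch_vulnerabilities_info_unfiltered(vuln_occurrences)
  vuln_occurrences
end

# Builds the occurrence <-> vulnerability join rows by matching package names.
def build_occurrences_vulnerabilities(sbom_occurrences, vuln_occurrences)
  by_pkg = vuln_occurrences.group_by(&:package_name)
  sbom_occurrences.flat_map do |sbom|
    (by_pkg[sbom.package_name] || []).map do |vuln|
      { sbom_occurrence_id: sbom.id, vulnerability_occurrence_id: vuln.id }
    end
  end
end

# Constructed data: by the time IngestOccurrences runs, the flag is already true.
VULN_OCCURRENCES = [
  VulnerabilityOccurrence.new(id: 1, package_name: "lodash", resolved_on_default_branch: true),
  VulnerabilityOccurrence.new(id: 2, package_name: "minimist", resolved_on_default_branch: true)
].freeze

SBOM_OCCURRENCES = [
  SbomOccurrence.new(id: 10, package_name: "lodash"),
  SbomOccurrence.new(id: 11, package_name: "minimist"),
  SbomOccurrence.new(id: 12, package_name: "express")
].freeze

# With the filter: nothing survives, so no join rows are created (the bug).
def join_rows_with_filter
  build_occurrences_vulnerabilities(SBOM_OCCURRENCES, fetch_vulnerabilities_info_filtered(VULN_OCCURRENCES))
end

# Without the filter: both vulnerable packages get their join rows.
def join_rows_without_filter
  build_occurrences_vulnerabilities(SBOM_OCCURRENCES, fetch_vulnerabilities_info_unfiltered(VULN_OCCURRENCES))
end

puts "with filter: #{join_rows_with_filter.size} rows, without: #{join_rows_without_filter.size} rows"
```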
