Skip to content

Draft: Trigger vulnerability scanning on CycloneDX report uploads

What does this MR do and why?

This MR changes the way that security reports are detected. Before the change to continuous vulnerability scanning, individual reports were used per analyzer. With the move to SBOM based scans, we are no longer using this format, and are now instead sourcing our findings from the SBOMs instead. This MR introduces the first change in this direction by considering security reports created by the Gitlab::VulnerabilityScanning::SbomScanner.report method in addition to the artifacts uploaded, e.g. dependency_scanning, dast, sast, etc.

There are a couple of areas where this is done:

  • The Ci::Build class
  • The Ci::Pipeline class
  • The Ci::JobArtifact class
  • The Ci::MergeRequest class
  • The Security::StoreScansService class

Relates to #398627 Closes #395704 (closed)

This MR is the first in a series of related changes:

Screenshots or screen recordings

Screenshots are required for UI changes, and strongly recommended for all other merge requests.

Before After

How to set up and validate locally

Numbered steps to set up and validate the change are strongly suggested.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Oscar Tovar

Merge request reports