Draft: Trigger vulnerability scanning on CycloneDX report uploads
What does this MR do and why?
This MR changes the way that security reports are detected. Before the change to continuous vulnerability scanning, individual reports were used per analyzer. With the move to SBOM-based scans, we are no longer using this format, and are instead sourcing our findings from the SBOMs. This MR introduces the first change in this direction by considering security reports created by the Gitlab::VulnerabilityScanning::SbomScanner.report method in addition to the artifacts uploaded, e.g. dependency_scanning, dast, sast, etc.
There are a couple of areas where this is done:
- The Ci::Build class
- The Ci::Pipeline class
- The Ci::JobArtifact class
- The Ci::MergeRequest class
- The Security::StoreScansService class
Relates to #398627
Closes #395704 (closed)
This MR is the first in a series of related changes:
- Draft: Add service to match SBOM components and... (!126954 - closed)
- Draft: Create vulnerability scanning SBOM scanner (!127370 - closed)
- Draft: Trigger vulnerability scanning on Cyclon... (!127396 - closed) 👈
- Draft: Exclude gemnasium security reports when ... (!127443 - closed)
Screenshots or screen recordings
Screenshots are required for UI changes, and strongly recommended for all other merge requests.
How to set up and validate locally
Numbered steps to set up and validate the change are strongly suggested.
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.