Scan projects for newly reported advisories
What does this MR do and why?
This MR introduces the AdvisoryScanner class responsible for iterating through all projects with the Dependency Scanning feature, and creating a vulnerability on projects that contain a software component affected by a new advisory, e.g. a new CVE. The general process looks like the following.
This MR adds a new Sbom::PossiblyAffectedOccurrencesFinder class. It takes as input a purl_type and name of a possibly affected package and returns an ActiveRecord relation containing PossiblyAffectedComponent objects (detected in default branches of projects). This will be used by the AdvisoryScanner as part of Add service to match new advisory against the S... (#371065 (closed)).
1. New advisories are ingested.
2. For each affected package, use Sbom::PossiblyAffectedOccurrencesFinder#execute_in_batches to get a list of matching Sbom::Occurrence objects.
3. Filter down that list by matching on projects that:
   - have dependency scanning enabled
   - have a vulnerable component, i.e. their version range is within the affected range.
4. Take the final list of projects, pipeline, and components pairs, and create the vulnerabilities (with all required relations).
Step 2 is implemented as part of Add PossiblyAffectedOccurrencesFinder class (!128941 - merged) and this MR implements steps 3 and 4. This feature will not be deployed to production until [BE] Only scan projects for which continuous vu... (#424629 - closed) has been merged. This last issue ensures that we can selectively enable the feature to projects. Lastly, the advisory scanner only receives the advisories that have been published within the last 14 days (!130469 (comment 1539144988)).
Closes #371065 (closed)
Screenshots or screen recordings
Screenshots are required for UI changes, and strongly recommended for all other merge requests.
Demo of the continuous advisory vulnerability scanner in action
How to set up and validate locally
Numbered steps to set up and validate the change are strongly suggested.
1. Enable the feature flags on GDK:

   ```ruby
   Feature.enable(:package_metadata_synchronization)
   Feature.enable(:package_metadata_advisory_sync)
   Feature.enable(:dependency_scanning_on_advisory_ingestion)
   ```

2. Force sync in dev mode:

   ```shell
   export PM_SYNC_IN_DEV=true
   ```

3. Sync advisories:

   ```ruby
   PackageMetadata::AdvisoriesSyncWorker.new.perform
   ```

   The worker has a TTL of 5 mins to ensure that there is only one instance running at any given time. Unfortunately, this means that you might have to restart the worker to ensure that it syncs all available packages. You can check this by verifying the amount of NPM affected packages synced:

   ```ruby
   PackageMetadata::AffectedPackage.group(:purl_type).count
   ```

   The total for NPM should be around 3900.

4. Set up a project with a vulnerable package. See the example package.json that generates a vulnerable express component:

   ```json
   {
     "name": "express-js-webapp",
     "version": "1.0.0",
     "description": "",
     "main": "index.js",
     "scripts": {
       "test": "echo \"Error: no test specified\" && exit 1"
     },
     "keywords": [],
     "author": "",
     "license": "ISC",
     "dependencies": {
       "express": "^4.17.2"
     }
   }
   ```

5. Set up dependency scanning so that it doesn't upload a dependency scanning report:

   ```yaml
   include:
     - template: Jobs/Dependency-Scanning.gitlab-ci.yml

   variables:
     SECURE_LOG_LEVEL: debug

   gemnasium-dependency_scanning:
     after_script:
       - find $CI_PROJECT_DIR -name gl-dependency-scanning-report.json -exec rm -v '{}' +
   ```

6. Verify that the vulnerabilities for the project are empty. The following steps are in the rails console.

7. Find an advisory that affects the express project:

   ```ruby
   advisory = PackageMetadata::Advisory.where(advisory_xid: '3d83a0e0-db17-448c-a5f2-f3751fd07eb0').first
   ```

8. Execute the scan for the advisory across all projects:

   ```ruby
   PackageMetadata::AdvisoryScanService.execute(advisory)
   ```

9. In your browser reload the vulnerability report and observe the newly created vulnerability.

10. Re-run the scan and observe it does not create duplicates.
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
-
I have evaluated the MR acceptance checklist for this MR.
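The four-step process in the MR description (find occurrences for each affected package, keep only projects with dependency scanning enabled and a version inside the affected range, create the vulnerabilities, and stay idempotent on re-run as the last validation step checks) is easy to get wrong at the version comparison and at the deduplication key. The sketch below is an added example written for this page; it is not GitLab's AdvisoryScanner, AdvisoryScanService or finder code. The Struct classes and their field names, the range syntax it accepts ('<4.17.3', '>=4.0.0 <4.17.3'), the in-memory store standing in for the vulnerability tables, and all sample data are constructed assumptions; real advisories carry richer range expressions than this small parser handles.

```ruby
# Added illustration, not GitLab's code: match SBOM occurrences against an
# advisory's affected ranges and create vulnerabilities without duplicates.

# Constructed stand-ins for PackageMetadata::Advisory, AffectedPackage and
# Sbom::Occurrence; field names are assumptions made for this example.
Advisory = Struct.new(:advisory_xid, :affected_packages, keyword_init: true)
AffectedPackage = Struct.new(:purl_type, :package_name, :affected_range, keyword_init: true)
Occurrence = Struct.new(:project_id, :pipeline_id, :purl_type, :name, :version,
                        :dependency_scanning_enabled, keyword_init: true)

# Compare dotted numeric versions segment by segment, so that "4.17.2" sorts
# before "4.17.10" (a plain string comparison would get this wrong).
def version_cmp(a, b)
  as = a.split('.').map(&:to_i)
  bs = b.split('.').map(&:to_i)
  n = [as.size, bs.size].max
  as.fill(0, as.size...n)   # pad the shorter version with zeros
  bs.fill(0, bs.size...n)
  as <=> bs
end

# Parse a whitespace-separated, AND-ed constraint list such as ">=4.0.0 <4.17.3"
# (assumed syntax for this example) and check every constraint against version.
def version_in_range?(version, range)
  range.split(/\s+/).all? do |constraint|
    m = constraint.match(/\A(<=|>=|<|>|=)?(\d+(?:\.\d+)*)\z/) or
      raise ArgumentError, "unsupported constraint #{constraint.inspect}"
    c = version_cmp(version, m[2])
    case m[1] || '='
    when '<'  then c < 0
    when '<=' then c <= 0
    when '>'  then c > 0
    when '>=' then c >= 0
    else c.zero?
    end
  end
end

# Step 3: keep occurrences whose project has dependency scanning enabled and
# whose component (same purl type and name) has a version in the affected range.
def vulnerable_occurrences(advisory, occurrences)
  advisory.affected_packages.flat_map do |pkg|
    occurrences.select do |occ|
      occ.dependency_scanning_enabled &&
        occ.purl_type == pkg.purl_type &&
        occ.name == pkg.package_name &&
        version_in_range?(occ.version, pkg.affected_range)
    end.map { |occ| [pkg, occ] }
  end
end

# Step 4: create one vulnerability per (project, advisory, component, version).
# That key is what makes a second run a no-op rather than a duplicate finding.
# Returns the number of vulnerabilities created by this run.
def scan!(advisory, occurrences, store)
  created = 0
  vulnerable_occurrences(advisory, occurrences).each do |pkg, occ|
    key = [occ.project_id, advisory.advisory_xid, occ.purl_type, occ.name, occ.version]
    next if store.key?(key)

    store[key] = { project_id: occ.project_id, pipeline_id: occ.pipeline_id,
                   advisory_xid: advisory.advisory_xid,
                   component: "#{occ.name}@#{occ.version}",
                   affected_range: pkg.affected_range }
    created += 1
  end
  created
end

# Constructed sample data: one express advisory and four occurrences. Only
# project 1 is vulnerable (project 2 is patched, project 3 has no dependency
# scanning, the lodash entry is a different package with a matching version).
EXPRESS_ADVISORY = Advisory.new(
  advisory_xid: 'example-xid',
  affected_packages: [AffectedPackage.new(purl_type: 'npm', package_name: 'express',
                                          affected_range: '<4.17.3')]
)
SAMPLE_OCCURRENCES = [
  Occurrence.new(project_id: 1, pipeline_id: 10, purl_type: 'npm', name: 'express', version: '4.17.2', dependency_scanning_enabled: true),
  Occurrence.new(project_id: 2, pipeline_id: 20, purl_type: 'npm', name: 'express', version: '4.18.0', dependency_scanning_enabled: true),
  Occurrence.new(project_id: 3, pipeline_id: 30, purl_type: 'npm', name: 'express', version: '4.17.2', dependency_scanning_enabled: false),
  Occurrence.new(project_id: 1, pipeline_id: 10, purl_type: 'npm', name: 'lodash', version: '4.17.2', dependency_scanning_enabled: true)
]

if $PROGRAM_NAME == __FILE__
  store = {}
  puts "first run created:  #{scan!(EXPRESS_ADVISORY, SAMPLE_OCCURRENCES, store)}"  # 1
  puts "second run created: #{scan!(EXPRESS_ADVISORY, SAMPLE_OCCURRENCES, store)}"  # 0
end
```

The in-memory key lookup only illustrates the idempotency the last validation step checks; in a database-backed implementation the same tuple belongs in a uniqueness constraint (or an upsert), because two concurrently running scans can both pass a read-then-write check.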
Merge request reports
Activity
changed milestone to %16.3
added Category:Container Scanning Category:Dependency Scanning [DEPRECATED] Category:Software Composition Analysis Deliverable Enterprise Edition GitLab Ultimate SCA:Dependency Scanning WorkingGroupContinuousScanning [deprecated] Accepting merge requests backend devopssecure discoto featureenhancement groupcomposition analysis missed-deliverable missed:16.1 quad-planningcomplete-action sectionsec typefeature workflowin dev labels
assigned to @hacks4oats
2 Warnings
- 35aa3919: Commits that change 30 or more lines across at least 3 files should describe these changes in the commit body. For more information, take a look at our Commit message guidelines.
- featureaddition and featureenhancement merge requests normally have a documentation change. Consider adding a documentation update or confirming the documentation plan with the Technical Writer counterpart.
For more information, see:
- The Handbook page on merge request types.
- The definition of done documentation.
Reviewer roulette
Changes that require review have been detected!
Please refer to the table below for assigning reviewers and maintainers suggested by Danger in the specified category:
| Category | Reviewer | Maintainer |
|---|---|---|
| backend | Sylvester Chin (@schin1) (UTC+8, 12 hours ahead of @hacks4oats) | Madelein van Niekerk (@maddievn) (UTC+2, 6 hours ahead of @hacks4oats) |

Please check reviewer's status!
Feel free to override these selections if you think someone else would be better-suited or use the GitLab Review Workload Dashboard to find other available reviewers.
To read more on how to use the reviewer roulette, please take a look at the Engineering workflow and code review guidelines. Please consider assigning a reviewer or maintainer who is a domain expert in the area of the merge request.
Once you've decided who will review this merge request, assign them as a reviewer! Danger does not automatically notify them for you.
If needed, you can retry the danger-review job that generated this comment.
Generated by Danger
@hacks4oats Some end-to-end (E2E) tests should run based on the stage label.
Please start the trigger-omnibus-and-follow-up-e2e job in the qa stage and ensure tests in the follow-up-e2e:package-and-test-ee pipeline pass before this MR is merged. (E2E tests are computationally intensive and don't run automatically for every push/rebase, so we ask you to run this job manually at least once.)
To run all E2E tests, apply the pipeline:run-all-e2e label and run a new pipeline.
E2E test jobs are allowed to fail due to flakiness. See current failures at the latest pipeline triage issue.
Once done, apply the emoji on this comment.
For any questions or help, reach out on the internal #quality Slack channel.
Allure report
allure-report-publisher generated test report!
e2e-test-on-gdk: test report for 04b34a4c

```
+------------------------------------------------------------------+
|                          suites summary                          |
+-------------+--------+--------+---------+-------+-------+--------+
|             | passed | failed | skipped | flaky | total | result |
+-------------+--------+--------+---------+-------+-------+--------+
| Govern      | 33     | 0      | 1       | 0     | 34    | ✅     |
| Data Stores | 20     | 0      | 0       | 1     | 20    | ❗     |
| Create      | 38     | 0      | 0       | 0     | 38    | ✅     |
| Plan        | 51     | 0      | 0       | 0     | 51    | ✅     |
| Manage      | 12     | 0      | 1       | 0     | 13    | ✅     |
| Verify      | 8      | 0      | 0       | 0     | 8     | ✅     |
+-------------+--------+--------+---------+-------+-------+--------+
| Total       | 162    | 0      | 2       | 1     | 164   | ❗     |
+-------------+--------+--------+---------+-------+-------+--------+
```

added 11 commits
- bcacaa08 - 1 earlier commit
- 68b3e3c5 - Rescue only known error(s)
- d4ab556e - Remove the from_component class method
- a52d49e6 - Add CVS required attrs to Gitlab::Ci::Reports::Sbom::Component
- 7ca59671 - Add ComponentsFinder
- b14b00f5 - Rename classes
- e48efd50 - Clean up tests
- a42b82ce - Fix broken tests
- 13a2224d - Rename classes
- 0327dbc4 - Convert AffectedComponentFetcher to finder class
- b15d5da3 - [WIP] Add advisory scanner
A deleted user added database databasereview pending labels
changed milestone to %16.4
added missed:16.3 label
mentioned in merge request !128941 (merged)
mentioned in issue #422717 (closed)
added 1009 commits
- b15d5da3...cc2cbb45 - 1008 commits from branch 420042-fetch-sbom-components-that-match-an-advisory
- 7982f81f - [WIP] Add advisory scanner
added 4 commits
- 7982f81f...c3b9a131 - 3 commits from branch 420042-fetch-sbom-components-that-match-an-advisory
- 64d53b9e - [WIP] Add advisory scanner
added 3 commits
- 64d53b9e...79c107b0 - 2 commits from branch 420042-fetch-sbom-components-that-match-an-advisory
- 62ed6ae7 - [WIP] Add advisory scanner
- Resolved by Oscar Tovar