
Add vulnerability type container_scanning_for_registry

Aditya Tiwari requested to merge 443821-set-report-type-to-registry into master

What does this MR do and why?

  1. Add the vulnerability.report_type value container_scanning_for_registry, set during SBOM ingestion.
  2. Update the GraphQL projectVulnerabilities and vulnerabilitySeveritiesCount queries to support the container_scanning_for_registry report type.

The new report type container_scanning_for_registry is created to specifically identify vulnerabilities generated by the container scanning (CS) job triggered during a registry push event.

More info in epic.

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

How to set up and validate locally

  1. Create a project with the following SBOM:

    gl-sbom-report.cdx__4_.json

  2. Create a project with the following .gitlab-ci.yml:

    stages:
      - build

    manual-sbom-upload:
      stage: build
      script:
        - echo "hello, world!"
      artifacts:
        paths:
          - "**/gl-sbom-*.cdx.json"
        reports:
          cyclonedx: "**/gl-sbom-*.cdx.json"

  3. Verify that the DB records are created as per the requirements.

  4. Run the advisory scanner and report parser.

    1. Sample code:

    # Ingest the uploaded SBOM report for the latest pipeline
    pipeline = Ci::Pipeline.last

    # Local artifact path of the uploaded SBOM (from the author's GDK environment)
    path = "/Users/work/gitlab-development-kit/gitlab/shared/artifacts/59/e1/59e19706d51d39f66711c2653cd7eb1291c94d9b55eb14bda74ce4dc636d015a/2024_03_28/2397/1588/gl-sbom.cdx.json"
    parsed_data = JSON.parse(File.read(path))

    # Parse the CycloneDX document into an SBOM report object
    report = Gitlab::Ci::Reports::Sbom::Report.new
    Gitlab::Ci::Parsers::Sbom::Cyclonedx.new.parse!(parsed_data.to_json, report)

    vulnerabilities_info = Sbom::Ingestion::Vulnerabilities.new(pipeline)

    # Persist the SBOM occurrences for the pipeline
    Sbom::Ingestion::IngestReportService.execute(pipeline, report, vulnerabilities_info)

    For creating a vulnerability:

    # Build the affected component from the most recently ingested SBOM occurrence
    occurrence = Sbom::Occurrence.last
    affected_components = [Gitlab::VulnerabilityScanning::PossiblyAffectedComponent.from_sbom_occurrence(occurrence)]

    # Build (without persisting) a sample advisory from the test factory
    advisory = FactoryBot.build(:vs_advisory)

    response = ::Security::VulnerabilityScanning::CreateVulnerabilityService.execute(
      advisory: advisory, affected_components: affected_components)

    2. Verify that the vulnerabilities are created with report_type: CONTAINER_SCANNING_FOR_REGISTRY
    3. Go to the GraphQL explorer and run projectVulnerabilities and vulnerabilitySeveritiesCount with report type CONTAINER_SCANNING_FOR_REGISTRY
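One way to script the GraphQL check in the last step, as an added example rather than code from this MR: it builds the query for projectVulnerabilities and vulnerabilitySeveritiesCount filtered to CONTAINER_SCANNING_FOR_REGISTRY and validates the decoded response. It assumes the reportType filter argument on both fields, the /api/graphql endpoint, and placeholder GITLAB_URL/GITLAB_TOKEN environment variables.

```ruby
require 'json'
require 'net/http'
require 'uri'

REPORT_TYPE = 'CONTAINER_SCANNING_FOR_REGISTRY'

# Query both fields touched by this MR, filtered to the new report type.
# Assumption: both fields accept a reportType filter of [VulnerabilityReportType!].
QUERY = <<~GRAPHQL
  query($fullPath: ID!, $reportType: [VulnerabilityReportType!]) {
    project(fullPath: $fullPath) {
      vulnerabilities(reportType: $reportType) {
        nodes { id reportType severity }
      }
      vulnerabilitySeveritiesCount(reportType: $reportType) {
        critical high medium low info unknown
      }
    }
  }
GRAPHQL

def graphql_payload(full_path)
  { query: QUERY, variables: { fullPath: full_path, reportType: [REPORT_TYPE] } }
end

# Checks a decoded GraphQL response: every returned vulnerability must carry the
# new report type, and the severity counts should add up to the number of nodes
# (the second check only holds when all vulnerabilities fit in one page).
def check_registry_vulnerabilities(response)
  project = response.dig('data', 'project') or raise 'project missing from response'
  nodes = project.dig('vulnerabilities', 'nodes') || []
  wrong = nodes.reject { |n| n['reportType'] == REPORT_TYPE }.map { |n| n['id'] }
  counts = project['vulnerabilitySeveritiesCount'] || {}
  total = counts.values.compact.sum
  { vulnerability_count: nodes.size, severity_total: total, wrong_report_type: wrong,
    counts_match: total == nodes.size, ok: wrong.empty? }
end

# Posts the query to a GitLab instance. GITLAB_URL and GITLAB_TOKEN are placeholder
# environment variables for this example (a personal access token with read_api).
def fetch_registry_vulnerabilities(full_path, base_url: ENV.fetch('GITLAB_URL'), token: ENV.fetch('GITLAB_TOKEN'))
  uri = URI.join(base_url, '/api/graphql')
  req = Net::HTTP::Post.new(uri, 'Content-Type' => 'application/json', 'Authorization' => "Bearer #{token}")
  req.body = JSON.generate(graphql_payload(full_path))
  res = Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == 'https') { |http| http.request(req) }
  JSON.parse(res.body)
end
```

Run check_registry_vulnerabilities(fetch_registry_vulnerabilities('group/project')) against the local instance; wrong_report_type lists any vulnerability whose report type does not match, and counts_match flags a mismatch between the two queries.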

Related to #443821 (closed) and #443824 (closed)

Edited by Aditya Tiwari
