Add vulnerability type container_scanning_for_registry
What does this MR do and why?
- Add `container_scanning_for_registry` as a `vulnerability.report_type` value, set during SBOM ingestion.
- Update the GraphQL `projectVulnerabilities` and `vulnerabilitySeveritiesCount` resolvers to support the `container_scanning_for_registry` report type.
The new report type `container_scanning_for_registry` specifically identifies vulnerabilities generated by the container scanning (CS) job that is triggered by a registry push event.
More info in epic.
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
How to set up and validate locally
- Create a project with the following sbom
- Create the project with the following `.gitlab-ci.yml`:

```yaml
stages:
  - build

manual-sbom-upload:
  stage: build
  script:
    - echo "hello, world!"
  artifacts:
    paths:
      - "**/gl-sbom-*.cdx.json"
    reports:
      cyclonedx: "**/gl-sbom-*.cdx.json"
```

- Verify that DB records are created as per the requirements.
- Run the advisory scanner and report parser.
- Sample code (Rails console):
```ruby
# Most recent pipeline, i.e. the one that ran the manual-sbom-upload job
pipeline = Ci::Pipeline.last

# Artifact path on the local GDK instance used for this run; substitute your own
path = "/Users/work/gitlab-development-kit/gitlab/shared/artifacts/59/e1/59e19706d51d39f66711c2653cd7eb1291c94d9b55eb14bda74ce4dc636d015a/2024_03_28/2397/1588/gl-sbom.cdx.json"
parsed_data = JSON.parse(File.read(path))

# Parse the CycloneDX SBOM into an SBOM report object
report = Gitlab::Ci::Reports::Sbom::Report.new
Gitlab::Ci::Parsers::Sbom::Cyclonedx.new.parse!(parsed_data.to_json, report)

# Ingest the report together with the pipeline's vulnerability info
vulnerabilities_info = Sbom::Ingestion::Vulnerabilities.new(pipeline)
Sbom::Ingestion::IngestReportService.execute(pipeline, report, vulnerabilities_info)
```
For creating the vulnerability:
```ruby
# Build a possibly-affected component from the most recently ingested SBOM occurrence
occurrence = Sbom::Occurrence.last
affected_components = [
  Gitlab::VulnerabilityScanning::PossiblyAffectedComponent.from_sbom_occurrence(occurrence)
]

# Use a factory-built advisory rather than one from the advisory database
advisory = FactoryBot.build(:vs_advisory)
response = ::Security::VulnerabilityScanning::CreateVulnerabilityService.execute(
  advisory: advisory, affected_components: affected_components
)
```
- Verify that the vulnerabilities are created with `report_type: CONTAINER_SCANNING_FOR_REGISTRY`.
- Go to the GraphQL explorer and run `projectVulnerabilities` and `vulnerabilitySeveritiesCount` with report type `CONTAINER_SCANNING_FOR_REGISTRY`.
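One way to run that last check from the GraphQL explorer, as an added example that is not part of the MR. It assumes the project's full path is `group/project` (a placeholder) and that, as in the public GitLab GraphQL schema, `project.vulnerabilities` and `project.vulnerabilitySeveritiesCount` both accept a `reportType` list argument; the selected fields are likewise taken from that schema.

```graphql
# Added example, not from the MR. "group/project" is a placeholder full path.
query RegistryScanVulnerabilities {
  project(fullPath: "group/project") {
    # Assumed from the GitLab GraphQL schema: reportType takes a list of enum values
    vulnerabilities(reportType: [CONTAINER_SCANNING_FOR_REGISTRY]) {
      nodes {
        id
        title
        severity
        reportType
        state
      }
    }
    vulnerabilitySeveritiesCount(reportType: [CONTAINER_SCANNING_FOR_REGISTRY]) {
      critical
      high
      medium
      low
      info
      unknown
    }
  }
}
```

The vulnerability created through `CreateVulnerabilityService` above should appear in `vulnerabilities.nodes` with `reportType: CONTAINER_SCANNING_FOR_REGISTRY`, and the severity counts should match it. Re-running the same query with `reportType: [CONTAINER_SCANNING]` should return neither, which confirms the new enum value is distinct from the existing container scanning type rather than aliased to it.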
Related to #443821 (closed) and #443824 (closed)
Edited by Aditya Tiwari