Call MarkAsResolvedService after an SBOM security scan

What does this MR do and why?

Ensure that the previously created vulnerabilities are marked as no longer detected if the last SBOM scan did not report them.

This service was only called by the generic Security Reports ingestion system. However, the new SBOM-based scanning approach for our Category:Software Composition Analysis and Category:Container Scanning features no longer relies on these artifacts to report vulnerabilities.

Instead, the Sbom::CreateVulnerabilitiesService is responsible for generating findings and must mimic the behavior of the generic process. This includes executing some post ingestion tasks like marking no longer detected vulnerabilities on the default branch.

A single pipeline can contain multiple SBOM reports of various source types. We must call the MarkAsResolvedService for each report type separately to avoid inadvertently marking vulnerabilities as no longer detected.
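The per-report-type scoping described above, as an added illustration that is not GitLab's code (all names and the sample data are hypothetical and constructed): a pipeline that only ran a dependency-scanning SBOM must not resolve container-scanning vulnerabilities it never looked at.

```ruby
require 'set'

# Hypothetical stand-in for a vulnerability record on the default branch.
Vulnerability = Struct.new(:id, :report_type, :resolved_on_default_branch, keyword_init: true)

# Given the vulnerabilities currently open on the default branch and the ids
# the pipeline's SBOM scans reported, keyed by report type, return the ids
# that should be marked as no longer detected.
#
# Only report types that actually produced a scan in this pipeline are
# considered, and each is compared only against its own detected ids.
def ids_to_mark_resolved(existing, detected_ids_by_report_type)
  detected_ids_by_report_type.flat_map do |report_type, detected_ids|
    detected = detected_ids.to_set
    existing
      .select { |v| v.report_type == report_type && !v.resolved_on_default_branch }
      .reject { |v| detected.include?(v.id) }
      .map(&:id)
  end
end

# Unscoped variant, for contrast: everything absent from the union of all
# reports is resolved, regardless of whether its report type was scanned.
def ids_to_mark_resolved_unscoped(existing, detected_ids_by_report_type)
  detected = detected_ids_by_report_type.values.flatten.to_set
  existing
    .reject { |v| v.resolved_on_default_branch || detected.include?(v.id) }
    .map(&:id)
end

# Constructed sample data: two dependency-scanning and two container-scanning
# vulnerabilities, one of which is already resolved.
EXISTING = [
  Vulnerability.new(id: 1, report_type: :dependency_scanning, resolved_on_default_branch: false),
  Vulnerability.new(id: 2, report_type: :dependency_scanning, resolved_on_default_branch: false),
  Vulnerability.new(id: 3, report_type: :container_scanning, resolved_on_default_branch: false),
  Vulnerability.new(id: 4, report_type: :container_scanning, resolved_on_default_branch: true)
].freeze

# Only a dependency-scanning SBOM ran in this pipeline; it still reports 1 but not 2.
DETECTED = { dependency_scanning: [1] }.freeze

if __FILE__ == $PROGRAM_NAME
  p ids_to_mark_resolved(EXISTING, DETECTED)          # => [2]
  p ids_to_mark_resolved_unscoped(EXISTING, DETECTED) # => [2, 3], wrongly resolves 3
end
```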

See the stacked diff MRs (created with the GitLab CLI):

  1. Return ids of created vulnerabilities with SBOM... (!179115 - merged) • Olivier Gonzalez • 17.9
  2. Allow MarkAsResolvedService to scope by report ... (!179117 - merged) • Olivier Gonzalez • 17.9
  3. ➡️ Call MarkAsResolvedService after an SBOM securi... (!179119 - merged) • Olivier Gonzalez, Oscar Tovar • 17.9

This MR introduces the mark_resolved_vulnerabilities_with_sbom_scans Feature Flag (gitlab_com_derisk type). The rollout issue is: [Feature flag] Rollout of `mark_resolved_vulner... (#515627 - closed) • Olivier Gonzalez, Oscar Tovar • 17.10 • At risk

References

Please include cross links to any resources that are relevant to this MR. This will give reviewers and future readers helpful context to give an efficient review of the changes introduced.

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

Demo:

How to set up and validate locally

  1. Enable the sbom scanning feature flag.
    Feature.enable(:dependency_scanning_for_pipelines_with_cyclonedx_reports)
  2. Clone https://gitlab.com/gitlab-org/secure/tests/olivier/mark-vulnerabilities-resolved-sbom-scan on your GDK
  3. Enable the mark_resolved_vulnerabilities_with_sbom_scans feature flag using the rails console ('gdk rails c')
    Feature.enable(:mark_resolved_vulnerabilities_with_sbom_scans, Project.last)
  4. Run a pipeline on the default branch
  5. Check the vulnerability is reported on the vulnerability report
  6. Update the .gitlab-ci.yml file to point the artifact to the fixed SBOM file and commit/push to the default branch:
    sbom:
      script: echo "foo"
      artifacts:
        reports:
    -     cyclonedx: "vulnerable-sbom.json"
    +     cyclonedx: "fixed-sbom.json"
  7. Wait for the new pipeline to run (must be on the default branch) and confirm the vulnerability is marked as no longer detected on the vulnerability report.
Edited by Oscar Tovar
