Add service and worker to destroy expired SbomScan models
Overall goal
This is a new approach to our Dependency Scanning feature that reuses the GitLab Sbom Vulnerability Scanner developed in the rails platform for scanning SBOM files generated in a CI job. This allows GitLab to centralize the Dependency Scanning feature on a single scanning engine for various scanning contexts. Please see the epic Bring security scan results back into the Depen... (&17150) for more details.
This MR is part of a stacked diff:
- Introduce SbomScan model and Uploader for DS using SBOM (!195058 (merged))
- Add services to create and process SbomScan models (!195059 (merged))
- ➡️ Add service and worker to destroy expired SbomScan models (!195061 (merged))
- Add Sbom Scan API endpoints with direct-upload support (!195062 (merged))
Thus, the complete implementation with all code changes is available in the last MR (!195062 (merged)).
Notes:
- This feature will be released behind the feature flag dependency_scanning_sbom_scan_api, included in the last MR (with the "user facing" API).
- These SBOM scans are only meant to be ephemeral and thus they don't interact with the Vulnerability Management system.
Video recordings
- Introduction and workflow: https://youtu.be/kjlzwhLKZxQ
- MRs walkthrough: https://youtu.be/vFLvOUZOMxA
What does this MR do and why?
This MR introduces the service and worker that handle the deletion of SbomScan records and their associated files on storage. These records are ephemeral and only exist to support the asynchronous workflow: once the client (the analyzer running in a CI job) has downloaded the scan results, there is no longer any reason to keep them. The current TTL is set to 2 days to help with debugging; this could be debated further and possibly lowered. See the issue for the reasoning behind the choice of Sidekiq worker attributes.
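To illustrate the expiry logic described above, here is an added, self-contained Ruby sketch of a TTL-based cleanup service and the cron-style worker that drives it. It is not the MR's own code: the real implementation lives in Rails/Sidekiq with an ActiveRecord model and an uploader, whereas this example stands in a plain Struct, an in-memory fake object store and a `now:` parameter so it runs offline. The 2-day TTL matches the value stated in this MR; the class and method names are assumptions chosen for the example. It also shows two properties a practitioner would want from such a worker: batched deletion (bounded work per run) and idempotent file removal (a re-run after a partial failure does not error on already-deleted files).

```ruby
require 'set'
require 'time'

# Stand-in for the SbomScan record (constructed for this example): the real
# model is an ActiveRecord class with an uploader attached to the file column.
SbomScan = Struct.new(:id, :created_at, :file_key, keyword_init: true)

# In-memory stand-in for object storage. Deleting a key is idempotent, which is
# what lets a retried worker run complete cleanly after a partial failure.
class FakeStorage
  attr_reader :keys

  def initialize(keys)
    @keys = Set.new(keys)
  end

  # Returns true if the key existed, false if it was already gone.
  def delete(key)
    !@keys.delete?(key).nil?
  end
end

# Service: removes every scan whose created_at is older than now - ttl.
# The file is deleted before the record so that a storage failure leaves the
# record in place for the next scheduled run to retry.
class DestroyExpiredSbomScansService
  DEFAULT_TTL = 2 * 24 * 60 * 60 # 2 days, the TTL stated in the MR
  BATCH_SIZE  = 100              # bound the work done per invocation

  def initialize(scans:, storage:, ttl: DEFAULT_TTL, now: Time.now)
    @scans, @storage, @ttl, @now = scans, storage, ttl, now
  end

  def expired
    cutoff = @now - @ttl
    @scans.select { |scan| scan.created_at < cutoff }
  end

  # Returns a summary hash so callers (and tests) can see what happened.
  def execute
    destroyed = 0
    files_removed = 0
    expired.each_slice(BATCH_SIZE) do |batch|
      batch.each do |scan|
        files_removed += 1 if @storage.delete(scan.file_key)
        @scans.delete(scan)
        destroyed += 1
      end
    end
    { destroyed: destroyed, files_removed: files_removed, remaining: @scans.size }
  end
end

# Worker: in the real project this would include ApplicationWorker and be
# scheduled by cron; here it is a plain class that just delegates to the service.
class DestroyExpiredSbomScansWorker
  def initialize(scans:, storage:, now: Time.now)
    @scans, @storage, @now = scans, storage, now
  end

  def perform
    DestroyExpiredSbomScansService.new(scans: @scans, storage: @storage, now: @now).execute
  end
end

# Constructed sample data: one scan clearly past the TTL, one just past it by a
# second, and one recent scan that must survive.
def build_sample_scans(now)
  day = 24 * 60 * 60
  [
    SbomScan.new(id: 1, created_at: now - 3 * day,     file_key: 'sbom/1.json'),
    SbomScan.new(id: 2, created_at: now - 3600,        file_key: 'sbom/2.json'),
    SbomScan.new(id: 3, created_at: now - 2 * day - 1, file_key: 'sbom/3.json')
  ]
end

# Runs the worker twice against the same state to demonstrate idempotency:
# the second run finds nothing expired and touches no files.
def run_demo(now: Time.utc(2025, 6, 10, 12, 0, 0))
  scans   = build_sample_scans(now)
  storage = FakeStorage.new(scans.map(&:file_key))
  worker  = DestroyExpiredSbomScansWorker.new(scans: scans, storage: storage, now: now)
  [worker.perform, worker.perform]
end

if __FILE__ == $PROGRAM_NAME
  first, second = run_demo
  puts "first run:  #{first}"
  puts "second run: #{second}"
end
```

The summary hash distinguishes records destroyed from files actually removed; in production that gap (records whose file was already missing) is the kind of signal worth logging from the worker, since it hints at an earlier interrupted run.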
References
- Issue: Add an API for on-demand Dependency Scanning us... (#542831 - closed)
- Epic: Bring security scan results back into the Depen... (&17150)
How to set up and validate locally
This MR only contains a subset of the code changes required for the feature. Please use the last MR of the stacked diff (!195062 (merged)) to test the feature.
This particular MR's changes can be tested in isolation by checking out the branch, running the DB migration (if not already done with the first MR of the stacked diff (!195058 (merged))) and running the tests:
git checkout ogonzalez-Add-DS-Sbom-Scan-API-47c97932
bin/rails db:migrate:up:main RAILS_ENV=development --trace
# run the specs touched by this MR (bin/rspec is the repository's RSpec wrapper)
bin/rspec ee/spec/models/security/vulnerability_scanning/sbom_scan_spec.rb ee/spec/services/security/vulnerability_scanning/destroy_sbom_scans_service_spec.rb ee/spec/workers/security/vulnerability_scanning/destroy_expired_sbom_scans_worker_spec.rb spec/workers/every_sidekiq_worker_spec.rb
MR acceptance checklist
Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.