Add AutoDismissWorker to trigger based on VulnerabilitiesCreatedEvent
What does this MR do and why?
Add AutoDismissWorker with conditional event subscription.
- Extend the `Sbom::VulnerabilitiesCreatedEvent` schema to include an optional `pipeline_id`. `pipeline_id` is used in `AutoDismissService` to generate an activity comment with the link to the pipeline where the vulnerability was dismissed: !214068 (diffs)
- Update the publisher to include `pipeline_id` for findings
- Add `AutoDismissWorker` to trigger policy auto-dismissal for created vulnerabilities
Executing auto-dismissal based on this event should take care of dismissing vulnerabilities created by:
- `Sbom::CreateVulnerabilitiesService`
- `Gitlab::VulnerabilityScanning::AdvisoryScanner`
For vulnerabilities created from `Security::Ingestion::IngestReportsService`, we will need to add another step there directly in the service, as there's no event published. This follows the same pattern as `auto_resolve`, which is called via `MarkAsResolvedService` here.
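The following is an added, self-contained Ruby illustration of the flow described above (an event with an optional `pipeline_id`, a worker subscribed to it under a condition, and a dismissal service that records which pipeline the dismissal came from). It is not GitLab's code: `ToyEventStore`, the schema check, `AutoDismissService`, the in-memory vulnerability table and the policy identifier list are all stand-ins constructed here so the example runs offline; the real implementation lives in the MRs linked in this description.

```ruby
# Added illustration, not GitLab's code. Toy stand-ins for the event store,
# the event schema check, the worker and the dismissal service.

module ToyEventStore
  # Base event: subclasses declare required keys and per-key types.
  class Event
    attr_reader :data

    def self.required; [] end
    def self.properties; {} end

    def initialize(data:)
      @data = data
      validate!
    end

    private

    # Minimal schema check: required keys must be present; optional keys
    # (such as pipeline_id) are only type-checked when they are present.
    def validate!
      missing = self.class.required - data.keys
      raise ArgumentError, "missing keys: #{missing.join(', ')}" unless missing.empty?

      self.class.properties.each do |key, type|
        next unless data.key?(key)
        raise ArgumentError, "#{key} must be a #{type}" unless data[key].is_a?(type)
      end
    end
  end

  # Store with conditional subscriptions: a subscriber only runs when its
  # condition (if given) returns true for the published event.
  class Store
    Subscription = Struct.new(:subscriber, :condition)

    def initialize
      @subscriptions = Hash.new { |h, k| h[k] = [] }
    end

    def subscribe(subscriber, to:, condition: nil)
      @subscriptions[to] << Subscription.new(subscriber, condition)
    end

    def publish(event)
      @subscriptions[event.class].each do |sub|
        next if sub.condition && !sub.condition.call(event)
        sub.subscriber.handle_event(event)
      end
    end
  end
end

# pipeline_id is optional so publishers that do not set it keep working.
class VulnerabilitiesCreatedEvent < ToyEventStore::Event
  def self.required; %w[project_id vulnerability_ids] end
  def self.properties
    { 'project_id' => Integer, 'vulnerability_ids' => Array, 'pipeline_id' => Integer }
  end
end

# Toy service: dismisses vulnerabilities whose identifier matches the policy and
# leaves an activity comment naming the pipeline when one is known.
class AutoDismissService
  def initialize(vulnerabilities:, policy_identifiers:, pipeline_id: nil)
    @vulnerabilities = vulnerabilities
    @policy_identifiers = policy_identifiers
    @pipeline_id = pipeline_id
  end

  # Returns the ids that were dismissed.
  def execute(ids)
    ids.select do |id|
      vuln = @vulnerabilities[id]
      next false unless vuln && @policy_identifiers.include?(vuln[:identifier])

      vuln[:state] = :dismissed
      vuln[:comments] << (@pipeline_id ? "Auto-dismissed by policy in pipeline ##{@pipeline_id}" : 'Auto-dismissed by policy')
      true
    end
  end
end

class AutoDismissWorker
  def initialize(vulnerabilities:, policy_identifiers:)
    @vulnerabilities = vulnerabilities
    @policy_identifiers = policy_identifiers
  end

  def handle_event(event)
    AutoDismissService.new(vulnerabilities: @vulnerabilities,
                           policy_identifiers: @policy_identifiers,
                           pipeline_id: event.data['pipeline_id'])
                      .execute(event.data['vulnerability_ids'])
  end
end

# Constructed scenario: two freshly created vulnerabilities, one matching the
# policy. The subscription condition stands in for a feature-flag gate.
def run_scenario(pipeline_id: nil, feature_enabled: true)
  vulnerabilities = {
    1 => { identifier: 'CVE-2022-32224', state: :detected, comments: [] },
    2 => { identifier: 'CVE-2020-0001',  state: :detected, comments: [] }
  }
  worker = AutoDismissWorker.new(vulnerabilities: vulnerabilities, policy_identifiers: ['CVE-2022-32224'])
  store = ToyEventStore::Store.new
  store.subscribe(worker, to: VulnerabilitiesCreatedEvent, condition: ->(_event) { feature_enabled })

  data = { 'project_id' => 7, 'vulnerability_ids' => [1, 2] }
  data['pipeline_id'] = pipeline_id if pipeline_id
  store.publish(VulnerabilitiesCreatedEvent.new(data: data))
  vulnerabilities
end
```

Two points worth checking in the real change follow from the toy: an event published without `pipeline_id` must still validate and still dismiss (the comment simply omits the pipeline link), and a subscription whose condition is false must leave the vulnerabilities untouched rather than dismiss them silently.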
References
Screenshots or screen recordings
How to set up and validate locally
1. Apply changes from !214986 (merged) to include the store subscription.
2. In the Rails console, enable the feature flag:

   ```ruby
   Feature.enable(:auto_dismiss_vulnerability_policies)
   ```

3. Create a project.
4. Create an auto-dismiss policy:

   ```yaml
   vulnerability_management_policy:
     - name: Auto-dismiss test vulnerabilities
       description: Automatically dismiss vulnerabilities in test directories
       enabled: true
       rules:
         - type: detected
           criteria:
             - type: file_path
               value: spec/**/*_spec.rb
         - type: detected
           criteria:
             - type: identifier
               value: CVE-2022-32224
       actions:
         - type: auto_dismiss
           dismissal_reason: used_in_tests
   ```

5. Add a `.gitlab-ci.yml` with Dependency Scanning:

   ```yaml
   include:
     - template: Jobs/Dependency-Scanning.v2.gitlab-ci.yml
   ```

6. Add a `Gemfile.lock` in the `main` branch (`rails 7.0.0` is affected by the `CVE-2022-32224` identifier used in the policy above):

   ```
   GEM
     remote: https://rubygems.org/
     specs:
       actioncable (7.0.0)
         actionpack (= 7.0.0)
         activesupport (= 7.0.0)
         nio4r (~> 2.0)
         websocket-driver (>= 0.6.1)
       actionmailbox (7.0.0)
         actionpack (= 7.0.0)
         activejob (= 7.0.0)
         activerecord (= 7.0.0)
         activestorage (= 7.0.0)
         activesupport (= 7.0.0)
         mail (>= 2.7.1)
       actionmailer (7.0.0)
         actionpack (= 7.0.0)
         actionview (= 7.0.0)
         activejob (= 7.0.0)
         activesupport (= 7.0.0)
         mail (~> 2.5, >= 2.5.4)
         rails-dom-testing (~> 2.0)
       actionpack (7.0.0)
         actionview (= 7.0.0)
         activesupport (= 7.0.0)
         rack (~> 2.0, >= 2.2.0)
         rack-test (>= 0.6.3)
         rails-dom-testing (~> 2.0)
         rails-html-sanitizer (~> 1.0, >= 1.2.0)
       actiontext (7.0.0)
         actionpack (= 7.0.0)
         activerecord (= 7.0.0)
         activestorage (= 7.0.0)
         activesupport (= 7.0.0)
         globalid (>= 0.6.0)
         nokogiri (>= 1.8.5)
       actionview (7.0.0)
         activesupport (= 7.0.0)
         builder (~> 3.1)
         erubi (~> 1.4)
         rails-dom-testing (~> 2.0)
         rails-html-sanitizer (~> 1.1, >= 1.2.0)
       activejob (7.0.0)
         activesupport (= 7.0.0)
         globalid (>= 0.3.6)
       activemodel (7.0.0)
         activesupport (= 7.0.0)
       activerecord (7.0.0)
         activemodel (= 7.0.0)
         activesupport (= 7.0.0)
       activestorage (7.0.0)
         actionpack (= 7.0.0)
         activejob (= 7.0.0)
         activerecord (= 7.0.0)
         activesupport (= 7.0.0)
         marcel (~> 1.0)
         mini_mime (>= 1.1.0)
       activesupport (7.0.0)
         concurrent-ruby (~> 1.0, >= 1.0.2)
         i18n (>= 1.6, < 2)
         minitest (>= 5.1)
         tzinfo (~> 2.0)
       base64 (0.3.0)
       builder (3.3.0)
       concurrent-ruby (1.3.5)
       crass (1.0.6)
       date (3.4.1)
       erubi (1.13.1)
       globalid (1.3.0)
         activesupport (>= 6.1)
       i18n (1.14.7)
         concurrent-ruby (~> 1.0)
       loofah (2.24.1)
         crass (~> 1.0.2)
         nokogiri (>= 1.12.0)
       mail (2.8.1)
         mini_mime (>= 0.1.1)
         net-imap
         net-pop
         net-smtp
       marcel (1.1.0)
       method_source (1.1.0)
       mini_mime (1.1.5)
       minitest (5.26.0)
       net-imap (0.5.12)
         date
         net-protocol
       net-pop (0.1.2)
         net-protocol
       net-protocol (0.2.2)
         timeout
       net-smtp (0.5.1)
         net-protocol
       nio4r (2.7.4)
       nokogiri (1.18.10-aarch64-linux-gnu)
         racc (~> 1.4)
       nokogiri (1.18.10-aarch64-linux-musl)
         racc (~> 1.4)
       nokogiri (1.18.10-arm-linux-gnu)
         racc (~> 1.4)
       nokogiri (1.18.10-arm-linux-musl)
         racc (~> 1.4)
       nokogiri (1.18.10-arm64-darwin)
         racc (~> 1.4)
       nokogiri (1.18.10-x86_64-darwin)
         racc (~> 1.4)
       nokogiri (1.18.10-x86_64-linux-gnu)
         racc (~> 1.4)
       nokogiri (1.18.10-x86_64-linux-musl)
         racc (~> 1.4)
       racc (1.8.1)
       rack (2.2.20)
       rack-test (2.2.0)
         rack (>= 1.3)
       rails (7.0.0)
         actioncable (= 7.0.0)
         actionmailbox (= 7.0.0)
         actionmailer (= 7.0.0)
         actionpack (= 7.0.0)
         actiontext (= 7.0.0)
         actionview (= 7.0.0)
         activejob (= 7.0.0)
         activemodel (= 7.0.0)
         activerecord (= 7.0.0)
         activestorage (= 7.0.0)
         activesupport (= 7.0.0)
         bundler (>= 1.15.0)
         railties (= 7.0.0)
       rails-dom-testing (2.3.0)
         activesupport (>= 5.0.0)
         minitest
         nokogiri (>= 1.6)
       rails-html-sanitizer (1.6.2)
         loofah (~> 2.21)
         nokogiri (>= 1.15.7, != 1.16.7, != 1.16.6, != 1.16.5, != 1.16.4, != 1.16.3, != 1.16.2, != 1.16.1, != 1.16.0.rc1, != 1.16.0)
       railties (7.0.0)
         actionpack (= 7.0.0)
         activesupport (= 7.0.0)
         method_source
         rake (>= 12.2)
         thor (~> 1.0)
         zeitwerk (~> 2.5)
       rake (13.3.0)
       thor (1.4.0)
       timeout (0.4.3)
       tzinfo (2.0.6)
         concurrent-ruby (~> 1.0)
       websocket-driver (0.8.0)
         base64
         websocket-extensions (>= 0.1.0)
       websocket-extensions (0.1.5)
       zeitwerk (2.7.3)

   PLATFORMS
     aarch64-linux-gnu
     aarch64-linux-musl
     arm-linux-gnu
     arm-linux-musl
     arm64-darwin
     x86_64-darwin
     x86_64-linux-gnu
     x86_64-linux-musl

   DEPENDENCIES
     rails (= 7.0.0)

   BUNDLED WITH
      2.7.1
   ```

7. Wait until the pipeline on `main` finishes.
8. Open the Vulnerability Report, remove the default state filter (dismissed vulnerabilities are hidden by default), and verify that the vulnerability reported for `Gemfile.lock` that matches `CVE-2022-32224` got dismissed and that it has an activity comment stating the details, including the link to the pipeline.
MR acceptance checklist
Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Related to #581377
