Container Scanning: CVS Trigger scans on Trivy DB changes
### Problem to Solve
As a Security Engineer, I want to get visibility into vulnerabilities resulting from container scanning as quickly as possible, so that I can ensure my organization addresses critical vulnerabilities in a timely manner.
Today, identifying new vulnerabilities requires users to run new jobs to rescan projects. This creates unnecessary steps and delays when users need to quickly understand whether they are impacted by a specific vulnerability. This can be especially problematic when critical zero-day vulnerabilities, such as [Log4Shell](https://en.wikipedia.org/wiki/Log4Shell) (log4j) need to be addressed.
Additionally, customers want to ensure that they are addressing critical container image-related vulnerabilities in all of their projects, whether the projects are actively being maintained or not. This currently requires customers to run scheduled scans at a predefined interval, which leads to delays in detecting new vulnerabilities and creates a pileup of issues developers and security teams will have to address.
### Intended Users
* [Delaney (Development Team Lead)](https://about.gitlab.com/handbook/product/personas/#delaney-development-team-lead)
* [Sasha (Software Developer)](https://about.gitlab.com/handbook/product/personas/#sasha-software-developer)
* [Dakota (Application Development Director)](https://about.gitlab.com/handbook/product/personas/#dakota-application-development-director)
* [Amy (Application Security Engineer)](https://about.gitlab.com/handbook/product/personas/#amy-application-security-engineer)
* [Alex (Security Operations Engineer)](https://about.gitlab.com/handbook/product/personas/#alex-security-operations-engineer)
### User Experience Goal
For MVC, CVS for container scanning will be enabled by default (16.6). After it is enabled, users:
- will see new vulnerabilities appear in the Vulnerability Report anytime a component in their project is identified as vulnerable. This means for stale projects that haven't had container scans run recently, new vulnerabilities will appear. In other cases, new vulnerabilities will appear because new threat data has been added to the [Advisories DB](https://advisories.gitlab.com/).
- can determine (in the Vulnerability Report) whether the vulnerability was identified when the scanner initially ran, or if it appeared later, when the advisory (vulnerability) database was updated with new information.
Additional features will further enable users to more efficiently identify critical vulnerabilities that need to be remediated including:
- [Enhanced Triage Experience for Dependencies and Vulnerabilities](https://gitlab.com/groups/gitlab-org/-/epics/10091 "Enhanced triage experience for dependencies and vulnerabilities") (particularly the ability to search for specific vulnerabilities) (Q1 2024)
- [Notification emails for newly added vulnerabilities](https://gitlab.com/gitlab-org/gitlab/-/issues/370054 "Notification emails for newly added vulnerabilities") (Q2 2024)
---
## MVC Scope
This epic focuses on delivering the Minimal Viable Change to deliver Continuous Vulnerability Scans for Container Scanning. Further improvements will be addressed in https://gitlab.com/groups/gitlab-org/-/epics/10174+
### Must Have
- CVS for container scanning is opt-in for early access
- CVS for container scanning is enabled by default for all ultimate customers once GA
- When new advisory data appears in the advisory DB pertaining to a component that is included in a user's default branch, that new vulnerability appears in the user's Vulnerability Report.
- All SBOM components matching the name and in version range of the new advisories (triggered after advisory ingestion). https://gitlab.com/groups/gitlab-org/-/epics/10025
### Not in Scope
- [Email or Slack notifications](https://gitlab.com/gitlab-org/gitlab/-/issues/370054 "Notification emails for newly added vulnerabilities") when new vulnerabilities are identified
- Ability to [search and identify every project that contains a newly discovered vulnerability](https://gitlab.com/groups/gitlab-org/-/epics/10091 "Enhanced triage experience for dependencies and vulnerabilities")
- SBOM components matching a pipeline (triggered after SBOM ingestion). https://gitlab.com/groups/gitlab-org/-/epics/8026 ([included in post-MVC epic](https://gitlab.com/groups/gitlab-org/-/epics/10133 "Continuous Vulnerability Scans for DS Post MVC Follow-up"))
---
## Engineering DRI
`@hacks4oats`
## Execution Plan
1. [x] https://gitlab.com/gitlab-org/gitlab/-/issues/425995+s
https://gitlab.com/gitlab-org/gitlab/-/merge_requests/134427+s.
2. [x] https://gitlab.com/gitlab-org/gitlab/-/issues/427095+s
Can be started independently of other issues.
1. [x] https://gitlab.com/gitlab-org/gitlab/-/issues/428681+s
Requires https://gitlab.com/gitlab-org/gitlab/-/issues/427095+s to be started first because it relies on a migration to be created for a new `sbom_source_packages` table which contains a `sbom_source_packages.name` field. This migration has now been completed as part of https://gitlab.com/gitlab-org/gitlab/-/merge_requests/140539+s, which means that https://gitlab.com/gitlab-org/gitlab/-/issues/428681+ can be worked on in parallel.
3. [x] https://gitlab.com/gitlab-org/gitlab/-/issues/427961+s
For the initial implementation, we'll only support `deb` purl types. `apk` and `rpm` will be added as follow-up issues, however, `apk` support can also be worked on at the same time as `deb` support as part of https://gitlab.com/gitlab-org/gitlab/-/issues/428703+s.
4. [x] https://gitlab.com/gitlab-org/gitlab/-/issues/427953+s
This issue is blocked by https://gitlab.com/gitlab-org/gitlab/-/issues/427961+s, however, it can be started independently and the `SemverDialects::VersionChecker.version_sat?` method call can be stubbed.
5. [x] https://gitlab.com/gitlab-org/gitlab/-/issues/429119+s
This issue is blocked by https://gitlab.com/gitlab-org/gitlab/-/issues/397550+s.
6. [x] https://gitlab.com/gitlab-org/gitlab/-/issues/425365+s
This issue is not blocked by any other issues and can be started immediately.
7. [x] https://gitlab.com/gitlab-org/gitlab/-/issues/426817+s
This issue depends on https://gitlab.com/gitlab-org/gitlab/-/issues/427953+s, however, both of these issues can be worked on in parallel.
_This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc._
<!-- triage-serverless v3 PLEASE DO NOT REMOVE THIS SECTION -->
*This page may contain information related to upcoming products, features and functionality.
It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes.
Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.*
<!-- triage-serverless v3 PLEASE DO NOT REMOVE THIS SECTION -->
epic