Resolve Starboard vulnerabilities after scan
We want to implement Cluster image scanning vulnerability resolution.
- The Create Starboard vulnerability internal API endpoint now responds with the newly created vulnerability finding UUID.
- The Agent collects these UUIDs.
- After having created all vulnerabilities, it sends all collected UUIDs to the new Resolve Starboard vulnerabilities internal API endpoint.
How to set up and validate locally
- Create a fresh project and commit an agent configuration:
  # .gitlab/agents/gke/config.yaml
  starboard:
    vulnerability_report:
      filters:
        - namespaces:
            - test-namespace
- I tunneled my local KAS with ngrok.io; other tunnels work just as well if there's no connectivity between cluster and KAS.
- Register an agent to the project and deploy it. Then patch the Deployment's image and --kas-address:
@@ -37,7 +37,7 @@ spec
- args:
- --token-file=/config/token
- --kas-address
- - grpc://127.0.0.1:8150
+ - grpc://8.tcp.ngrok.io:11439
env:
- name: POD_NAMESPACE
valueFrom:
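Review bot: the replacement address `grpc://8.tcp.ngrok.io:11439` keeps the plaintext `grpc://` scheme while moving the endpoint from loopback to a public tunnel host, so the agent token read via `--token-file=/config/token` now leaves the cluster unencrypted on its way to KAS. That is acceptable for a throwaway test project, but the description should say so, and anyone reusing the setup for longer should put TLS on the tunnel and switch the address to the `grpcs://` scheme.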
@@ -49,7 +49,7 @@ spec:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
- image: registry.gitlab.com/gitlab-org/cluster-integration/gitlab-agent/agentk:stable
+ image: registry.gitlab.com/gitlab-org/cluster-integration/gitlab-agent/agentk:3bc5634
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 3
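Review bot: `agentk:3bc5634` pins the test image to a short commit SHA of an unreleased agentk build with nothing saying where it comes from. Link the gitlab-agent change that produced this tag (the agent side that collects the UUIDs and calls the new resolve endpoint) so reviewers can confirm they are validating against the matching implementation, and replace the SHA with the released version once it ships.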
- Apply the vulnerabilityreports CRD (unless Starboard is already installed in the cluster):
  kubectl apply -f https://raw.githubusercontent.com/aquasecurity/starboard/main/deploy/crd/vulnerabilityreports.crd.yaml
- Apply a vulnerabilityreport that contains one vulnerability and, in a Rails console, confirm the vulnerability exists in detected state:
  kubectl apply -f https://gitlab.com/-/snippets/2254927/raw/main/test-report-1.yaml
  pry(main)> Project.last.vulnerabilities.pluck(:state)
  => ["detected"]
- Apply another vulnerabilityreport that contains one additional vulnerability:
  kubectl apply -f https://gitlab.com/-/snippets/2254927/raw/main/test-report-2.yaml
  pry(main)> Project.last.vulnerabilities.reload.pluck(:state)
  => ["detected", "detected"]
- Apply another vulnerabilityreport that does not contain the first vulnerability:
  kubectl apply -f https://gitlab.com/-/snippets/2254927/raw/main/test-report-3.yaml
  pry(main)> Project.last.vulnerabilities.reload.pluck(:state)
  => ["resolved", "detected"]
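The create-collect-resolve contract from the description, and the three-step validation above, as an added Ruby example that is not GitLab's code and not part of this MR. It models the two internal API endpoints in memory so the state transitions can be run offline; the names VulnerabilityStore, process_scan, run_validation_sequence and the report contents are hypothetical, and the assumption that a finding is identified by (name, image) and that a scan cycle covers every vulnerabilityreport present in the cluster is the example's, not the page's.

```ruby
require 'securerandom'
require 'set'

# Added example (not GitLab's code): an in-memory model of the contract the MR
# describes. Class and method names are hypothetical; the reports are constructed.
class VulnerabilityStore
  Finding = Struct.new(:uuid, :name, :image, :state)

  def initialize
    @findings = {} # uuid => Finding, insertion ordered like the pry output
  end

  # "Create Starboard vulnerability" endpoint: returns the finding UUID.
  # Assumption: a finding is identified by (name, image), so re-reporting an
  # existing one returns its UUID (and re-detects it) instead of duplicating it.
  def create(name:, image:)
    existing = @findings.values.find { |f| f.name == name && f.image == image }
    if existing
      existing.state = 'detected' if existing.state == 'resolved' # reappeared
      return existing.uuid
    end
    uuid = SecureRandom.uuid
    @findings[uuid] = Finding.new(uuid, name, image, 'detected')
    uuid
  end

  # "Resolve Starboard vulnerabilities" endpoint: a detected finding whose UUID
  # is absent from the scan's UUID set is no longer in the cluster, so it moves
  # to resolved. Already resolved findings are left alone.
  def resolve_missing(present_uuids)
    present = present_uuids.to_set
    @findings.each_value do |f|
      f.state = 'resolved' if f.state == 'detected' && !present.include?(f.uuid)
    end
    states
  end

  def states
    @findings.values.map(&:state)
  end
end

# Agent side: one scan cycle creates a finding per vulnerability in every
# vulnerabilityreport, keeps the UUIDs the API returns, and only then sends the
# whole set to the resolve endpoint. Resolving after each report instead would
# wrongly resolve findings that belong to a report processed earlier.
def process_scan(store, reports)
  uuids = reports.flat_map do |report|
    report[:vulnerabilities].map { |v| store.create(name: v[:name], image: report[:image]) }
  end
  store.resolve_missing(uuids)
end

# Constructed reports mirroring the validation steps: cycle 1 sees only A,
# cycle 2 sees A and B, cycle 3 no longer sees A.
REPORT_A = { image: 'example.test/app:1', vulnerabilities: [{ name: 'VULN-A' }] }
REPORT_B = { image: 'example.test/app:1', vulnerabilities: [{ name: 'VULN-B' }] }
SCAN_CYCLES = [[REPORT_A], [REPORT_A, REPORT_B], [REPORT_B]].freeze

# Returns the project's vulnerability states after each scan cycle.
def run_validation_sequence
  store = VulnerabilityStore.new
  SCAN_CYCLES.map { |reports| process_scan(store, reports) }
end

if __FILE__ == $PROGRAM_NAME
  run_validation_sequence.each { |states| p states }
end
```

Running the file prints the same three state arrays the Rails console shows above. The point the model makes explicit is the ordering: the agent must finish every create call and collect all returned UUIDs before calling resolve once, because the resolve endpoint treats absence from the set as evidence the vulnerability is gone.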
Edited by Dominic Bauer