Add worker to scan newly ingested advisories
Why are we doing this work
After a new advisory is ingested, it needs to be matched against the SBOM component corpus in order to find vulnerable components.
This issue covers the following:
- Publish an EventStore event on ingestion.
- React to that event by triggering a new scan worker.
- Execute the scan service from that worker.
An advisory is ingested after being added to the advisory database, or after being updated. The scan worker and underlying scan service shouldn't assume that the advisory being processed is a new one.
Relevant links
Non-functional requirements
- Documentation: -
- Feature flag: dependency_scanning_on_advisory_ingestion
- Performance: -
- Testing:
Implementation plan
Tasks are all backend:
- Add an EventStore event to publish newly ingested advisories (following https://docs.gitlab.com/ee/development/event_store.html).
  - Add event for newly ingested advisories.
    - Add `PackageMetadata::IngestedAdvisoryEvent` to `app/events/package_metadata/`.
    - The event is an object with a required integer property `advisory_id`.
  - Add event subscriber.
    - Add `PackageMetadata::AdvisoryScanWorker` under https://gitlab.com/gitlab-org/gitlab/-/blob/master/ee/app/workers/package_metadata
    - Includes `Gitlab::EventStore::Subscriber`.
    - Implements `handle_event`.
    - Hydrates `PackageMetadata::Advisory` using `event.advisory_id`.
    - Executes the scanning service implemented in Add service to match new advisory against the S... (#371065 - closed) with `advisory` as argument.
  - Register subscriber.
    - Add `store.subscribe ::PackageMetadata::AdvisoryScanWorker, to: ::PackageMetadata::IngestedAdvisoryEvent` to https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/event_store.rb.
- Emit event on ingestion (this requires more code change and more testing, so it should probably be a separate MR).
  - Update `PackageMetadata::Ingestion::Advisory::AdvisoryIngestionTask` to return the ingested `advisory_ids` by returning the data stored in `@advisory_map` (https://gitlab.com/gitlab-org/gitlab/-/blob/master/ee/app/services/package_metadata/ingestion/advisory/ingestion_service.rb#L25).
  - After ingestion, `PackageMetadata::SyncService` emits one event for each advisory id.
  - Add feature flag `package_metadata_advisory_scans` to emit the event only when enabled.
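The following is an added example, not GitLab's code and not part of this issue: a self-contained Ruby model of the plan above (event with a required integer `advisory_id`, a subscriber worker with `handle_event`, `store.subscribe` registration, and one event per ingested id gated by the `package_metadata_advisory_scans` flag). Everything under the `AdvisoryScanDemo` namespace is an assumption: the in-memory `EventStore` and `Subscriber` stand in for `Gitlab::EventStore`, `ADVISORIES` and `SBOM_COMPONENTS` are constructed data, `AdvisoryScanService` stands in for the service from #371065, and `build_store`/`sync` are demo helpers. Only the class names, the `handle_event` method and the flag name come from the issue.

```ruby
require 'json'

# Added example, not GitLab's code: a minimal model of the EventStore pattern.
module AdvisoryScanDemo
  class InvalidEvent < StandardError; end

  # Event base class: the payload travels as Sidekiq job arguments, so it must be
  # JSON-serialisable and must satisfy the subclass schema (key => type).
  class Event
    attr_reader :data

    def self.schema
      raise NotImplementedError, "#{name} must define schema"
    end

    def initialize(data:)
      self.class.schema.each do |key, type|
        raise InvalidEvent, "#{self.class.name}: missing #{key}" unless data.key?(key)
        raise InvalidEvent, "#{self.class.name}: #{key} must be #{type}" unless data[key].is_a?(type)
      end
      @data = data
    end
  end

  # Carries only the id: the worker re-reads the advisory when it runs, so an
  # advisory updated between publish and execution is scanned in its latest state.
  class IngestedAdvisoryEvent < Event
    def self.schema
      { advisory_id: Integer }
    end
  end

  # Subscriber stand-in: the store hands the worker (event class name, data) as a
  # job would; perform rebuilds the event from JSON round-tripped data and
  # delegates to handle_event, which the worker implements.
  module Subscriber
    def perform(event_type, data)
      event_class = Object.const_get(event_type)
      handle_event(event_class.new(data: JSON.parse(JSON.dump(data), symbolize_names: true)))
    end
  end

  # In-memory store (assumption): subscribe(worker, to: event_class) and publish.
  class EventStore
    def initialize
      @subscriptions = Hash.new { |h, k| h[k] = [] }
    end

    def subscribe(worker_class, to:)
      @subscriptions[to] << worker_class
    end

    # Synchronous stand-in for enqueueing one job per subscriber; returns each
    # subscriber's result so the caller can inspect it.
    def publish(event)
      @subscriptions[event.class].map { |w| w.new.perform(event.class.name, event.data) }
    end
  end

  # Constructed data: advisory rows keyed by id, and a tiny SBOM component corpus.
  ADVISORIES = {
    1 => { id: 1, identifier: 'DEMO-2023-0001', affected: %w[rails] },
    2 => { id: 2, identifier: 'DEMO-2023-0002', affected: %w[nokogiri] }
  }.freeze
  SBOM_COMPONENTS = %w[rails nokogiri puma].freeze

  # Stand-in for the scan service from #371065: returns the components it matches.
  class AdvisoryScanService
    def initialize(advisory)
      @advisory = advisory
    end

    def execute
      SBOM_COMPONENTS.select { |c| @advisory[:affected].include?(c) }
    end
  end

  class AdvisoryScanWorker
    include Subscriber

    # Must not assume the advisory is new: it may be an update, or it may already
    # be gone by the time the job runs, in which case there is nothing to scan.
    def handle_event(event)
      advisory = ADVISORIES[event.data[:advisory_id]]
      return [] if advisory.nil?
      AdvisoryScanService.new(advisory).execute
    end
  end

  # Registration, mirroring store.subscribe Worker, to: Event in event_store.rb.
  def self.build_store
    store = EventStore.new
    store.subscribe(AdvisoryScanWorker, to: IngestedAdvisoryEvent)
    store
  end

  # Stand-in for SyncService: advisory_map maps external identifier => row id
  # (what the ingestion task is to return). When the flag is on, emit one event
  # per id; the result maps each id to the matches its scan produced.
  def self.sync(store, advisory_map, flags)
    return {} unless flags.fetch(:package_metadata_advisory_scans, false)
    advisory_map.values.to_h do |id|
      [id, store.publish(IngestedAdvisoryEvent.new(data: { advisory_id: id })).flatten]
    end
  end
end
```

With the flag on, `AdvisoryScanDemo.sync(store, { 'DEMO-2023-0001' => 1, 'DEMO-2023-0009' => 9 }, { package_metadata_advisory_scans: true })` scans id 1 and returns an empty match list for id 9, whose row no longer exists; with the flag off nothing is emitted. Constructing the event with a string `advisory_id` raises `InvalidEvent`, which is the check that keeps a malformed payload from reaching the worker.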
Verification steps
Edited by Fabien Catteau