Add service to match new advisory against the SBOM component corpus
Why are we doing this work
This work covers the addition of a service responsible for discovering vulnerable SBOM components and adding vulnerabilities to the corresponding projects. This happens after a new security advisory is added to the advisory database, or when its affected range changes.
NOTE: A project might depend on multiple versions of a package, so a newly ingested advisory might match multiple SBOM components of the same project.
Relevant links
Non-functional requirements
- Documentation: Document continuous scans of SBOM components (#416075 - closed)
- Feature flag: dependency_scanning_on_advisory_ingestion
- Performance: Check load of background workers when ingesting new advisories.
- Testing: Unit tests + verification steps
Implementation plan
Prerequisite: Fetch SBOM components that match an advisory (#420042 - closed)
- backend Add AdvisoryScanner to Gitlab::VulnerabilityScanning.
  - For each affected_packages of the advisory:
    - Fetch batch of affected SBOM components (occurrences) using Fetch SBOM components that match an advisory (#420042 - closed).
    - Filter out components that don't match the affected_range using #371995 (closed). Use memory cache.
    - Filter out components that belong to a project that doesn't have the feature enabled.
    - Create vulnerabilities using Vulnerabilities::ContinuousScan::CreateService.
- backend Add CreateVulnerabilityService. This creates a single vulnerability and vulnerability finding for a single affected component detected in a project.
  - Input: project, pipeline, location, affected component, advisory.
  - Build a report finding for the advisory and affected component.
    - If possible, refactor to reuse Vulnerability::FindingBuilder. #371065 (comment 1494210128)
  - Convert report finding to custom finding map (w/o security finding). See #371065 (comment 1493266758)
  - Ingest finding map using Security::Ingestion::IngestReportSliceService.
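As an added illustration (not GitLab's code), the AdvisoryScanner flow above in plain Ruby: constructed advisory and SBOM occurrence data, a toy version-range matcher standing in for #371995 with a memory cache, and a hypothetical per-project set standing in for the feature-flag check.

```ruby
# Added example, not GitLab code: a simplified AdvisoryScanner that walks an advisory's
# affected_packages, matches SBOM occurrences by type and name, filters by affected_range
# (memoised per [range, version]) and by a per-project feature flag, and returns the matches.
require 'set'

Advisory        = Struct.new(:identifier, :affected_packages)
AffectedPackage = Struct.new(:purl_type, :package_name, :affected_range)
Occurrence      = Struct.new(:project_id, :purl_type, :name, :version)

# Constructed sample corpus: project 1 depends on two versions of the same package.
OCCURRENCES = [
  Occurrence.new(1, 'npm', 'lodash', '4.17.15'),
  Occurrence.new(1, 'npm', 'lodash', '4.17.21'),
  Occurrence.new(2, 'npm', 'lodash', '4.17.15'),
  Occurrence.new(2, 'npm', 'minimist', '0.0.8'),
].freeze
FLAG_ENABLED_PROJECTS = Set[1].freeze # hypothetical stand-in for the feature flag check

# Toy range matcher: a range is whitespace-separated ">=X" / "<X" constraints on dotted versions.
def version_affected?(version, range)
  v = version.split('.').map(&:to_i)
  range.split.all? do |constraint|
    op, bound = constraint.match(/\A(>=|<)(.+)\z/).captures
    cmp = v <=> bound.split('.').map(&:to_i)
    op == '>=' ? cmp >= 0 : cmp < 0
  end
end

class AdvisoryScanner
  def initialize(advisory, occurrences = OCCURRENCES, enabled = FLAG_ENABLED_PROJECTS)
    @advisory, @occurrences, @enabled = advisory, occurrences, enabled
    @range_cache = {} # memory cache so each [range, version] pair is evaluated once
  end

  # Returns [project_id, name, version] tuples for which a vulnerability should be created.
  def affected_components
    @advisory.affected_packages.flat_map do |pkg|
      @occurrences
        .select { |o| o.purl_type == pkg.purl_type && o.name == pkg.package_name }
        .select { |o| affected?(o.version, pkg.affected_range) }
        .select { |o| @enabled.include?(o.project_id) }
        .map { |o| [o.project_id, o.name, o.version] }
    end
  end

  private

  def affected?(version, range)
    key = [range, version]
    return @range_cache[key] if @range_cache.key?(key)
    @range_cache[key] = version_affected?(version, range)
  end
end

ADVISORY = Advisory.new('CONSTRUCTED-ID', [AffectedPackage.new('npm', 'lodash', '>=4.0.0 <4.17.21')])
```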
Follow-up issues
- Ingest vulnerabilities from multiple projects at once, to improve performance. #420768 (closed)
- Auto-dismiss: Dismiss an existing vulnerability matching the advisory if the SBOM component version is no longer affected.
Verification steps
We have to tamper with the advisories ingested by the backend to test this, so it can't be tested on production. However, it can be checked on production by adding affected dependencies right before ingesting the corresponding advisory from the GitLab Advisory Database.
On a staging environment:
- Set up a project supported by Dependency Scanning (DS) and with vulnerable dependencies.
- Include the DS CI template, and trigger a pipeline for the default branch.
- Check vulnerabilities created from the report or using SBOM-based dependency scanning findings for def... (&8026 - closed).
  - vulnerability report
  - pipeline page
- Export a new advisory that matches a project dependency. 2 options:
  - Add a new vulnerability to the License DB exports (dev).
  - Prepare an NDJSON export file, and use the instructions to sync offline instances.
- Wait for the ingestion of the new advisory.
- Check vulnerabilities created during the ingestion.
  - vulnerability report
  - pipeline page
  - MR widget if it uses security findings; see Use security_findings for security MR widget re... (#390185)
Auto-Summary (Discoto)
- TOPIC Reuse of the FindingBuilder ⚠ #371065 (comment 1483236612)
- TOPIC Upsert batches of vulnerability findings ⚠ #371065 (comment 1491418051)
- TOPIC Upsert vulnerabilities ✅ #371065 (comment 1492243381)
- TOPIC IngestReportSliceService and custom finding map ✅ #371065 (comment 1493266758)
- TOPIC Potential deadlocks when ingesting vulnerabilities #371065 (comment 1495943793)