Fetch SBOM components that match an advisory
Why are we doing this work
In order to add vulnerabilities for a newly ingested advisory, we need to fetch all the SBOM components that match that advisory, in all projects.
Further details
- Join `Sbom::Occurrence` and `Sbom::Component` to select all SBOM components that match a PURL type and package name.
- Also join `Sbom::ComponentVersion` to get the `version`, and match it against the affected range.
- Also join `Sbom::Source` to extract the input file from the `source`. See `DependencyScanning::FindingBuilder`.
- Return all the information needed to filter and create the vulnerability finding: `project`, `pipeline`, `input_file`, `purl_type`, `package_name`, and `version`.
NOTE: A project might depend on multiple versions of a package, so a newly ingested advisory might match multiple SBOM components of the same project. The fetcher must return one row per matching occurrence rather than one per project.
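The join described above, and the multiple-versions-per-project case in the NOTE, as an added in-memory illustration. This is example code written for this page, not GitLab's fetcher or any of the `Sbom::*` models; the row structs mirror the model names used in the issue, but the column names (`purl_type`, `name`, `version`, `input_file_path`, `project_id`, `pipeline_id`) and the sample rows are assumptions constructed for the example. `Gem::Requirement` stands in for the per-ecosystem affected-range semantics, which the real advisory data would dictate.

```ruby
# Added example, not GitLab code. Column names and sample rows are assumed.
require 'rubygems'

Component        = Struct.new(:id, :purl_type, :name)
ComponentVersion = Struct.new(:id, :component_id, :version)
Source           = Struct.new(:id, :input_file_path)
Occurrence       = Struct.new(:project_id, :pipeline_id, :component_id,
                              :component_version_id, :source_id)
Advisory         = Struct.new(:purl_type, :package_name, :affected_range)

# One row per matching occurrence: everything the finding builder needs.
Match = Struct.new(:project_id, :pipeline_id, :input_file,
                   :purl_type, :package_name, :version)

# Constructed sample data. Project 1 depends on two versions of the gem
# "rails" via two lockfiles; project 2 has the npm package of the same
# name, which must NOT match a gem advisory.
COMPONENTS = [
  Component.new(1, 'gem', 'rails'),
  Component.new(2, 'gem', 'nokogiri'),
  Component.new(3, 'npm', 'rails')
]
COMPONENT_VERSIONS = [
  ComponentVersion.new(10, 1, '6.1.3'),
  ComponentVersion.new(11, 1, '7.0.4'),
  ComponentVersion.new(12, 2, '1.13.0'),
  ComponentVersion.new(13, 3, '0.9.0')
]
SOURCES = [
  Source.new(100, 'Gemfile.lock'),
  Source.new(101, 'engines/admin/Gemfile.lock'),
  Source.new(102, 'package-lock.json')
]
OCCURRENCES = [
  Occurrence.new(1, 500, 1, 10, 100), # project 1, rails 6.1.3
  Occurrence.new(1, 500, 1, 11, 101), # project 1, rails 7.0.4 (second version)
  Occurrence.new(1, 500, 2, 12, 100), # project 1, nokogiri
  Occurrence.new(2, 600, 1, 11, 100), # project 2, rails 7.0.4
  Occurrence.new(2, 600, 3, 13, 102)  # project 2, npm "rails"
]

# Range check. Gem::Requirement is a stand-in: real advisories need the
# comparison rules of the package's own ecosystem (PURL type).
def affected?(version, range)
  constraints = range.split(',').map(&:strip)
  Gem::Requirement.new(*constraints).satisfied_by?(Gem::Version.new(version))
rescue ArgumentError
  false # an unparsable version is skipped rather than matched
end

# Equivalent of joining Sbom::Occurrence -> Sbom::Component,
# Sbom::ComponentVersion and Sbom::Source, filtered by the advisory.
def fetch_matching_components(advisory, occurrences: OCCURRENCES,
                              components: COMPONENTS,
                              versions: COMPONENT_VERSIONS,
                              sources: SOURCES)
  components_by_id = components.to_h { |c| [c.id, c] }
  versions_by_id   = versions.to_h   { |v| [v.id, v] }
  sources_by_id    = sources.to_h    { |s| [s.id, s] }

  occurrences.filter_map do |occ|
    component = components_by_id.fetch(occ.component_id)
    # PURL type AND name: same name in another ecosystem is a different package.
    next unless component.purl_type == advisory.purl_type &&
                component.name == advisory.package_name

    version = versions_by_id.fetch(occ.component_version_id).version
    next unless affected?(version, advisory.affected_range)

    Match.new(occ.project_id, occ.pipeline_id,
              sources_by_id.fetch(occ.source_id).input_file_path,
              component.purl_type, component.name, version)
  end
end

if __FILE__ == $PROGRAM_NAME
  advisory = Advisory.new('gem', 'rails', '>= 6.0.0, < 7.0.5')
  fetch_matching_components(advisory).each { |m| puts m.to_a.join(' | ') }
end
```

Running the block prints three rows: two for project 1 (6.1.3 and 7.0.4, from different lockfiles) and one for project 2, with the npm `rails` occurrence excluded by its PURL type. That one-row-per-occurrence shape is what lets the finding builder create a distinct finding per affected version and input file.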
Relevant links
Non-functional requirements
- [-] Documentation
- [-] Feature flag
- Performance:
- Testing: add specs
Implementation plan
Add fetcher class. TBD.
Verification steps
- Verified as part of Add service to match new advisory against the S... (#371065 - closed).
- Verified here.
Edited by Adam Cohen