Add support for security findings into pipeline security tab
Why are we doing this work
There is a need for displaying sbom-based security findings on the pipeline security tab.
Unlike #490333 (Update MR widget to consider sbom based securit...), this one would require sbom-related security findings to be fetched as part of the findings_finder, which implies that Security::Finding would be persisted. Therefore, the ingestion might require changes around store_grouped_scans_service and store_scans_service in order to have sbom report data ingested. Another possible approach is to load the sbom data as a security report and reuse the whole of the existing ingestion flow as is.
Relevant links
Non-functional requirements
Documentation: -
Feature flag: -
Performance: -
Testing:
Potential solution (based on this PoC)
The implementation for this issue will probably fit somewhere between adding cyclonedx 100% into the security reports logic (parser, job artifacts, etc.) and replicating everything that is done for security reports for sbom reports.
This PoC falls somewhere in the middle: it updates some of the existing ingestion logic to include cyclonedx reports, the two existing related GraphQL endpoints and their respective frontend code.
Implementation plan
MR 1: Update security_report_builder to gather vulnerabilities for affected packages
- See diff for concept.
MR 2: Trigger vulnerability creation on SBOM ingestion when FF is enabled.
- Add FF dependency_scanning_for_pipelines_with_cyclonedx_reports
- Update the #security_reports scope to include cyclonedx in the allowed file types when the FF is enabled.
- Update the #security_report method so that it converts cyclonedx reports to a security report using the updated security_report_builder.
- Update the security report file types.
- Update the GraphQL types and the related constants.
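The plan above has three moving parts: a feature flag that gates whether cyclonedx counts as a security report file type, a builder that turns the SBOM components into findings by looking them up against the PMDB, and a stable identity per finding so re-ingestion does not duplicate Security::Finding rows. The following Ruby sketch is an added, standalone illustration of that flow and is not GitLab's code: the flag store is a plain hash rather than the Feature API, PMDB_ADVISORIES is a constructed advisory table keyed by versionless purl, the CycloneDX document is constructed, and the finding shape is a simplified version of a dependency scanning report entry. The function names (security_report_file_types, build_security_report_from_cyclonedx, split_purl) are hypothetical.

```ruby
require 'json'
require 'digest'

# Feature flag name from the implementation plan; the flag store is a constructed
# hash passed in by the caller, not GitLab's Feature API.
CYCLONEDX_FF = 'dependency_scanning_for_pipelines_with_cyclonedx_reports'.freeze

def feature_enabled?(flags, name = CYCLONEDX_FF)
  flags.fetch(name, false)
end

# Existing report types; 'cyclonedx' is only admitted when the flag is on, which is
# what the #security_reports scope change in MR 2 amounts to.
BASE_SECURITY_REPORT_FILE_TYPES = %w[sast dependency_scanning container_scanning].freeze

def security_report_file_types(flags)
  return BASE_SECURITY_REPORT_FILE_TYPES unless feature_enabled?(flags)

  BASE_SECURITY_REPORT_FILE_TYPES + ['cyclonedx']
end

# Constructed stand-in for the PMDB: versionless purl => advisories with the
# exact versions they affect (real advisories carry version ranges).
PMDB_ADVISORIES = {
  'pkg:npm/lodash' => [
    { 'identifier' => 'EXAMPLE-ADV-0001', 'affected_versions' => %w[4.17.15 4.17.20],
      'severity' => 'high', 'title' => 'Constructed advisory for lodash' }
  ],
  'pkg:npm/express' => [
    { 'identifier' => 'EXAMPLE-ADV-0002', 'affected_versions' => %w[4.17.0],
      'severity' => 'medium', 'title' => 'Constructed advisory for express' }
  ]
}.freeze

# Constructed CycloneDX 1.4 document; only lodash is on an affected version.
SAMPLE_CYCLONEDX = <<~JSON.freeze
  {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
      { "type": "library", "name": "lodash",  "version": "4.17.20", "purl": "pkg:npm/lodash@4.17.20" },
      { "type": "library", "name": "express", "version": "4.18.2",  "purl": "pkg:npm/express@4.18.2" },
      { "type": "library", "name": "core",    "version": "7.22.0",  "purl": "pkg:npm/%40babel/core@7.22.0" }
    ]
  }
JSON

# Split a purl into its versionless key and version; a purl without a version
# yields a nil version. rpartition keeps scoped npm names (encoded as %40) intact.
def split_purl(purl)
  base, sep, version = purl.to_s.rpartition('@')
  return [purl, nil] if sep.empty?

  [base, version.split(/[?#]/, 2).first] # drop purl qualifiers / subpath
end

# One finding per (advisory, purl). The uuid is a stable digest so ingesting the
# same SBOM twice resolves to the same Security::Finding instead of a duplicate.
def build_finding(component, advisory, purl)
  {
    'uuid' => Digest::SHA256.hexdigest("#{advisory['identifier']}|#{purl}"),
    'name' => advisory['title'],
    'severity' => advisory['severity'],
    'identifiers' => [{ 'type' => 'advisory', 'value' => advisory['identifier'] }],
    'location' => {
      'dependency' => { 'package' => { 'name' => component['name'] }, 'version' => component['version'] }
    },
    'source' => 'cyclonedx'
  }
end

# Convert a CycloneDX document into a dependency_scanning-style report by looking
# each component up in the advisory table. Returns nil when the flag is off so the
# caller falls through to the existing non-SBOM path; malformed JSON yields an
# empty report with an error rather than aborting ingestion of the other reports.
def build_security_report_from_cyclonedx(raw_json, advisories:, flags:)
  return nil unless feature_enabled?(flags)

  doc = JSON.parse(raw_json)
  raise ArgumentError, 'not a CycloneDX document' unless doc['bomFormat'] == 'CycloneDX'

  findings = Array(doc['components']).flat_map do |component|
    key, version = split_purl(component['purl'])
    next [] if key.nil? || version.nil?

    Array(advisories[key])
      .select { |adv| adv['affected_versions'].include?(version) }
      .map { |adv| build_finding(component, adv, component['purl']) }
  end

  { 'type' => 'dependency_scanning', 'findings' => findings.uniq { |f| f['uuid'] } }
rescue JSON::ParserError => e
  { 'type' => 'dependency_scanning', 'findings' => [], 'error' => "invalid CycloneDX JSON: #{e.message}" }
end

if __FILE__ == $PROGRAM_NAME
  report = build_security_report_from_cyclonedx(SAMPLE_CYCLONEDX, advisories: PMDB_ADVISORIES,
                                                                  flags: { CYCLONEDX_FF => true })
  puts JSON.pretty_generate(report)
end
```

Running the script with the flag on prints a report with a single lodash finding; with an empty flag hash the builder returns nil, which is the behaviour the verification steps below check from the UI side (the same report produces no findings in a project where the FF is disabled). The exact-version match against the constructed table is the simplification here; the real PMDB lookup resolves version ranges.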
Verification steps
- Enable the FF for project/group
- Run a job in an MR that uploads a CycloneDX report.
- The report must have components that have a corresponding vulnerability in the PMDB.
- Navigate to the Security tab for the pipeline, and verify that the vulnerabilities for CVS are displayed.
- In a separate project with the FF disabled, run a job in an MR that uploads the same CycloneDX report as before.
- Navigate to the Security tab for the pipeline, and verify that the vulnerabilities for CVS are not displayed.