Add finding builder for Container Scanning
What does this MR do and why?
Build security report findings for SBOMs generated during a pipeline run.
A similar builder already exists for dependency scanning: https://gitlab.com/gitlab-org/gitlab/-/blob/85e965269aae8e8d01c0ccd0c86df1e47ebaed9f/ee/lib/gitlab/vulnerability_scanning/dependency_scanning/finding_builder.rb
The builders are created in Gitlab::VulnerabilityScanning::ContainerScanning::FindingBuilder, which is in turn called from Gitlab::VulnerabilityScanning::SecurityReportBuilder to build a security report with a set of findings based entirely on a pipeline's SBOM artifacts.
How to set up and validate locally
Local validation is not useful in this case. This is because the Gitlab::VulnerabilityScanning::ContainerScanning::FindingBuilder introduced in this MR is invoked by the Gitlab::VulnerabilityScanning::SecurityReportBuilder with a list of Gitlab::VulnerabilityScanning::AffectedComponents: https://gitlab.com/gitlab-org/gitlab/-/blob/ffb47d3cfbb3e3c9f765dbf12f79d344acea2527/ee/lib/gitlab/vulnerability_scanning/security_report_builder.rb#L27
But affected components are added in Match Container Scanning SBOM components agains... (#426817 - closed), which is blocked by this MR.
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Related to #425365 (closed)
Fixes #431941 (closed)