Skip to content

Add finding builder for Container Scanning

What does this MR do and why?

Build security report findings for sboms generated during a pipeline run.

A similar builder already exists for dependency scanning: https://gitlab.com/gitlab-org/gitlab/-/blob/85e965269aae8e8d01c0ccd0c86df1e47ebaed9f/ee/lib/gitlab/vulnerability_scanning/dependency_scanning/finding_builder.rb

The builders are created in Gitlab::VulnerabilityScanning::ContainerScanning::FindingBuilder which is in turn called from Gitlab::VulnerabilityScanning::SecurityReportBuilder to build a security report with a set of findings based entirely on a pipeline's sbom artifacts.

How to set up and validate locally

Local validation is not useful in this case. This is because the Gitlab::VulnerabilityScanning::ContainerScanning::FindingBuilder introduced in this MR is invoked by the Gitlab::VulnerabilityScanning::SecurityReportBuilder with a list of Gitlab::VulnerabilityScanning::AffectedComponents: https://gitlab.com/gitlab-org/gitlab/-/blob/ffb47d3cfbb3e3c9f765dbf12f79d344acea2527/ee/lib/gitlab/vulnerability_scanning/security_report_builder.rb#L27

But affected components are added in Match Container Scanning SBOM components agains... (#426817 - closed) • Aditya Tiwari • 16.9 • On track (which is blocked by this MR).

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #425365 (closed)

Fixes #431941 (closed)

Edited by Oscar Tovar

Merge request reports

Loading