Ingest source_package_name as source_package (!142008) · Merge requests · GitLab.org / GitLab

Tetiana Chupryna requested to merge 427095-ingest-source-package-name-v3 into master Jan 17, 2024

What does this MR do and why?

Ingest of source_package_name field from Container scanning Trivy report. We need this to properly match container scanning finding of Trivy scanner with vulnerability occurrences.

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

Screenshots are required for UI changes, and strongly recommended for all other merge requests.

Before	After

How to set up and validate locally

Create a project with next content:

.gitlab-ci.yml

variables:
  CS_IMAGE: 'golang:1.20-alpine'

include:
  - template: Jobs/Container-Scanning.gitlab-ci.yml

Run a pipeline and make sure that container_scanning:cyclonedx report is created

GDK

in Rails console run:

Sbom::SourcePackage.all
Sbom::Occurrence.all

And make sure that the SourcePackage has entries and Occurrence entries related to alpine packages have source_package_id filled in.

Related to #427095 (closed)

Edited Jan 19, 2024 by Tetiana Chupryna

Ingest source_package_name as source_package

What does this MR do and why?

MR acceptance checklist

Screenshots or screen recordings

How to set up and validate locally

GDK

Merge request reports