UNCLASSIFIED - NO CUI


Add manifest-cyber-upload job

Matthew Scott requested to merge 2090-manifest-cyber into master

Description

Addresses Issue #2090

Added a new manifest-cyber-upload job to the 4-findings stage.

This job takes the CycloneDX SBOM output by the anchore-scan job and uploads it to Manifest Cyber for analysis. The job outputs a vulnerability report in JSON format.

New CICD vars:
- ENABLE_MANIFEST_CYBER - toggle for the job.
- MANIFEST_CYBER_TOKEN - API token for interacting with Manifest Cyber.

Multiple Manifest Cyber API routes are used to retrieve all data for a particular vulnerability. This can probably be refactored once Manifest Cyber releases the /dependency/stackByVulnerability?assetId=your-asset-id&cveId=all endpoint (it's currently in pre-release and unavailable to the public).

Sample Manifest Cyber Vulnerability report

Risk

Minimal risk. The manifest-cyber-upload job is allowed to fail in the pipeline and only runs when enabled by ENABLE_MANIFEST_CYBER.

Rollback Plan

Disable the manifest-cyber-upload job by setting the ENABLE_MANIFEST_CYBER env var to an empty string.

Testing

Mario UBI 8 Zelda UBI 9 Zelda Trigger

Edited by Matthew Scott
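The description above states the job's contract (stage 4-findings, consumes the anchore-scan SBOM, gated by ENABLE_MANIFEST_CYBER, allowed to fail, emits a JSON report). The following GitLab CI job is an added illustration of how those properties fit together; it is not the merge request's own code. The SBOM path, the report filename, the API URL variable and the upload script are assumptions, since the page does not show them.

```yaml
# Added example, not the pipeline's own definition. Shows the shape a job with
# the properties listed in the MR description would have.
manifest-cyber-upload:
  stage: 4-findings
  # Consume the CycloneDX SBOM artifact produced by anchore-scan.
  needs:
    - job: anchore-scan
      artifacts: true
  rules:
    # A GitLab `if` rule treats an unset or empty variable as false, so setting
    # ENABLE_MANIFEST_CYBER to "" (the stated rollback plan) removes the job
    # from the pipeline entirely.
    - if: '$ENABLE_MANIFEST_CYBER'
  # Upload problems must not block the pipeline (matches the stated risk model).
  allow_failure: true
  variables:
    # Assumed filenames; the real ones come from the anchore-scan job and the
    # upload script, neither of which is shown on this page.
    SBOM_PATH: "${CI_PROJECT_DIR}/sbom-cyclonedx.json"
    REPORT_PATH: "${CI_PROJECT_DIR}/manifest-cyber-report.json"
  script:
    # Fail fast and loudly if the gate is on but the token was never provided;
    # with allow_failure this still surfaces as a warning rather than a silent
    # "success" with no report.
    - test -n "$MANIFEST_CYBER_TOKEN" || { echo "MANIFEST_CYBER_TOKEN is not set"; exit 1; }
    - test -s "$SBOM_PATH" || { echo "SBOM not found at $SBOM_PATH"; exit 1; }
    # Hypothetical wrapper around the Manifest Cyber API calls; the page only
    # says several routes are combined per vulnerability, not which ones.
    - ./manifest-cyber-upload.sh --sbom "$SBOM_PATH" --out "$REPORT_PATH"
  artifacts:
    when: always
    paths:
      - manifest-cyber-report.json
    expire_in: 1 week
```

MANIFEST_CYBER_TOKEN should be stored as a masked (and, where the project layout allows, protected) CI/CD variable so it never appears in job logs; the script above only checks for its presence and leaves the value to the upload tool.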
