Upload SBOMs/CSAF files flow

[carlosthe19916]

We currently have a way of importing files using the importer e.g. https://github.com/trustification/trustify/blob/main/importer/src/csaf/mod.rs#L47

What are your thoughts in regards of importing data through a REST Endpoint? What would be the flow? e.g.

• File is uploaded => processed => ingested into the DB. All in one single step (thread+request)?
• OR are we going to follow the other approach we applied in trustification: File is uploaded => file stored into s3 => some event is fired => file is ingested

I know my description above is quite vague, but I'd just like to understand where we stand in regards of the Upload Flow. I'm asking because I'm interested in giving the creation of the "advisories" rest endpoints a try and "uploading" them is one of them.

[ctron]

We do have the importers right now. They directly write into the database, using an existing Rust "service" style functionally.

I think it would make sense to have a "single file upload" as well, going through some kind of HTTP based API.

I also think that, long term, we should internalize the importer, and have them managed through the core system. Having the configuration and state reflected in the database too. Exposing their state on the UI.

[bobmcwhirter]

In my mind, I'd ideally like the "eat my SBOM" to be an atomic blocking operation. Avoid async queue'ing and delays.

So...

1. Upload file
2. ..something spins while it's being chewed on
3. after chewing, it gets sent to cold-storage $somewhere (S3? Filesystem? git repo?)
4. Immediately reflected in any UI operations performed after upload is complete.