Create artifact report type for SBOM files
Why are we doing this work
1. Update gemnasium to output CycloneDX SBOMs (#350509 - closed) added support for outputting cyclonedx-<package-type>-<package-manager>.json. These cyclonedx-<package-type>-<package-manager>.json files are output automatically when including the Dependency-Scanning.gitlab-ci.yml template, as implemented in Add CycloneDX reports to DS template (!80693 - merged).
The purpose of this issue is to create a new Artifact report for these CycloneDX SBOM files, using a structure similar to artifacts:reports:coverage_report, for example:

```yaml
artifacts:
  reports:
    sbom:
      format: cyclonedx
      paths:
        - gl-sbom-*.cdx.json
```
Relevant link
This is part of a wider epic to add SBOM ingestion: &8024 (closed)
Non-functional requirements
- Documentation: tbd
- Feature flag: tbd
- Performance: tbd
- Testing: tbd
Proposal
Add an sbom report type so that sbom artifacts can be saved to the database and processed by a background worker.
Implementation Plan
- (weight: 3) backend: update the following components to add an sbom report type
  - (weight: 3) update CI reports to add an sbom:format keyword (using the coverage_report:coverage_format MR as a guide)
  - (weight: 3) backend: add Gitlab::Ci::Config::Entry::Reports::Sbom to https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/config/entry/reports specifying the format and path keys
- (weight: 2) documentation: update the report types documentation to add sbom: https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html
- (weight: 2) backend: update the JSON schema to include validation for the new report type
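As an added example (not GitLab's own entry class or schema) of the validation the plan above asks for on the sbom entry, this stand-alone Ruby checks the proposed format and paths keys and shows which produced files the globs would collect. The allowed-format list, the relative-path rule and the function names are assumptions; the sample job YAML is constructed from the structure shown in this issue.

```ruby
# Added example, not GitLab code: validates the proposed artifacts:reports:sbom entry.
require 'yaml'

# Assumption: cyclonedx is the only format accepted initially (see the issue's example).
ALLOWED_SBOM_FORMATS = %w[cyclonedx].freeze

# Returns an array of error strings; an empty array means the entry is valid.
def validate_sbom_report(entry)
  return ['sbom report must be a hash'] unless entry.is_a?(Hash)
  errors = []
  format = entry['format']
  if format.nil?
    errors << 'format is required'
  elsif !ALLOWED_SBOM_FORMATS.include?(format.to_s)
    errors << "format must be one of #{ALLOWED_SBOM_FORMATS.join(', ')}"
  end
  paths = entry['paths']
  if !paths.is_a?(Array) || paths.empty?
    errors << 'paths must be a non-empty array of strings'
  elsif paths.any? { |p| !p.is_a?(String) || p.strip.empty? }
    errors << 'paths entries must be non-empty strings'
  elsif paths.any? { |p| p.start_with?('/') || p.split('/').include?('..') }
    # Assumption: artifact globs must stay inside the job's working directory.
    errors << 'paths must be relative and must not contain ".."'
  end
  errors
end

# Validates the sbom entry of a whole job definition given as YAML text.
def validate_job_sbom(yaml_text)
  entry = YAML.safe_load(yaml_text).dig('artifacts', 'reports', 'sbom')
  return ['artifacts:reports:sbom is missing'] if entry.nil?
  validate_sbom_report(entry)
end

# Which produced files the entry's globs would collect as SBOM artifacts.
def matching_sbom_artifacts(entry, filenames)
  filenames.select { |f| entry['paths'].any? { |glob| File.fnmatch(glob, f) } }
end

# Constructed sample job using the structure proposed in this issue.
EXAMPLE_SBOM_JOB = <<~YAML
  artifacts:
    reports:
      sbom:
        format: cyclonedx
        paths:
          - gl-sbom-*.cdx.json
YAML
```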
Edited by Igor Frenkel