Rename CycloneDX files in gemnasium analyzers to follow specification

Proposal

Based on the File naming discussion here, we decided that in order to adhere to the Recognized file patterns in the CycloneDX specification, we should update the naming convention for CycloneDX files produced by the gemnasium analyzers and switch from cyclonedx-<package-type>-<package-manager>.json to gl-sbom-<package-type>-<package-manager>.cdx.json. The purpose of this issue is to implement that change.

Implementation plan

  1. Update gemnasium

    1. Update the setOutputFilePath function to use gl-sbom-<package-type>-<package-manager>.cdx.json:

      - fileName := fmt.Sprintf("cyclonedx-%s-%s.json", sbom.PackageType, sbom.PackageManager)
      + fileName := fmt.Sprintf("gl-sbom-%s-%s.cdx.json", sbom.PackageType, sbom.PackageManager)
    2. Update the names of all the cyclonedx-*.json files in the qa/expect dir to gl-sbom-<package-type>-<package-manager>.cdx.json.

    3. Update the components[].files.path references in the following sbom-manifest.json files to use the new gl-sbom-*.cdx.json filename:

    4. Update all the cyclonedx-*.json references in the image specs in gemnasium to use gl-sbom-<package-type>-<package-manager>.cdx.json:

    5. Update the reference to cyclonedx-*.json in the image test job to use gl-sbom-<package-type>-<package-manager>.cdx.json:

      artifacts:
        when: always
        paths:
          - tmp/qa-*/fixtures/**/gl-dependency-scanning-report.json
      -   - tmp/qa-*/fixtures/**/cyclonedx-*.json
      +   - tmp/qa-*/fixtures/**/gl-sbom-*.cdx.json
          - tmp/qa-*/fixtures/**/sbom-manifest.json
    6. Rename the EXPECTED_CYCLONEDX_ARTIFACTS to gl-sbom-*.cdx.json in the following QA integration tests:

    Implemented in the following MR: Rename cyclonedx files (gitlab-org/security-products/analyzers/gemnasium!346 - merged)

  2. Update all the cyclonedx-*.json references to use gl-sbom-<package-type>-<package-manager>.cdx.json in the integration-test project:

    Implemented in the following MR: Rename cyclonedx files in docs and examples (gitlab-org/security-products/analyzers/integration-test!30 - merged)

  3. Update the Dependency-Scanning.gitlab-ci.yml template and the Dependency Scanning docs

    1. Update the Dependency-Scanning.gitlab-ci.yml template to use gl-sbom-*.cdx.json:

      artifacts:
        paths:
      -   - "**/cyclonedx-*.json"
      +   - "**/gl-sbom-*.cdx.json"
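Review bot: replacing the glob outright means a pipeline that picks up the new template while still running an analyzer image that writes cyclonedx-*.json (or the reverse) collects no CycloneDX artifact at all, and nothing in the job fails to signal it. Since the Risks section accepts the break, at least call it out in the template MR description; the lower-friction option is to list both globs ("**/cyclonedx-*.json" and "**/gl-sbom-*.cdx.json") for one release and drop the old one afterwards.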
    2. Update the Dependency Scanning docs and replace references to cyclonedx-*.json with gl-sbom-<package-type>-<package-manager>.cdx.json.

    Implemented in the following MR: Rename cyclonedx artifact in DS template (!90870 - merged)
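The steps above boil down to one naming rule: the analyzer writes gl-sbom-<package-type>-<package-manager>.cdx.json, and every glob that collects or checks artifacts has to match the .cdx.json suffix that the CycloneDX "Recognized file patterns" section lists (bom.json and *.cdx.json for JSON). The following Go program is an added example, not gemnasium's code or the MRs linked here; only the fmt.Sprintf format strings are taken from this issue. It builds the new and the legacy file names, checks a path against the recognized patterns with the same glob semantics the CI paths rely on, and sorts a constructed list of artifact paths into recognized, legacy (still on the old convention) and unrelated files, which is the check a consumer of these reports would want while both conventions are in circulation. The helper names and the sample paths are assumptions.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// JSON file patterns listed under "Recognized file patterns" in the CycloneDX
// specification. The legacy cyclonedx-*.json name matches neither of them.
var recognizedJSONPatterns = []string{"bom.json", "*.cdx.json"}

// sbomOutputFileName builds the name the gemnasium analyzers write after the
// change (same format string as the updated setOutputFilePath in this issue).
func sbomOutputFileName(packageType, packageManager string) string {
	return fmt.Sprintf("gl-sbom-%s-%s.cdx.json", packageType, packageManager)
}

// legacyOutputFileName builds the pre-change name, kept here only so that
// consumers can recognise reports produced by older analyzer images.
func legacyOutputFileName(packageType, packageManager string) string {
	return fmt.Sprintf("cyclonedx-%s-%s.json", packageType, packageManager)
}

// isRecognizedCycloneDXName reports whether the last path element matches one
// of the recognized CycloneDX JSON patterns. filepath.Match uses the same
// single-segment "*" semantics as the globs in the CI artifact paths.
func isRecognizedCycloneDXName(path string) bool {
	base := filepath.Base(path)
	for _, pattern := range recognizedJSONPatterns {
		if ok, _ := filepath.Match(pattern, base); ok {
			return true
		}
	}
	return false
}

// isLegacyGemnasiumName reports whether the file still follows the old
// cyclonedx-*.json convention (hypothetical helper, not part of gemnasium).
func isLegacyGemnasiumName(path string) bool {
	base := filepath.Base(path)
	return strings.HasPrefix(base, "cyclonedx-") &&
		strings.HasSuffix(base, ".json") &&
		!strings.HasSuffix(base, ".cdx.json")
}

// classifyArtifacts splits collected artifact paths into recognized CycloneDX
// files, legacy-named files that should be renamed, and everything else.
func classifyArtifacts(paths []string) (recognized, legacy, other []string) {
	for _, p := range paths {
		switch {
		case isRecognizedCycloneDXName(p):
			recognized = append(recognized, p)
		case isLegacyGemnasiumName(p):
			legacy = append(legacy, p)
		default:
			other = append(other, p)
		}
	}
	return recognized, legacy, other
}

func main() {
	// Constructed sample paths in the layout the QA job globs over; not taken
	// from a real pipeline run.
	sample := []string{
		"tmp/qa-1/fixtures/" + sbomOutputFileName("gem", "bundler"),
		"tmp/qa-1/fixtures/" + legacyOutputFileName("npm", "npm"),
		"tmp/qa-1/fixtures/gl-dependency-scanning-report.json",
		"tmp/qa-1/fixtures/sbom-manifest.json",
	}
	recognized, legacy, other := classifyArtifacts(sample)
	fmt.Println("recognized CycloneDX:", recognized)
	fmt.Println("legacy name, rename to *.cdx.json:", legacy)
	fmt.Println("not CycloneDX:", other)
}
```

Because only the base name is matched, the same check works for the qa/expect fixtures, the tmp/qa-*/fixtures tree and the "**/" globs in the template; the "**/" part is handled by the caller walking the tree, not by the pattern.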

Risks

This is a breaking change; however, the CycloneDX Software Bill of Materials is a beta feature and "the reports are subject to change during the beta period", so we should be free to change this without worrying about impacting anyone.

Edited by Adam Cohen