Store Container Scanning image and operating system in sbom_sources table
Proposal
When parsing Dependency Scanning SBOM files, we extract additional details from the metadata.properties section using the Gitlab::Ci::Parsers::Sbom::Source::DependencyScanning class. For example, we extract the gitlab:dependency_scanning:input_file:path and gitlab:dependency_scanning:package_manager:name values from the following JSON (excerpt):
```json
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "serialNumber": "urn:uuid:8d0184df-02ba-4e44-9fe0-981669bc13e4",
  "version": 1,
  "metadata": {
    "timestamp": "2023-08-10T15:10:20Z",
    "properties": [
      {
        "name": "gitlab:dependency_scanning:input_file:path",
        "value": "conan.lock"
      },
      {
        "name": "gitlab:dependency_scanning:package_manager:name",
        "value": "conan"
      },
```
and store them in the sbom_sources table:

| id  | created_at                    | updated_at                    | source_type | source                                                                       |
|-----|-------------------------------|-------------------------------|-------------|------------------------------------------------------------------------------|
| 292 | 2023-08-04 19:11:45.952074+00 | 2023-08-07 20:57:22.575588+00 | 0           | {"input_file": {"path": "conan.lock"}, "package_manager": {"name": "conan"}} |
For Container Scanning SBOM files, we need to figure out how to store additional information as well, such as the image and operating_system that were used to generate the SBOM.
Implementation Plan
Note: Add taxonomy for Container Scanning namespace (#426355 - closed) and Output GitLab metadata properties in Container ... (#426356 - closed) must be completed before this issue.
- Add a new Gitlab::Ci::Parsers::Sbom::Source::ContainerScanning class, similar to Gitlab::Ci::Parsers::Sbom::Source::DependencyScanning. This class is responsible for storing the metadata.properties added by Output GitLab metadata properties in Container ... (#426356 - closed) in the sbom_sources table:
  - gitlab:container_scanning:image:name
  - gitlab:container_scanning:image:tag
  - gitlab:container_scanning:operating_system:name
  - gitlab:container_scanning:operating_system:version
- Update the sbom_source.json schema to accept the new gitlab:container_scanning properties added in step 1 above.
- Add unit tests to ensure the above details are stored in the sbom_sources table.
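As an added illustration of step 1 (example code, not GitLab's own parser), the following Ruby extracts the four gitlab:container_scanning:* properties from a CycloneDX SBOM's metadata.properties and builds the nested hash that would go into the source column. The sample SBOM is constructed; it also includes a dependency_scanning property and an unexpected container_scanning key to show that only the allow-listed properties are stored.

```ruby
require 'json'

# Added example (not GitLab's own code): build the sbom_sources.source value
# for Container Scanning from a CycloneDX SBOM's metadata.properties.
module ContainerScanningSourceExample
  PREFIX = 'gitlab:container_scanning:'.freeze
  # Only these keys are accepted; unknown keys are dropped so a malformed or
  # attacker-controlled SBOM cannot push arbitrary keys into the source column
  # (the sbom_source.json schema remains the second line of defence).
  ALLOWED = %w[image:name image:tag operating_system:name operating_system:version].freeze

  # Returns e.g. {"image"=>{"name"=>..,"tag"=>..}, "operating_system"=>{..}}
  # or nil when the SBOM carries no container scanning properties.
  def self.source_from_sbom(json)
    sbom = JSON.parse(json)
    props = sbom.dig('metadata', 'properties') || []
    source = {}
    props.each do |prop|
      name = prop['name'].to_s
      next unless name.start_with?(PREFIX)
      key = name.delete_prefix(PREFIX)
      next unless ALLOWED.include?(key)
      value = prop['value']
      next unless value.is_a?(String) && !value.empty?
      section, field = key.split(':', 2)   # "image:tag" -> ["image", "tag"]
      (source[section] ||= {})[field] = value
    end
    source.empty? ? nil : source
  end
end

# Constructed sample SBOM (not output of a real scan).
SAMPLE_SBOM = <<~SBOM
  {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {
      "properties": [
        {"name": "gitlab:container_scanning:image:name", "value": "alpine"},
        {"name": "gitlab:container_scanning:image:tag", "value": "3.18"},
        {"name": "gitlab:container_scanning:operating_system:name", "value": "alpine"},
        {"name": "gitlab:container_scanning:operating_system:version", "value": "3.18.4"},
        {"name": "gitlab:dependency_scanning:input_file:path", "value": "conan.lock"},
        {"name": "gitlab:container_scanning:unexpected:key", "value": "ignored"}
      ]
    }
  }
SBOM

if __FILE__ == $PROGRAM_NAME
  puts JSON.generate(ContainerScanningSourceExample.source_from_sbom(SAMPLE_SBOM))
end
```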