Update package metadata ingestion to add sync for cargo data
Problem to solve
Since 16.11, license-db infrastructure exports cargo license data. In order to support cargo licenses in the monolith, package metadata ingestion should be updated to sync this data.
Proposal
Update the monolith to add sync for cargo package metadata and enable this package registry type for GitLab.com.
Implementation plan
- Create a migration to update the package_metadata_purl_types application setting for GitLab.com to enable cargo (Add cargo purl_type to application setting (!156072 - merged) • Igor Frenkel • 17.2)
- Update sync_config (Add cargo purl_type to package_metadata sync (!155751 - merged) • Igor Frenkel • 17.1)
- Add cargo to the purl type to registry id mapping
- Update SyncConfiguration.advisory_configs to filter out cargo as a permitted purl type (cargo currently (as of %17.0) does not have an advisory source). This turned out to be a no-op since non-matching configs are ignored.
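As an added illustration (not GitLab's code and not part of this issue), the following Ruby model shows the three moving parts above together: a purl type to registry id mapping with cargo added, an application-setting-style allow list of purl types that gates the sync, and per-data-type sync configs that drop any purl type the export has no source for. The registry ids, the set of purl types and the EXPORT_SOURCES layout are constructed for the example; the point it demonstrates is why explicitly excluding cargo from the advisory configs is a no-op when cargo has no advisory source.

```ruby
# Added example, not GitLab code: a minimal model of per-purl-type package
# metadata sync. Mapping values and the export layout are constructed here.
require 'set'

# Hypothetical purl type -> registry id mapping; the ids are made up.
PURL_TYPE_TO_REGISTRY_ID = {
  'npm'   => 1,
  'pypi'  => 2,
  'gem'   => 3,
  'cargo' => 4 # added: cargo now has a registry id
}.freeze

# Stand-in for the package_metadata_purl_types application setting:
# only listed purl types are synced, so cargo must appear here to be synced.
DEFAULT_ENABLED_PURL_TYPES = Set.new(PURL_TYPE_TO_REGISTRY_ID.keys).freeze

# Constructed picture of what the license-db export provides per data type.
# Cargo exports licenses but has no advisory source.
EXPORT_SOURCES = {
  'licenses'   => Set.new(%w[npm pypi gem cargo]),
  'advisories' => Set.new(%w[npm pypi gem])
}.freeze

SyncConfig = Struct.new(:data_type, :purl_type, :registry_id)

# Look up the registry id for a purl type; raises KeyError for unknown types.
def registry_id_for(purl_type)
  PURL_TYPE_TO_REGISTRY_ID.fetch(purl_type)
end

# Build the sync configs for one data type: one config per permitted purl
# type, but only where the export actually has a source for it. Configs with
# no matching source are dropped, which is what makes an explicit cargo
# exclusion for advisories a no-op.
def sync_configs(data_type, permitted_purl_types = DEFAULT_ENABLED_PURL_TYPES)
  available = EXPORT_SOURCES.fetch(data_type)
  PURL_TYPE_TO_REGISTRY_ID.filter_map do |purl_type, registry_id|
    next unless permitted_purl_types.include?(purl_type)
    next unless available.include?(purl_type)

    SyncConfig.new(data_type, purl_type, registry_id)
  end
end

# Convenience: just the purl types that would be synced for a data type.
def synced_purl_types(data_type, permitted = DEFAULT_ENABLED_PURL_TYPES)
  sync_configs(data_type, permitted).map(&:purl_type)
end

if __FILE__ == $PROGRAM_NAME
  puts "licenses:   #{synced_purl_types('licenses').inspect}"
  puts "advisories: #{synced_purl_types('advisories').inspect}"
  without_cargo = DEFAULT_ENABLED_PURL_TYPES - ['cargo']
  same = synced_purl_types('advisories', without_cargo) == synced_purl_types('advisories')
  puts "excluding cargo from advisories is a no-op: #{same}"
end
```

Running the script prints cargo among the license purl types but not among the advisory ones, and reports that removing cargo from the permitted set leaves the advisory configs unchanged. The same model also shows the verification a practitioner would want for the application setting: with cargo absent from the permitted set, no cargo license config is produced either, so the setting, not just the mapping, has to include cargo for the sync to pick it up.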
Verification steps
- Generate a cargo test project (under tests) which can be used to verify the presence of licenses for cargo sbom components. This will be more relevant for the follow-up issues: Add CI/CD component for generating sboms for ca... (#466406 - closed) and Add sbom generation capability for cargo in dep... (#465107 - closed)
Edited by Igor Frenkel