Show SBOM ingestion errors on the security tab of the pipeline page
Why are we doing this work
With #364709 (closed), we added the ability for GitLab to ingest CycloneDX SBOMs. Currently, SBOMs are validated and the warnings and errors from schema validation are collected, but there is no way to show those errors to the end user.
In the context of security features, the SBOM data is currently only relevant for Dependency Scanning security scans, and only for Continuous Vulnerability Scans (default branch only). This IMO reduces the value of displaying the parsing errors in the pipeline security tab today and makes this item the lowest in terms of priority. This will be a more relevant need once SBOM-based dependency scanning findings for def... (&8026 - closed) is completed, but that will still only be relevant for pipelines on the default branch. That said, the implementation is likely to be the same as for Show SBOM ingestion errors on the licenses tab ... (#471321 - closed), so it will be pretty cheap to add this.
Relevant links
Non-functional requirements
- Documentation: -
- Feature flag: -
- Performance: -
- Testing:
Implementation plan
- BE (might already be done with #471317 (closed)): Store the ingestion errors for each pipeline in Redis (1 Redis key:value per pipeline) with a TTL of 30 days (to be adjusted if necessary). NB: we could go with storing errors only for the most recent pipeline for the purpose of this issue, but other needs will require having them per pipeline, so we're going with that. This logic can be added to the IngestReportsService like the `set_latest_ingested_sbom_pipeline_id` method call.
- BE: expose the latest SBOM pipeline's `has_errors` boolean value in the pipeline security tab setup data (pipeline_helper.rb).
- FE: load the errors in the Vue.js state for the pipeline security tab and trigger the display of the error messages, if any.
- FE: reuse the dedicated component to display SBOM ingestion errors (implemented in Show SBOM ingestion errors on the project level... (#471317 - closed)).
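A sketch of the backend part of the plan above, added here as an illustration and not GitLab's own code: one Redis key per pipeline holding the serialised schema errors and warnings under a 30-day TTL, plus the `has_errors` boolean that the pipeline helper would put into the security tab setup data. The class names, key layout and the in-memory Redis stand-in (used so the snippet runs offline) are assumptions.

```ruby
require 'json'

# Added example, not GitLab code: per-pipeline SBOM ingestion errors in a
# Redis-like store with a TTL, plus the boolean the security tab needs.
# Class and key names are assumptions for this illustration.
class SbomIngestionErrors
  KEY_PREFIX = 'sbom:ingestion_errors:pipeline'.freeze
  TTL_SECONDS = 30 * 24 * 60 * 60 # 30 days, to be adjusted if necessary

  def initialize(redis)
    @redis = redis
  end

  def key(pipeline_id)
    "#{KEY_PREFIX}:#{pipeline_id}"
  end

  # One key:value per pipeline; errors and warnings from schema validation
  # are stored together so the frontend can render both as messages.
  def store(pipeline_id, errors:, warnings: [])
    payload = JSON.generate('errors' => errors, 'warnings' => warnings)
    @redis.set(key(pipeline_id), payload, ex: TTL_SECONDS)
  end

  def fetch(pipeline_id)
    raw = @redis.get(key(pipeline_id))
    raw ? JSON.parse(raw) : { 'errors' => [], 'warnings' => [] }
  end

  def has_errors?(pipeline_id)
    fetch(pipeline_id)['errors'].any?
  end

  # Shape the pipeline helper would add to the security tab setup data.
  def security_tab_setup_data(pipeline_id)
    { sbom_has_errors: has_errors?(pipeline_id) }
  end
end

# Constructed stand-in for Redis: just enough SET/GET with EX to run offline.
class InMemoryRedis
  def initialize(clock = -> { Time.now.to_f })
    @clock = clock
    @data = {}
  end

  def set(key, value, ex: nil)
    @data[key] = [value, ex && @clock.call + ex]
    'OK'
  end

  def get(key)
    value, expires_at = @data[key]
    value if value && !(expires_at && @clock.call >= expires_at)
  end
end
```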