
Add classes for fetching SBOM components

Adam Cohen requested to merge 384536-retrieve-sbom-components-for-pipeline into master

What does this MR do and why?

This MR adds the following new classes:

  • Gitlab::LicenseScanning::PipelineComponents which takes a pipeline as input.
  • Gitlab::LicenseScanning::BranchComponents which takes a project and branch_ref as input.

These classes fetch and parse the SBOM artifact from the pipeline, and return an array of Hashie::Mash objects which contain the following fields:

  • name
  • version
  • purl_type

The classes introduced in this MR are required by the new license scanning implementation that is a part of &9400 (closed). This new approach relies on SBoM components instead of a license scanning report and will allow us to remove the need for a separate license scanning job. Specifically, the classes will be used to complete the implementation of ::Gitlab::LicenseScanning::SbomScanner which in turn will be used in place of ::Gitlab::LicenseScanning::ArtifactScanner once the FF associated with the epic is rolled out.
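To make the fetch-and-parse step concrete, here is an added example (not code from this MR or from GitLab) that parses a constructed CycloneDX JSON SBOM and returns components with the same three fields. It assumes the artifact is CycloneDX JSON, derives `purl_type` from the `pkg:<type>/` prefix of each component's purl, and uses a plain `Struct` in place of `Hashie::Mash` so it runs with no extra gems.

```ruby
require 'json'

# Constructed sample SBOM artifact (assumption: CycloneDX JSON, the format of
# GitLab's gl-sbom reports). It includes a duplicate and a component without a purl.
SAMPLE_SBOM = <<~JSON
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"name": "rails", "version": "7.0.4", "purl": "pkg:gem/rails@7.0.4"},
    {"name": "lodash", "version": "4.17.21", "purl": "pkg:npm/lodash@4.17.21"},
    {"name": "requests", "version": "2.28.1", "purl": "pkg:pypi/requests@2.28.1"},
    {"name": "rails", "version": "7.0.4", "purl": "pkg:gem/rails@7.0.4"},
    {"name": "unknown-lib", "version": "1.0.0"}
  ]
}
JSON

# Hypothetical stand-in for the MR's component objects: plain Struct instead of Hashie::Mash.
Component = Struct.new(:name, :version, :purl_type, keyword_init: true)

# purl type is the segment between "pkg:" and the first "/" (e.g. pkg:npm/lodash@1.0 -> "npm").
PURL_TYPE_RE = %r{\Apkg:([a-z0-9.+-]+)/}i

def purl_type_from(purl)
  return nil if purl.nil?

  match = PURL_TYPE_RE.match(purl)
  match && match[1].downcase
end

# Parse the SBOM document and return unique components with name, version and purl_type.
# Components lacking any of the three fields are skipped rather than emitted half-filled.
def sbom_components(json)
  doc = JSON.parse(json)
  raise ArgumentError, 'not a CycloneDX document' unless doc['bomFormat'] == 'CycloneDX'

  Array(doc['components']).filter_map do |c|
    type = purl_type_from(c['purl'])
    next if c['name'].nil? || c['version'].nil? || type.nil?

    Component.new(name: c['name'], version: c['version'], purl_type: type)
  end.uniq
end

if __FILE__ == $PROGRAM_NAME
  sbom_components(SAMPLE_SBOM).each { |c| puts "#{c.purl_type}: #{c.name}@#{c.version}" }
end
```

Running it prints three components: the duplicate `rails` entry is collapsed and `unknown-lib` is dropped because it has no purl to derive a type from.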

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #384536 (closed)

Edited by Oscar Tovar
