Add classes for fetching SBOM components
What does this MR do and why?
This MR adds the following new classes:
- `Gitlab::LicenseScanning::PipelineComponents`, which takes a `pipeline` as input.
- `Gitlab::LicenseScanning::BranchComponents`, which takes a `project` and a `branch_ref` as input.
These classes fetch and parse the SBOM artifact from the pipeline, and return an array of `Hashie::Mash` objects which contain the following fields:
- `name`
- `version`
- `purl_type`
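To make the shape of that output concrete, here is an added example (not code from this MR or from GitLab) that parses an SBOM document into records carrying exactly those three fields. It assumes the artifact is a CycloneDX JSON document with a `components` array whose entries carry a `purl`, which the MR does not state, and it uses a plain `Struct` instead of `Hashie::Mash` so it runs without extra gems.

```ruby
# Added example, not the MR's code. Parses a CycloneDX-style SBOM (assumption:
# the MR does not name the format) into name/version/purl_type records, using
# Struct in place of Hashie::Mash so no extra gems are needed.
require 'json'

SbomComponent = Struct.new(:name, :version, :purl_type, keyword_init: true)

# Extract the package type from a purl such as "pkg:npm/lodash@4.17.21".
# The type is the segment between the "pkg:" scheme and the first "/";
# the purl spec treats it as case-insensitive, so it is lowercased.
def purl_type_from(purl)
  match = purl.to_s.match(%r{\Apkg:([A-Za-z0-9.+-]+)/})
  match && match[1].downcase
end

# Parse the document and return an array of SbomComponent structs.
# Entries lacking a name, a version or a parseable purl are skipped rather
# than passed on as partial records, and exact duplicates are collapsed.
def parse_sbom_components(json_text)
  doc = JSON.parse(json_text)
  Array(doc['components']).filter_map do |component|
    name = component['name']
    version = component['version']
    purl_type = purl_type_from(component['purl'])
    next if name.nil? || version.nil? || purl_type.nil?

    SbomComponent.new(name: name, version: version, purl_type: purl_type)
  end.uniq
end

# Constructed sample SBOM, not taken from any real pipeline artifact.
SAMPLE_SBOM = <<~DOC
  {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
      {"name": "lodash", "version": "4.17.21", "purl": "pkg:npm/lodash@4.17.21"},
      {"name": "rails", "version": "7.0.4", "purl": "pkg:gem/rails@7.0.4"},
      {"name": "no-purl", "version": "1.0.0"},
      {"name": "bad-purl", "version": "2.0.0", "purl": "not-a-purl"},
      {"name": "lodash", "version": "4.17.21", "purl": "pkg:npm/lodash@4.17.21"}
    ]
  }
DOC
```

Running `parse_sbom_components(SAMPLE_SBOM)` yields two records (lodash/npm and rails/gem); the entry without a purl, the one with a malformed purl, and the duplicate are dropped.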
The classes introduced in this MR are required by the new license scanning implementation that is part of &9400 (closed). This new approach relies on SBOM components instead of a license scanning report, and will allow us to remove the need for a separate license scanning job. Specifically, the classes will be used to complete the implementation of `::Gitlab::LicenseScanning::SbomScanner`, which in turn will be used in place of `::Gitlab::LicenseScanning::ArtifactScanner` once the feature flag (FF) associated with the epic is rolled out.
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Related to #384536 (closed)