Draft: Add Sbom export API
What does this MR do and why?
- Sbom Export API can be used to download a merged CycloneDX SBOM report generated in a pipeline.
- The merged report contains license information too.
- For simplicity of the first iteration, I am merging only `metadata.tools` and `components` of the multiple SBOM files generated in a pipeline. This behavior is consistent with the `cyclonedx-cli --merge` command. On a need basis, we can add more merge features to it.
- Approach 1:
  - The idea is to trigger a Sidekiq background job after a successful run of a pipeline.
  - This will generate an `SbomExport` object with a merged JSON file.
  - The file can be downloaded using the endpoint `pipelines/:id/sbom_exports/download`. This endpoint will return the JSON file generated by the latest build. This MR has the demo for this approach.
- Approach 2: The `sbom_exports` API follows the same design as the `dependency_list_export` API. It works in the following way:
  a. Using the `api/v4/projects/:project_id/sbom_exports` endpoint a user can create a `sbom_exports` record, which will generate a merged SBOM JSON file in the Sidekiq background job.
  b. Once the status of the `sbom_exports` record is `finished`, a user can download the generated merged JSON file using the endpoint `api/v4/sbom_exports/:export_id/download`.
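As an added example of the merge semantics described above (this is illustrative code written for this description, not the MR's own implementation), the snippet below merges only `metadata.tools` and `components` of several CycloneDX JSON documents and drops everything else, which is what "merging only `metadata.tools` and `components`" implies for the first iteration. The dedup keys (`bom-ref`, then `purl`, then `name@version` for components; vendor/name/version for tools) and the sample SBOMs are assumptions made for the example; the real key choice depends on the reports the scanners produce.

```ruby
require 'json'

# Added example: merge the `metadata.tools` and `components` arrays of several
# CycloneDX JSON documents into one document. Not the MR's code.
module SbomMerge
  # Assumption for this example: a component is identified by its bom-ref,
  # otherwise its purl, otherwise the name@version pair.
  def self.component_key(component)
    component['bom-ref'] || component['purl'] ||
      "#{component['name']}@#{component['version']}"
  end

  # Assumption for this example: a tool is identified by vendor/name/version.
  def self.tool_key(tool)
    [tool['vendor'], tool['name'], tool['version']].join('/')
  end

  # When the same component appears in two reports, keep the later report's
  # fields but union the license arrays so license data is never dropped.
  def self.merge_component(a, b)
    licenses = (Array(a['licenses']) + Array(b['licenses'])).uniq
    merged = a.merge(b)
    merged['licenses'] = licenses unless licenses.empty?
    merged
  end

  # Returns one merged CycloneDX hash. Only metadata.tools and components are
  # carried over; dependencies, vulnerabilities, etc. of the inputs are dropped.
  def self.merge(boms)
    raise ArgumentError, 'no SBOMs to merge' if boms.empty?
    spec_versions = boms.map { |b| b['specVersion'] }.uniq
    raise ArgumentError, "mixed specVersion: #{spec_versions}" if spec_versions.size > 1

    tools = {}
    components = {}
    boms.each do |bom|
      tool_list = bom.dig('metadata', 'tools')
      # CycloneDX 1.5 also allows an object form here; this example only handles the array form.
      raise ArgumentError, 'metadata.tools object form not supported' if tool_list.is_a?(Hash)
      Array(tool_list).each { |t| tools[tool_key(t)] ||= t }

      Array(bom['components']).each do |c|
        key = component_key(c)
        components[key] = components.key?(key) ? merge_component(components[key], c) : c
      end
    end

    {
      'bomFormat' => 'CycloneDX',
      'specVersion' => spec_versions.first,
      'version' => 1,
      'metadata' => { 'tools' => tools.values },
      'components' => components.values
    }
  end

  # Convenience wrapper for raw JSON strings (e.g. job artifacts read from disk).
  def self.merge_json(json_strings)
    JSON.generate(merge(json_strings.map { |s| JSON.parse(s) }))
  end

  # Constructed sample input: two reports from two scanners in one pipeline.
  # The second report carries the license for rails that the first lacks.
  SAMPLE_SBOMS = [
    {
      'bomFormat' => 'CycloneDX', 'specVersion' => '1.4', 'version' => 1,
      'metadata' => { 'tools' => [{ 'vendor' => 'GitLab', 'name' => 'Gemnasium', 'version' => '4.0.0' }] },
      'components' => [
        { 'type' => 'library', 'name' => 'rails', 'version' => '7.0.4', 'purl' => 'pkg:gem/rails@7.0.4' },
        { 'type' => 'library', 'name' => 'nokogiri', 'version' => '1.14.0', 'purl' => 'pkg:gem/nokogiri@1.14.0' }
      ]
    },
    {
      'bomFormat' => 'CycloneDX', 'specVersion' => '1.4', 'version' => 1,
      'metadata' => { 'tools' => [
        { 'vendor' => 'GitLab', 'name' => 'Gemnasium', 'version' => '4.0.0' },
        { 'vendor' => 'Aqua Security', 'name' => 'Trivy', 'version' => '0.38.0' }
      ] },
      'components' => [
        { 'type' => 'library', 'name' => 'rails', 'version' => '7.0.4', 'purl' => 'pkg:gem/rails@7.0.4',
          'licenses' => [{ 'license' => { 'id' => 'MIT' } }] },
        { 'type' => 'library', 'name' => 'openssl', 'version' => '3.0.8', 'purl' => 'pkg:deb/debian/openssl@3.0.8' }
      ]
    }
  ].freeze
end

puts JSON.pretty_generate(SbomMerge.merge(SbomMerge::SAMPLE_SBOMS)) if $PROGRAM_NAME == __FILE__
```

One caveat worth keeping in mind when this is implemented for real: the dedup keys come straight from scanner output, so two reports that reuse the same `bom-ref` for different artifacts would be silently collapsed into one component; keying on `purl` first, or validating that colliding entries agree on name and version, avoids that.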
How to set up and validate locally
Approach 1 (mentioned above): check out the commit eefc7763304ff51e3f1d1b773a085971a7b9c890.
- Run the pipeline with the CI variable `MERGE_SBOM: true`. This can be configured in `.gitlab-ci.yml` or can be passed directly as a pipeline variable.
- Run the following curl command to get the file:

```bash
curl http://gitlab.localdev:3000/api/v4/pipelines/698/sbom_exports/download \
  --header "PRIVATE-TOKEN: TOKEN"
```
Approach 2 (mentioned above): check out the commit b0862dabbb25921cc5b3a82f881eeb498c2a7866.
- Run the following curl commands to test the feature (the first creates the export, the second downloads it once `has_finished` is true):

```bash
curl 'http://gitlab.localdev:3000/api/v4/projects/25/sbom_exports' \
  -X 'POST' \
  --header "PRIVATE-TOKEN: TOKEN" \
  --data "pipeline_id=:id"
# > {"id":7,"has_finished":false,"self":"http://gitlab.localdev:3000/api/v4/projects/7/sbom_exports","download":"http://gitlab.localdev:3000/api/v4/sbom_exports/7/download"}

curl http://gitlab.localdev:3000/api/v4/sbom_exports/7/download \
  --header "PRIVATE-TOKEN: TOKEN"
# > JSON data
```
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.