
Fix missing SBOM component link

What does this MR do and why?

this merge request threads through the path to a file for a given sbom in order to link to it from the user interface. this replicates the behaviour of the old license scanning feature.

Performance

Known Limitations

sometimes an sbom report will omit a path for a dependency, which means it won't link to the lock file.

Related Issue(s)

Add hyperlink to the components (License Scanning SBOM Scanner)

Screenshots or screen recordings

Before After
image image

Before

test

After

FF compressed_package_metadata_query enabled

test

FF compressed_package_metadata_query disabled

please note: the discrepancy here is that i previously only synced my local package metadata before we introduce v2, which is why licenses are rendered here

test

How to set up and validate locally

  1. spin up your gdk

  2. create a new project

  3. create a file called build.gradle in the project's repository with the following contents:

// Gradle build for the sample project used to exercise the SBOM component link.
// The CycloneDX plugin is resolved through the classic buildscript block because it
// is applied with `apply plugin:` further down instead of the plugins DSL.
buildscript {
  repositories {
    maven {
      url "https://plugins.gradle.org/m2/"
    }
  }
  dependencies {
    classpath "com.cyclonedx:cyclonedx-gradle-plugin:1.5.0"
  }
}

plugins {
    id 'org.springframework.boot' version '2.3.9.RELEASE'
    id 'io.spring.dependency-management' version '1.0.11.RELEASE'
    id 'java'
    id "io.freefair.lombok" version "5.3.0"
}

// Produces the CycloneDX BOM for this project.
apply plugin: "org.cyclonedx.bom"

// Project coordinates
group = 'com.soprasteria.transverse'
version = '0.0.1-SNAPSHOT'
// Java language level of the sources
sourceCompatibility = '11'

// Repositories that dependencies are resolved from
repositories {
    mavenCentral()
    maven { url 'https://repo.spring.io/milestone' }
}

// Application dependencies, in "group:name[:version]" notation. Entries without a
// version are managed by the Spring dependency-management plugin declared above.
// NOTE(review): a few pins are older than the versions the original author noted
// inline (httpclient 4.5.13, HikariCP 4.0.1); presumably deliberate for a
// dependency-scanning fixture — confirm before reusing this file elsewhere.
dependencies {

    // ---- Core stack: the technical base for each layer --------------------------
    // Web application on Spring Boot
    implementation 'org.springframework.boot:spring-boot-starter-web'
    // Tomcat as the application server
    implementation 'org.springframework.boot:spring-boot-starter-tomcat'
    // Security...
    implementation 'org.springframework.boot:spring-boot-starter-security'
    // ...with OAuth2
    implementation 'org.springframework.boot:spring-boot-starter-oauth2-client'
    implementation 'org.springframework.security.oauth:spring-security-oauth2:2.3.6.RELEASE'
    // HTTP client, needed at least for authentication calls
    implementation 'org.apache.httpcomponents:httpclient:4.5.7' // 4.5.13 noted by the author
    // Self-describing REST API: Spring HATEOAS on top of Spring Data JPA
    implementation 'org.springframework.boot:spring-boot-starter-data-rest'
    // Bean validation annotations such as @NotBlank
    implementation 'org.springframework.boot:spring-boot-starter-validation'
    // Data-access layer on Spring Data JPA
    implementation 'org.springframework.boot:spring-boot-starter-data-jpa'
    // Database connection pooling via Hikari
    implementation 'com.zaxxer:HikariCP:3.2.0' // 4.0.1 noted by the author
    // PostgreSQL driver, runtime only
    runtimeOnly 'org.postgresql:postgresql'

    // ---- Apache "commons" utilities ------------------------------------------------
    implementation 'commons-io:commons-io:2.7'
    implementation 'org.apache.commons:commons-lang3:3.11'
    implementation 'org.apache.commons:commons-collections4:4.4'

    // ---- Business-feature dependencies ---------------------------------------------
    // SSH calls from Java
    implementation 'com.hierynomus:sshj:0.30.0'
    // BouncyCastle must be imported explicitly; exact versions follow the sshj
    // build file: https://search.maven.org/artifact/com.hierynomus/sshj/0.30.0/jar
    implementation 'org.bouncycastle:bcprov-jdk15on:1.66'
    implementation 'org.bouncycastle:bcpkix-jdk15on:1.66'
    // Excel *.xlsx generation
    implementation 'org.apache.poi:poi-ooxml:5.0.0'
    // Outgoing mail
    implementation 'org.springframework.boot:spring-boot-starter-mail'
    // Web scraping to embed elements from other pages
    // jsoup HTML parser library @ https://jsoup.org/
    implementation 'org.jsoup:jsoup:1.13.1'
    // User information lookup over LDAP
    implementation 'org.springframework.ldap:spring-ldap-core:2.3.3.RELEASE'

    // ---- Technical monitoring --------------------------------------------------------
    // Actuator: exposes application metrics for monitoring
    implementation 'org.springframework.boot:spring-boot-starter-actuator'
    // Hawtio: web console for browsing those metrics
    implementation 'io.hawt:hawtio-springboot:2.12.1'

    // ---- Developer tooling -----------------------------------------------------------
    // JUnit & co. for unit tests
    testImplementation 'org.springframework.boot:spring-boot-starter-test'
    testImplementation 'org.assertj:assertj-core:3.11.1'

}
  1. create a file called .gitlab-ci.yml in the project's repository with the following contents:
# Pulls in GitLab's Dependency Scanning job template so the pipeline produces
# the report whose components are linked from the license compliance page.
include:
    - template: Security/Dependency-Scanning.gitlab-ci.yml
  1. go to the pipeline page and make sure the pipeline succeeds

  2. visit the license compliance page under the security and compliance tab in the side navigation

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Philip Cunningham
