Add support for cyclonedx specVersion 1.5
What does this MR do and why?
Update the CycloneDX SBOM parser to support JSON schema specVersion 1.4 as well as 1.5.
The specVersion validation has been moved out of Gitlab::Ci::Parsers::Sbom::Cyclonedx to simplify the validator instantiation logic.
Note: the json_schemer gem does not seem to support local file refs without the file:// prefix (as specified in the JSON schema spec). Therefore a manual step is needed to change the schemas below so that they include the contents of the local files directly. This means that the official schema gets the spdx and signature references replaced with the contents of the spdx file and the signature file.
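The two mechanics this MR relies on, shown as an added Ruby example that is not GitLab's code: a specVersion check that runs before any schema validator is built (so an unsupported or missing version is rejected up front, as the MR moves this out of the parser), and the manual ref-inlining step described in the note, implemented as a recursive walk that replaces local-file `$ref`s with the referenced document. The schema fragments, the `spdx.schema.json` / `jsf-0.82.schema.json` file names, the `schema_path_for` layout and the minimal `sbom.1.5.json` are all constructed for the example; only the supported versions 1.4 and 1.5 come from the MR.

```ruby
require 'json'

# Constructed example (not GitLab's code): the spec versions the MR says the parser accepts.
SUPPORTED_SPEC_VERSIONS = %w[1.4 1.5].freeze

# Validate specVersion before building any schema validator.
# Returns [version, nil] on success, or [nil, error_message] on failure.
def check_spec_version(sbom)
  version = sbom['specVersion']
  return [nil, 'missing specVersion'] if version.nil?
  unless SUPPORTED_SPEC_VERSIONS.include?(version)
    return [nil, "unsupported specVersion #{version.inspect}; expected one of #{SUPPORTED_SPEC_VERSIONS.join(', ')}"]
  end
  [version, nil]
end

# Hypothetical per-version schema file name (GitLab's actual paths are not on the page).
def schema_path_for(version)
  "cyclonedx/bom-#{version}.schema.json"
end

# A local file ref has no URI scheme and is not a fragment-only ref such as "#/definitions/x".
def local_ref?(ref)
  ref.is_a?(String) && !ref.start_with?('#') && !ref.match?(%r{\A[a-z][a-z0-9+.-]*://}i)
end

# Recursively replace local file "$ref"s with the referenced document's contents,
# mirroring the manual inlining step the MR describes. `files` maps filename => parsed JSON.
def inline_local_refs(node, files)
  case node
  when Hash
    if node.key?('$ref') && local_ref?(node['$ref'])
      name = node['$ref']
      raise KeyError, "no local file provided for $ref #{name}" unless files.key?(name)
      inline_local_refs(files[name], files) # the referenced file may itself contain local refs
    else
      node.transform_values { |v| inline_local_refs(v, files) }
    end
  when Array
    node.map { |v| inline_local_refs(v, files) }
  else
    node
  end
end

# Count remaining local file refs, used to confirm the inlined schema is self-contained.
def count_local_refs(node)
  case node
  when Hash
    (node.key?('$ref') && local_ref?(node['$ref']) ? 1 : 0) + node.values.sum { |v| count_local_refs(v) }
  when Array
    node.sum { |v| count_local_refs(v) }
  else
    0
  end
end

# Constructed schema fragments standing in for the official CycloneDX schema and the
# spdx / signature files it references by local ref.
MAIN_SCHEMA = {
  'type' => 'object',
  'properties' => {
    'specVersion' => { 'type' => 'string' },
    'components' => { 'type' => 'array', 'items' => { '$ref' => '#/definitions/component' } }
  },
  'definitions' => {
    'component' => {
      'type' => 'object',
      'properties' => {
        'licenses' => { 'type' => 'array',
                        'items' => { 'type' => 'object', 'properties' => { 'id' => { '$ref' => 'spdx.schema.json' } } } },
        'signature' => { '$ref' => 'jsf-0.82.schema.json' }
      }
    }
  }
}.freeze

LOCAL_FILES = {
  'spdx.schema.json' => { 'enum' => ['MIT', 'Apache-2.0'] },
  'jsf-0.82.schema.json' => { 'type' => 'object', 'properties' => { 'algorithm' => { 'type' => 'string' } } }
}.freeze

# Constructed minimal sbom.1.5.json (not the MR's own fixture).
SBOM_1_5 = JSON.parse(<<~SBOM)
  { "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "components": [ { "type": "library", "name": "rails", "version": "7.0.0",
                      "licenses": [ { "license": { "id": "MIT" } } ] } ] }
SBOM

if $PROGRAM_NAME == __FILE__
  version, err = check_spec_version(SBOM_1_5)
  puts err || "validate against #{schema_path_for(version)}"
  inlined = inline_local_refs(MAIN_SCHEMA, LOCAL_FILES)
  puts "local refs remaining after inlining: #{count_local_refs(inlined)}"
end
```

The version check deliberately returns an error string instead of raising, so a caller can surface "unsupported specVersion" as a parser error on the report rather than a crashed validator; the inlining helper raises when a referenced local file is absent, since a silently dropped `spdx` or `signature` definition would make the schema accept documents it should reject.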
How to set up and validate locally
- Create a branch with the following changes:
  - Add `.gitlab-ci.yml`:

    ```yaml
    job a:
      script:
        - echo 'job a'
      artifacts:
        reports:
          cyclonedx: "sbom.1.5.json"
    ```

  - Add `sbom.1.5.json` to the repository.
- Once the pipeline completes, go to the pipeline page and click on the Licenses tab (note: `.json` can be appended to that URL for easier viewing of the results).
  - Under the `master` branch the license list is empty.
  - Under the `431435-support-cyclonedx-spec-version-1.5` branch dependencies and their licenses are shown.
- (Contrast this behaviour by changing the above steps to use `sbom.1.4.json`: both branches show results.)
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Related to #431435 (closed)