Draft: Ingest source_package_name to Sbom::ComponentVersion
What does this MR do and why?
Ingest `source_package_name` into `Sbom::ComponentVersion`. We need this to correctly match container scanning findings produced by the Trivy scanner, whose vulnerability records refer to the source package rather than the installed binary package.
This code is cherry-picked from the previous iteration of this solution, !136241 (closed).
How to set up and validate locally
Using GDK
- Create a project with the following content:

  `.gitlab-ci.yml`:

  ```yaml
  variables:
    CS_IMAGE: 'golang:1.20-alpine'
  include:
    - template: Jobs/Container-Scanning.gitlab-ci.yml
  ```
- Run a pipeline and make sure that a `container_scanning:cyclonedx` report is created.
- In a Rails console, load the component versions that belong to `apk` components:

  ```ruby
  Sbom::ComponentVersion.where(component_id: Sbom::Component.where(purl_type: 'apk').pluck(:id)).all
  ```
- Ensure that the `source_package_name` column has data. Check that `source_package_name` equals `alpine-baselayout` for the component with name `alpine/alpine-baselayout-data`.
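The validation steps above check the ingested rows in the database. The following Ruby is an added example, not code from this MR or from GitLab, showing what the check validates at the report level: it parses a constructed CycloneDX fragment in the shape Trivy emits for an Alpine image and derives the `name`, `purl_type` and `source_package_name` that the ingestion is expected to store. It assumes that Trivy carries the source package in the `aquasecurity:trivy:SrcName` component property and that the stored component name is the purl namespace plus name (`alpine/alpine-baselayout-data`); both are assumptions of this example, and the helper names (`component_versions`, `apk_source_package_names`) are hypothetical.

```ruby
require 'json'

# Constructed sample (not a real Trivy report): a trimmed CycloneDX 1.4
# document with one apk component and one Go module, which has no
# source package and therefore no SrcName property.
SAMPLE_CYCLONEDX = <<~JSON
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {
      "type": "library",
      "name": "alpine-baselayout-data",
      "version": "3.4.3-r1",
      "purl": "pkg:apk/alpine/alpine-baselayout-data@3.4.3-r1?arch=x86_64&distro=3.18.3",
      "properties": [
        { "name": "aquasecurity:trivy:PkgType", "value": "alpine" },
        { "name": "aquasecurity:trivy:SrcName", "value": "alpine-baselayout" },
        { "name": "aquasecurity:trivy:SrcVersion", "value": "3.4.3-r1" }
      ]
    },
    {
      "type": "library",
      "name": "golang.org/x/sys",
      "version": "v0.8.0",
      "purl": "pkg:golang/golang.org/x/sys@v0.8.0"
    }
  ]
}
JSON

# Assumed Trivy property name that carries the source package.
SRC_NAME_PROPERTY = 'aquasecurity:trivy:SrcName'

# Package URL type: "apk", "golang", ... (the part after "pkg:").
def purl_type(purl)
  return nil unless purl&.start_with?('pkg:')

  purl.delete_prefix('pkg:').split('/', 2).first
end

# Namespaced name without type, version and qualifiers,
# e.g. "alpine/alpine-baselayout-data" (assumed storage format).
def purl_name(purl)
  return nil unless purl&.start_with?('pkg:')

  path = purl.delete_prefix('pkg:').split('?', 2).first.split('@', 2).first
  path.split('/', 2).last
end

# Source package from the Trivy property, nil when the scanner emitted none.
def source_package_name(component)
  prop = Array(component['properties']).find { |p| p['name'] == SRC_NAME_PROPERTY }
  prop && prop['value']
end

# One hash per component, mirroring the columns the ingestion fills.
def component_versions(json)
  doc = JSON.parse(json)
  Array(doc['components']).map do |c|
    {
      name: purl_name(c['purl']) || c['name'],
      version: c['version'],
      purl_type: purl_type(c['purl']),
      source_package_name: source_package_name(c)
    }
  end
end

# Equivalent of the Rails console query: apk components only,
# mapped name => source_package_name.
def apk_source_package_names(json)
  component_versions(json)
    .select { |cv| cv[:purl_type] == 'apk' }
    .to_h { |cv| [cv[:name], cv[:source_package_name]] }
end

# The manual check from the validation steps, expressed over the report.
def baselayout_source_matches?(json)
  apk_source_package_names(json)['alpine/alpine-baselayout-data'] == 'alpine-baselayout'
end

puts apk_source_package_names(SAMPLE_CYCLONEDX).inspect if $PROGRAM_NAME == __FILE__
```

Components without the property keep a `nil` source package, which is the case to watch for in the console check: a row whose `source_package_name` is empty for an `apk` component would mean the property was present in the report but not ingested.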
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- [ ] I have evaluated the MR acceptance checklist for this MR.
Related to #427095 (closed)
Edited by Tetiana Chupryna