
Use CycloneDX SBOMs licenses in license scanner

Marcos Rocha requested to merge mc_rocha-use-sbom-license-in-scanner-415935 into master

What does this MR do and why?

This MR updates our code to use CycloneDX SBOMs licenses in license scanner as described here.

Related to: #415935

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

Screenshot_2024-08-29_at_3.12.02_PM

How to set up and validate locally

Numbered steps to set up and validate the change are strongly suggested.

  1. Enable the license_scanning_with_sbom_licenses feature flag on the rails console
  2. Create a new project
  3. Add a .gitlab-ci.yml with the content

     include:
       - template: Jobs/Dependency-Scanning.gitlab-ci.yml

     gemnasium-dependency_scanning:
       stage: test
       script: 'pwd'
       artifacts:
         reports:
           cyclonedx: gl-sbom-gem-bundler.cdx.json

  4. Add an empty Gemfile.lock file
  5. Add a file called gl-sbom-gem-bundler.cdx.json with the content

     {
         "bomFormat": "CycloneDX",
         "specVersion": "1.4",
         "serialNumber": "urn:uuid:a15e529c-2113-4a11-a694-6bc3ea4e2b53",
         "version": 1,
         "metadata": {
             "timestamp": "2022-02-23T08:02:39Z",
             "tools": [
                 {
                     "vendor": "GitLab",
                     "name": "Gemnasium",
                     "version": "2.34.0"
                 }
             ],
             "authors": [
                 {
                     "name": "GitLab",
                     "email": "support@gitlab.com"
                 }
             ],
             "properties": [
                 {
                     "name": "gitlab:dependency_scanning:input_file:path",
                     "value": "Gemfile.lock"
                 },
                 {
                     "name": "gitlab:dependency_scanning:package_manager:name",
                     "value": "bundler"
                 },
                 {
                     "name": "gitlab:meta:schema_version",
                     "value": "1"
                 }
             ]
         },
         "components": [
             {
                 "name": "sidekiq",
                 "version": "4.2.10",
                 "purl": "pkg:gem/sidekiq@4.2.10",
                 "type": "library",
                 "bom-ref": "pkg:gem/sidekiq@4.2.10",
                 "licenses": [
                     {
                         "license": {
                             "name": "Custom-License"
                         }
                     }
                 ]
             },
             {
                 "name": "activesupport",
                 "version": "5.1.4",
                 "purl": "pkg:gem/activesupport@5.1.4",
                 "type": "library",
                 "bom-ref": "pkg:gem/activesupport@5.1.4"
             }
         ]
     }

  6. Go to Build > Pipelines
  7. Click on the last pipeline
  8. Click on the Licenses tab
  9. Click on Manage Licenses and verify that the dependency sidekiq has the Custom-License license defined in the SBOM report and that activesupport has the MIT license defined in the license database
Edited by Marcos Rocha
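The resolution behaviour the validation steps check (a license declared in the CycloneDX SBOM wins, a component with no SBOM license falls back to the license database) as an added Ruby example; this is not GitLab's own code, and the purl-keyed LICENSE_DB hash and the flag_enabled keyword are assumptions standing in for the real license database and the feature flag.

```ruby
require 'json'

# Constructed SBOM with only the fields the resolution logic needs (mirrors the
# validation steps: sidekiq declares a license, activesupport declares none).
SAMPLE_SBOM = <<~JSON
  {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
      { "name": "sidekiq", "version": "4.2.10", "purl": "pkg:gem/sidekiq@4.2.10",
        "licenses": [ { "license": { "name": "Custom-License" } } ] },
      { "name": "activesupport", "version": "5.1.4", "purl": "pkg:gem/activesupport@5.1.4" }
    ]
  }
JSON

# Constructed stand-in for the license database, keyed by purl (assumption, not GitLab's schema).
# The sidekiq entry exists only to show that the SBOM value shadows it when the flag is on.
LICENSE_DB = {
  'pkg:gem/activesupport@5.1.4' => ['MIT'],
  'pkg:gem/sidekiq@4.2.10'      => ['LGPL-3.0']
}.freeze

# License names declared for one CycloneDX component, or [] when it declares none.
# CycloneDX allows either an SPDX "id" or a free-text "name" inside each license entry.
def sbom_licenses(component)
  Array(component['licenses']).filter_map do |entry|
    lic = entry['license'] or next
    lic['id'] || lic['name']
  end
end

# Maps purl => { name, licenses, source }. With the flag enabled, SBOM licenses take
# precedence; otherwise (or when the SBOM declares none) the license database is used,
# and a component known to neither is reported as 'unknown'.
def resolve_licenses(sbom_json, license_db, flag_enabled: true)
  JSON.parse(sbom_json).fetch('components', []).to_h do |component|
    declared = flag_enabled ? sbom_licenses(component) : []
    source   = declared.empty? ? 'license_db' : 'sbom'
    licenses = declared.empty? ? license_db.fetch(component['purl'], ['unknown']) : declared
    [component['purl'], { 'name' => component['name'], 'licenses' => licenses, 'source' => source }]
  end
end

if __FILE__ == $PROGRAM_NAME
  resolve_licenses(SAMPLE_SBOM, LICENSE_DB).each_value do |c|
    puts "#{c['name']}: #{c['licenses'].join(', ')} (#{c['source']})"
  end
end
```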
