
Add SBoM Component tables and models

Brian Williams requested to merge bwill/add-sbom-components into master

What does this MR do and why?

This is part one of a three-phase implementation for adding new models to support the tracking of Software Bill of Materials (SBoM) components in GitLab. SBoM is used to create an inventory of the software components which make up an application. We will have dependency scanning / container scanning CI jobs produce CycloneDX SBoM reports as job artifacts. These job artifacts will be consumed by Rails, parsed, and then stored inside these tables.

We're using the following initial schema, which was determined from a research spike:

(image: SBOM_DB_phased_implementation)

Migrations

$ scripts/db_tasks db:migrate:down VERSION=20220616182015
main: == 20220616182015 CreateSbomComponentVersions: reverting ======================
main: -- drop_table(:sbom_component_versions, {})
main:    -> 0.0046s
main: == 20220616182015 CreateSbomComponentVersions: reverted (0.0087s) =============
$ scripts/db_tasks db:migrate:down VERSION=20220616182001
main: == 20220616182001 CreateSbomComponents: reverting =============================
main: -- drop_table(:sbom_components, {})
main:    -> 0.0035s
main: == 20220616182001 CreateSbomComponents: reverted (0.0054s) ====================
$ scripts/db_tasks db:migrate
main: == 20220616182001 CreateSbomComponents: migrating =============================
main: -- create_table(:sbom_components, {})
main: -- quote_column_name(:name)
main:    -> 0.0000s
main:    -> 0.0052s
main: == 20220616182001 CreateSbomComponents: migrated (0.0059s) ====================
main: == 20220616182015 CreateSbomComponentVersions: migrating ======================
main: -- create_table(:sbom_component_versions, {})
main: -- quote_column_name(:version)
main:    -> 0.0000s
main:    -> 0.0056s
main: == 20220616182015 CreateSbomComponentVersions: migrated (0.0058s) =============

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Brian Williams
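The description above says the CycloneDX reports produced by the scanning jobs are parsed by Rails and stored in the two new tables. The following is an added example, not code from this MR or from GitLab, that takes a constructed CycloneDX 1.4 report and derives the de-duplicated rows destined for `sbom_components` and `sbom_component_versions`. The migration output only confirms a `name` column on `sbom_components` and a `version` column on `sbom_component_versions`; the `component_type` column and the way a version row refers back to its component are assumptions here.

```ruby
require 'json'

# Constructed CycloneDX 1.4 report standing in for a dependency-scanning job
# artifact. Deliberately contains a repeated component, two versions of the
# same component, and an entry with a blank name.
SAMPLE_CYCLONEDX = <<~JSON
  {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
      { "type": "library", "name": "rails",    "version": "7.0.3",  "purl": "pkg:gem/rails@7.0.3" },
      { "type": "library", "name": "nokogiri", "version": "1.13.6", "purl": "pkg:gem/nokogiri@1.13.6" },
      { "type": "library", "name": "nokogiri", "version": "1.12.5", "purl": "pkg:gem/nokogiri@1.12.5" },
      { "type": "library", "name": "rails",    "version": "7.0.3",  "purl": "pkg:gem/rails@7.0.3" },
      { "type": "library", "name": "",         "version": "0.0.1" }
    ]
  }
JSON

# Assumed target shape: sbom_components(component_type, name) is unique per
# (type, name); sbom_component_versions(component_type, component_name, version)
# is unique per (type, name, version). Only `name` and `version` are confirmed
# by the MR's migration output.
def extract_sbom_rows(json_text)
  report = JSON.parse(json_text)
  raise ArgumentError, 'not a CycloneDX report' unless report['bomFormat'] == 'CycloneDX'

  components = {} # [type, name] => row; collapses repeated component entries
  versions   = {} # [type, name, version] => row

  Array(report['components']).each do |c|
    name = c['name'].to_s.strip
    next if name.empty? # CycloneDX requires a component name; skip rather than store a blank row

    key = [c['type'], name]
    components[key] ||= { component_type: c['type'], name: name }

    version = c['version'].to_s.strip
    next if version.empty? # no version to record for this component

    versions[key + [version]] ||= { component_type: c['type'], component_name: name, version: version }
  end

  { sbom_components: components.values, sbom_component_versions: versions.values }
end
```

For the constructed report this yields two component rows (rails, nokogiri) and three version rows, with the duplicated rails entry and the blank-named entry dropped.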
