Add data structures for SBoM report parsing
What does this MR do and why?
Background
- Issue: #366194 (closed)
- Epic: &8024 (closed)
This MR is one of four parts for implementing a CI report parser for CycloneDX Software Bill of Materials (SBoM) documents.
- Add data structures for SBoM report parsing (!92813 - merged) 👈 You are here.
- Add CycloneDX report parser (!92821 - merged)
- Add CycloneDX report validation (!92823 - merged)
- Add parser for CycloneDX properties (!93219 - merged)
These reports will be output by CI jobs and stored as job artifacts (!91510 (merged)). The reports will be parsed (implemented in this MR), and then passed to a report ingestion service which will store the report objects in the database. The resulting data can be used as a software inventory, and will eventually be used to determine if a given project or dependency is affected by a known vulnerability.
This MR
Adds the initial data structures which will be filled with data from the CycloneDX JSON documents.
Data Dictionary
- Component: A software dependency, corresponding to the components field on the CycloneDX report.
- Source: GitLab-specific information about how the component was introduced to the project (ex: via `Gemfile.lock` or a container image)
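As an added illustration of the two structures in the data dictionary (example code written for this description, not the classes this MR adds to GitLab): assumed `Component`, `Source` and `Report` structs, and a small loader that fills them from a constructed CycloneDX JSON document while rejecting documents whose shape would otherwise leave half-filled objects for the ingestion step.

```ruby
require 'json'

module SbomExample
  # Assumed shape of the GitLab-specific origin information: how the
  # component entered the project, e.g. which lockfile or container image.
  Source = Struct.new(:source_type, :data, keyword_init: true)

  # One entry of the CycloneDX `components` array (assumed field set).
  Component = Struct.new(:name, :version, :component_type, :purl, keyword_init: true)

  # The parsed report: components found plus the source that produced them.
  Report = Struct.new(:components, :source, keyword_init: true)

  # Copy only the known keys out of each component object; anything else
  # in the document is ignored rather than carried into the model.
  def self.build_component(raw)
    raise ArgumentError, 'component must be an object' unless raw.is_a?(Hash)
    Component.new(name: raw.fetch('name'), version: raw['version'],
                  component_type: raw['type'], purl: raw['purl'])
  end

  # Parse a CycloneDX JSON string into a Report. Structural problems raise
  # instead of yielding partially filled objects downstream.
  def self.parse(json, source: nil)
    doc = JSON.parse(json)
    raise ArgumentError, 'not a CycloneDX document' unless doc.is_a?(Hash) && doc['bomFormat'] == 'CycloneDX'
    components = doc.fetch('components', [])
    raise ArgumentError, 'components must be an array' unless components.is_a?(Array)
    Report.new(components: components.map { |c| build_component(c) }, source: source)
  end
end

# Constructed sample document (not taken from a real project).
SBOM_JSON = <<~JSON
  {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
      {"type": "library", "name": "rails", "version": "7.0.3", "purl": "pkg:gem/rails@7.0.3"},
      {"type": "library", "name": "nokogiri", "version": "1.13.6"}
    ]
  }
JSON

# Constructed Source recording that the components came from a Gemfile.lock.
GEMFILE_SOURCE = SbomExample::Source.new(source_type: 'lockfile',
                                         data: { 'input_file' => { 'path' => 'Gemfile.lock' } })
```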
FAQ
- Does this need a changelog entry / feature flag?
- No. This code will remain unreachable until the SBoM ingestion service is implemented. The entrypoint for that service will be behind a feature flag. The changelog entry will be added when the feature flag is enabled and removed.
- Where can I find examples of what this report data looks like?
- Where can I read more about the CycloneDX specification?
- Refer to the specification documentation and other resources on cyclonedx.org.
- Where can I read more about how this data will be handled downstream?
How to set up and validate locally
N/A
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.