Add data structures for SBoM report parsing

Brian Williams requested to merge bwill/sbom-report-parser/structures into master

What does this MR do and why?

Background

This MR is one of four parts for implementing a CI report parser for CycloneDX Software Bill of Materials (SBoM) documents.

  1. Add data structures for SBoM report parsing (!92813 - merged) 👈 You are here.
  2. Add CycloneDX report parser (!92821 - merged)
  3. Add CycloneDX report validation (!92823 - merged)
  4. Add parser for CycloneDX properties (!93219 - merged)

These reports will be output by CI jobs and stored as job artifacts (!91510 (merged)). The reports will be parsed (implemented in this MR), and then passed to a report ingestion service which will store the report objects in the database. The resulting data can be used as a software inventory, and will eventually be used to determine if a given project or dependency is affected by a known vulnerability.

This MR

Adds the initial data structures which will be filled with data from the CycloneDX JSON documents.

Data Dictionary

  • Component: A software dependency, corresponding to the components field on the CycloneDX report.
  • Source: GitLab-specific information about how the component was introduced to the project (ex: via Gemfile.lock or a container image)
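As an added illustration, not code from this MR or from GitLab, the Ruby sketch below shows one shape these two structures can take and how the `components` field of a constructed CycloneDX document fills them; the struct fields, the `Source` values and the `Sbom.parse` function are assumptions.

```ruby
# Added example (not GitLab's own code): minimal data structures for a
# CycloneDX SBoM report plus a loader that fills them from a constructed
# CycloneDX JSON document. Struct shapes and field names are assumptions.
require 'json'

module Sbom
  # One entry of the CycloneDX "components" array.
  Component = Struct.new(:component_type, :name, :version, :purl, keyword_init: true)

  # How the component got into the project (e.g. a Gemfile.lock or an image).
  Source = Struct.new(:source_type, :data, keyword_init: true)

  # Parsed report: the components it lists and the source they came from.
  Report = Struct.new(:source, :components, keyword_init: true) do
    def add_component(component)
      components << component
    end
  end

  # Builds a Report from a CycloneDX JSON string. Only the "components" array
  # is read; unknown fields are ignored and non-CycloneDX input is rejected.
  def self.parse(json, source:)
    doc = JSON.parse(json)
    raise ArgumentError, 'not a CycloneDX document' unless doc['bomFormat'] == 'CycloneDX'

    report = Report.new(source: source, components: [])
    Array(doc['components']).each do |c|
      report.add_component(Component.new(
        component_type: c['type'],
        name: c['name'],
        version: c['version'],
        purl: c['purl']   # optional in CycloneDX, so may be nil
      ))
    end
    report
  end
end

# Constructed sample CycloneDX 1.4 document (not a real project's SBoM).
SAMPLE_JSON = <<~DOC.freeze
  {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
      {"type": "library", "name": "rails", "version": "7.0.3", "purl": "pkg:gem/rails@7.0.3"},
      {"type": "library", "name": "nokogiri", "version": "1.13.6"}
    ]
  }
DOC

# Constructed source: a lockfile-based origin (values are assumptions).
SAMPLE_SOURCE = Sbom::Source.new(source_type: 'dependency_scanning',
                                 data: { 'input_file' => { 'path' => 'Gemfile.lock' } }).freeze
```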

FAQ

How to set up and validate locally

N/A

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Brian Williams
