Add CycloneDX report parser
What does this MR do and why?
Background
- Issue: #366194 (closed)
- Epic: &8024 (closed)
This MR is one of four parts for implementing a CI report parser for CycloneDX Software Bill of Materials (SBoM) documents.
- Add data structures for SBoM report parsing (!92813 - merged)
- Add CycloneDX report parser (!92821 - merged) 👈 You are here.
- Add CycloneDX report validation (!92823 - merged)
- Add parser for CycloneDX properties (!93219 - merged)
These reports will be output by CI jobs and stored as job artifacts (!91510 (merged)). The reports will be parsed (implemented in this MR), and then passed to a report ingestion service which will store the report objects in the database. The resulting data can be used as a software inventory, and will eventually be used to determine if a given project or dependency is affected by a known vulnerability.
This MR
Adds the parser which processes the JSON data and outputs it via the report data structures added in Add data structures for SBoM report parsing (!92813 - merged).
Data Dictionary
- Component: A software dependency, corresponding to the components field on the CycloneDX report.
- Source: GitLab-specific information about how the component was introduced to the project (ex: via `Gemfile.lock` or a container image)
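The following is an added, self-contained illustration of what "processes the JSON data and outputs it via the report data structures" means, using the Component and Source terms from the data dictionary. It is not GitLab's `Gitlab::Ci::Parsers::Sbom::Cyclonedx` or its report classes: `CycloneDxParser`, `SbomReport`, the `Component`/`Source` structs, the `example:sbom:input_file:` property prefix and the embedded sample document are all constructed for this example. The parser checks `bomFormat` before trusting the document, records malformed input and unnamed components as report errors instead of raising, and carries the `purl` through because that is the identifier later vulnerability matching would key on.

```ruby
require 'json'

# Illustrative report structures (assumption: not GitLab's own classes).
Component = Struct.new(:type, :name, :version, :purl, keyword_init: true)
Source    = Struct.new(:type, :data, keyword_init: true)

class SbomReport
  attr_reader :components, :source, :errors

  def initialize
    @components = []
    @source = nil
    @errors = []
  end

  def add_component(component) = @components << component
  def set_source(source)        = @source = source
  def add_error(message)        = @errors << message
end

# Illustrative CycloneDX JSON parser (assumption: not the MR's implementation).
class CycloneDxParser
  SUPPORTED_FORMAT = 'CycloneDX'
  # Constructed property prefix used to derive the Source; not a GitLab identifier.
  SOURCE_PROPERTY_PREFIX = 'example:sbom:input_file:'

  def initialize(json_data, report)
    @json_data = json_data
    @report = report
  end

  # Fills the report in place and returns it; never raises on bad input.
  def parse!
    data = JSON.parse(@json_data)
    unless data.is_a?(Hash) && data['bomFormat'] == SUPPORTED_FORMAT
      @report.add_error("Unsupported bomFormat: #{data['bomFormat'].inspect}") if data.is_a?(Hash)
      @report.add_error('Document is not a JSON object') unless data.is_a?(Hash)
      return @report
    end
    parse_components(data['components'])
    parse_source(data.dig('metadata', 'properties'))
    @report
  rescue JSON::ParserError => e
    @report.add_error("Invalid JSON: #{e.message}")
    @report
  end

  private

  # Each entry of the top-level "components" array becomes one Component.
  def parse_components(components)
    Array(components).each do |c|
      next unless c.is_a?(Hash)
      name = c['name']
      if name.nil? || name.empty?
        @report.add_error('Component without a name skipped')
        next
      end
      @report.add_component(
        Component.new(type: c['type'], name: name, version: c['version'], purl: c['purl'])
      )
    end
  end

  # Properties under our (constructed) prefix describe how the SBoM was produced.
  def parse_source(properties)
    data = {}
    Array(properties).each do |prop|
      key = prop['name'].to_s
      next unless key.start_with?(SOURCE_PROPERTY_PREFIX)
      data[key.delete_prefix(SOURCE_PROPERTY_PREFIX)] = prop['value']
    end
    @report.set_source(Source.new(type: :input_file, data: data)) unless data.empty?
  end
end

# Constructed sample document: one valid component and one without a name.
SAMPLE_SBOM = <<~JSON
  {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "metadata": {
      "properties": [
        { "name": "example:sbom:input_file:path", "value": "package-lock.json" }
      ]
    },
    "components": [
      { "type": "library", "name": "lodash", "version": "4.17.21", "purl": "pkg:npm/lodash@4.17.21" },
      { "type": "library", "name": "", "version": "1.0.0" }
    ]
  }
JSON

def parse_sample(json = SAMPLE_SBOM)
  CycloneDxParser.new(json, SbomReport.new).parse!
end

if __FILE__ == $PROGRAM_NAME
  report = parse_sample
  pp report.components
  pp report.source
  pp report.errors
end
```

Run it directly to see the parsed components, the derived source and the error list; feeding it a non-CycloneDX document or invalid JSON yields an empty report with a single error rather than an exception, which is the behaviour a CI artifact parser needs when the job output is untrusted.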
FAQ
- Does this need a changelog entry / feature flag?
- No. This code will remain unreachable until the SBoM ingestion service is implemented. The entrypoint for that service will be behind a feature flag. The changelog entry will be added when the feature flag is enabled and removed.
- Where can I find examples of what this report data looks like?
- Where can I read more about the CycloneDX specification?
- Refer to the specification documentation and other resources on cyclonedx.org.
- Where can I read more about how this data will be handled downstream?
How to set up and validate locally
Start the rails console:

```shell
bundle exec rails c
```

Run this Ruby code:

```ruby
json_data = URI.open('https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium/-/raw/add14250d79425e40d2d7724de34a3906d826fda/qa/expect/js-npm/default/cyclonedx-npm-npm.json').read
report = Gitlab::Ci::Reports::Sbom::Report.new
Gitlab::Ci::Parsers::Sbom::Cyclonedx.new(json_data, report).parse!
pp report.components
```
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.