Skip to content

Add CycloneDX report parser

What does this MR do and why?

Background

This MR is one of four parts for implementing a CI report parser for CycloneDX Software Bill of Materials (SBoM) documents.

  1. Add data structures for SBoM report parsing (!92813 - merged)
  2. Add CycloneDX report parser (!92821 - merged) 👈 You are here.
  3. Add CycloneDX report validation (!92823 - merged)
  4. Add parser for CycloneDX properties (!93219 - merged)

These reports will be be outputted by CI jobs and stored as job artifacts (!91510 (merged)). The reports will be parsed (implemented in this MR), and then passed to a report ingestion service which will store the report objects in the database. The resulting data can be used as a software inventory, and will eventually be used to determine if a given project or dependency is affected by a known vulnerability.

This MR

Adds the parser which processes the JSON data and outputs it via the report data structures added in Add data structures for SBoM report parsing (!92813 - merged).

Data Dictionary

  • Component: A software dependency, corresponding to the components field on the CycloneDX report.
  • Source: GitLab-specific information about how the component was introduced to the project (ex: via Gemfile.lock or a container image)

FAQ

How to set up and validate locally

Start the rails console:

bundle exec rails c

Run this Ruby code:

json_data = URI.open('https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium/-/raw/add14250d79425e40d2d7724de34a3906d826fda/qa/expect/js-npm/default/cyclonedx-npm-npm.json').read
report = Gitlab::Ci::Reports::Sbom::Report.new
Gitlab::Ci::Parsers::Sbom::Cyclonedx.new(json_data, report).parse!

pp report.components

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Brian Williams

Merge request reports

Loading