Add CycloneDX report validation
What does this MR do and why?
Background
- Issue: #366194 (closed)
- Epic: &8024 (closed)
This MR is one of four parts for implementing a CI report parser for CycloneDX Software Bill of Materials (SBoM) documents.
- Add data structures for SBoM report parsing (!92813 - merged)
- Add CycloneDX report parser (!92821 - merged)
- Add CycloneDX report validation (!92823 - merged) 👈 You are here.
- Add parser for CycloneDX properties (!93219 - merged)
These reports will be output by CI jobs and stored as job artifacts (!91510 - merged). The reports will be parsed (implemented in this MR) and then passed to a report ingestion service which will store the report objects in the database. The resulting data can be used as a software inventory, and will eventually be used to determine whether a given project or dependency is affected by a known vulnerability.
This MR
Adds a validator which checks the report against the CycloneDX JSON schema before any data is parsed, so the parser can assume a well-formed document and does not need to defend against every malformed shape itself. The JSON schema is sourced from https://github.com/CycloneDX/specification/blob/master/schema/bom-1.4.schema.json. Currently, only specification version 1.4 is supported; a report declaring any other `specVersion` is rejected with a validation error rather than parsed.
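To make the "validate first, then parse under assumptions" split concrete, here is an added, self-contained Ruby illustration. It is not GitLab's code and does not use the full JSON schema or the `json_schemer` gem; it hand-checks a small subset of the bom-1.4 rules (`bomFormat`, `specVersion`, and the required `type`/`name` on each component, with the 1.4 component `type` enum) and collects every error instead of stopping at the first. The module name, the error-message wording and the two sample documents are constructed for the example.

```ruby
require 'json'

# Added example (not GitLab's own validator): checks a subset of the
# CycloneDX 1.4 schema before parsing. Field names and required-ness follow
# bom-1.4.schema.json; message wording and the module name are assumptions.
module SbomValidatorExample
  SUPPORTED_SPEC_VERSIONS = ['1.4'].freeze
  # Component "type" enum as defined in the 1.4 schema.
  COMPONENT_TYPES = %w[application framework library container
                       operating-system device firmware file].freeze

  # Constructed sample: a minimal valid 1.4 BOM with one library component.
  VALID_BOM = {
    bomFormat: 'CycloneDX', specVersion: '1.4', version: 1,
    components: [
      { type: 'library', name: 'rails', version: '7.0.3', purl: 'pkg:gem/rails@7.0.3' }
    ]
  }.to_json

  # Constructed sample: unsupported spec version, a component missing its
  # name, and a component with a type outside the enum.
  INVALID_BOM = {
    bomFormat: 'CycloneDX', specVersion: '1.3',
    components: [{ type: 'library' }, { type: 'plugin', name: 'x' }]
  }.to_json

  # Returns an array of error strings; an empty array means the document
  # passes and the parser may rely on the checked fields being present.
  def self.validate(json_text)
    begin
      doc = JSON.parse(json_text)
    rescue JSON::ParserError => e
      return ["invalid JSON: #{e.message}"]
    end
    return ['root must be a JSON object'] unless doc.is_a?(Hash)

    errors = []
    errors << 'bomFormat must be "CycloneDX"' unless doc['bomFormat'] == 'CycloneDX'
    unless SUPPORTED_SPEC_VERSIONS.include?(doc['specVersion'])
      errors << "specVersion must be one of #{SUPPORTED_SPEC_VERSIONS.join(', ')}"
    end

    # "components" is optional in the schema, but if present it must be an
    # array of component objects.
    if doc.key?('components')
      components = doc['components']
      if components.is_a?(Array)
        components.each_with_index do |component, i|
          errors.concat(validate_component(component, "components[#{i}]"))
        end
      else
        errors << 'components must be an array'
      end
    end

    errors
  end

  def self.validate_component(component, path)
    return ["#{path} must be an object"] unless component.is_a?(Hash)

    errors = []
    %w[type name].each do |field|
      value = component[field]
      errors << "#{path}.#{field} is required" unless value.is_a?(String) && !value.empty?
    end
    type = component['type']
    if type.is_a?(String) && !type.empty? && !COMPONENT_TYPES.include?(type)
      errors << "#{path}.type must be one of #{COMPONENT_TYPES.join(', ')}"
    end
    errors
  end
end

if __FILE__ == $PROGRAM_NAME
  puts 'valid BOM errors:   ' + SbomValidatorExample.validate(SbomValidatorExample::VALID_BOM).inspect
  puts 'invalid BOM errors: ' + SbomValidatorExample.validate(SbomValidatorExample::INVALID_BOM).inspect
  puts 'empty object errors:' + SbomValidatorExample.validate('{}').inspect
end
```

Collecting all errors rather than raising on the first one is what lets the local validation steps further down (`pp report.errors`) show every problem with a report in one run; the real MR gets the same behaviour from full schema validation rather than from hand-written checks.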
Data Dictionary
- Component: A software dependency, corresponding to the components field on the CycloneDX report.
- Source: GitLab-specific information about how the component was introduced to the project (for example via `Gemfile.lock` or a container image).
FAQ
- Does this need a changelog entry / feature flag?
- No. This code will remain unreachable until the SBoM ingestion service is implemented. The entrypoint for that service will be behind a feature flag. The changelog entry will be added when the feature flag is enabled and removed.
- Where can I find examples of what this report data looks like?
- Where can I read more about the CycloneDX specification?
- Refer to the specification documentation and other resources on cyclonedx.org.
- Where can I read more about how this data will be handled downstream?
How to set up and validate locally
Start the Rails console:

```shell
bundle exec rails c
```

Run this Ruby code:

```ruby
# An empty object is not a valid CycloneDX document, so the validator
# should populate report.errors instead of letting the parser run.
json_data = '{}'
report = Gitlab::Ci::Reports::Sbom::Report.new
Gitlab::Ci::Parsers::Sbom::Cyclonedx.new(json_data, report).parse!
pp report.errors
```
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.