Skip to content

Add CycloneDX report validation

What does this MR do and why?

Background

This MR is one of four parts for implementing a CI report parser for CycloneDX Software Bill of Materials (SBoM) documents.

  1. Add data structures for SBoM report parsing (!92813 - merged)
  2. Add CycloneDX report parser (!92821 - merged)
  3. Add CycloneDX report validation (!92823 - merged) 👈 You are here.
  4. Add parser for CycloneDX properties (!93219 - merged)

These reports will be be outputted by CI jobs and stored as job artifacts (!91510 (merged)). The reports will be parsed (implemented in this MR), and then passed to a report ingestion service which will store the report objects in the database. The resulting data can be used as a software inventory, and will eventually be used to determine if a given project or dependency is affected by a known vulnerability.

This MR

Adds a validator which ensures that the report is valid according to the specification before parsing data, allowing us to make assumptions during parsing. The JSON schema is sourced from https://github.com/CycloneDX/specification/blob/master/schema/bom-1.4.schema.json. Currently, only specification version 1.4 is supported.

Data Dictionary

  • Component: A software dependency, corresponding to the components field on the CycloneDX report.
  • Source: GitLab-specific information about how the component was introduced to the project (ex: via Gemfile.lock or a container image)

FAQ

How to set up and validate locally

Start the rails console:

bundle exec rails c

Run this Ruby code:

json_data = '{}'
report = Gitlab::Ci::Reports::Sbom::Report.new
Gitlab::Ci::Parsers::Sbom::Cyclonedx.new(json_data, report).parse!

pp report.errors

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Brian Williams

Merge request reports

Loading