Add parser for CycloneDX properties

What does this MR do and why?

Background

• Issue: #366194 (closed)
• Epic: &8024 (closed)

This MR is one of four parts for implementing a CI report parser for CycloneDX Software Bill of Materials (SBoM) documents.

1. Add data structures for SBoM report parsing (!92813 - merged)
2. Add CycloneDX report parser (!92821 - merged)
3. Add CycloneDX report validation (!92823 - merged)
4. Add parser for CycloneDX properties (!93219 - merged) 👈 You are here.

These reports will be be outputted by CI jobs and stored as job artifacts (!91510 (merged)). The reports will be parsed (implemented in this MR), and then passed to a report ingestion service which will store the report objects in the database. The resulting data can be used as a software inventory, and will eventually be used to determine if a given project or dependency is affected by a known vulnerability.

This MR

Adds a class for parsing GitLab properties from the SBoM document. These properties are documented on the GitLab CycloneDX property taxonomy.

Properties are an array of key/value pairs which are currently being used to store Source information (see Data Dictionary). Properties are located at .metadata.properties in the CycloneDX report. A single report may have only one source, and all components in the report are considered to originate from that source. A source may have multiple types, and the parsing of each source type is delegated to a separate parser (only the dependency_scanning type is implemented in this MR).

Data Dictionary

• Component: A software dependency, corresponding to the components field on the CycloneDX report.
• Source: GitLab-specific information about how the component was introduced to the project (ex: via Gemfile.lock or a container image)

FAQ

• Does this need a changelog entry / feature flag?
  • No. This code will remain unreachable until the SBoM ingestion service is implemented. The entrypoint for that service will be behind a feature flag. The changelog entry will be added when the feature flag is enabled and removed.
• Where can I find examples of what this report data looks like?
  • https://gitlab.com/-/snippets/2378046
• Where can I read more about the about the CycloneDX specification?
  • Refer to the specification documentation and other resources on cyclonedx.org.
• Where can I read more about how this data will be handled downstream?
  • SBoM ingestion service
  • database design spike

How to set up and validate locally

Start the rails console:

bundle exec rails c

Run this Ruby code:

json_data = URI.open('https://gitlab.com/-/snippets/2378046/raw/main/gl-sbom-npm-npm.cdx.json').read
report = Gitlab::Ci::Reports::Sbom::Report.new
Gitlab::Ci::Parsers::Sbom::Cyclonedx.new(json_data, report).parse!

pp report.source

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

• I have evaluated the MR acceptance checklist for this MR.