
Add parser for CycloneDX properties

What does this MR do and why?

Background

This MR is one of four parts for implementing a CI report parser for CycloneDX Software Bill of Materials (SBoM) documents.

  1. Add data structures for SBoM report parsing (!92813 - merged)
  2. Add CycloneDX report parser (!92821 - merged)
  3. Add CycloneDX report validation (!92823 - merged)
  4. Add parser for CycloneDX properties (!93219 - merged) 👈 You are here.

These reports will be output by CI jobs and stored as job artifacts (!91510 (merged)). The reports will be parsed (implemented in this MR) and then passed to a report ingestion service, which will store the report objects in the database. The resulting data can be used as a software inventory and will eventually be used to determine whether a given project or dependency is affected by a known vulnerability.

This MR

Adds a class for parsing GitLab properties from the SBoM document. These properties are documented in the GitLab CycloneDX property taxonomy.

Properties are an array of key/value pairs which are currently used to store Source information (see Data Dictionary). Properties are located at .metadata.properties in the CycloneDX report. A single report may have only one source, and all components in the report are considered to originate from that source. A source may have multiple types, and the parsing of each source type is delegated to a separate parser (only the dependency_scanning type is implemented in this MR).

Data Dictionary

  • Component: A software dependency, corresponding to the components field on the CycloneDX report.
  • Source: GitLab-specific information about how the component was introduced to the project (ex: via Gemfile.lock or a container image)
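To make the property layout described above concrete, here is an added, self-contained example of a properties parser. It is written for this page and is not GitLab's own Gitlab::Ci::Parsers::Sbom code. It reads the flat name/value array at .metadata.properties, keeps only names under the gitlab: namespace, splits the remaining name on ':' into a nested hash, and delegates the single source to a per-type parser (only dependency_scanning, as in the MR). The specific property keys (schema_version, input_file:path, package_manager:name, and so on) and the module, method and constant names are assumptions for illustration, and the embedded report is constructed, not a real artifact.

```ruby
require 'json'

# Added example (not GitLab's implementation). Property names follow the
# "gitlab:<source_type>:<key>[:<subkey>]" shape of the GitLab taxonomy; the
# exact keys used here are assumptions for illustration.
module SbomPropertiesExample
  # Only properties under this prefix belong to GitLab; anything else is ignored.
  PREFIX = 'gitlab:'

  # Source-type parsers. Only dependency_scanning is handled, matching the
  # scope of the MR; any other source type is treated as unsupported.
  SOURCE_PARSERS = {
    'dependency_scanning' => lambda do |data|
      {
        type: :dependency_scanning,
        input_file: data.dig('input_file', 'path'),
        source_file: data.dig('source_file', 'path'),
        package_manager: data.dig('package_manager', 'name'),
        language: data.dig('language', 'name')
      }
    end
  }.freeze

  # Constructed sample report (not a real artifact). It includes a non-GitLab
  # property and a conflicting leaf/branch name to show how both are handled.
  SAMPLE = JSON.parse(<<~JSON)
    {
      "bomFormat": "CycloneDX",
      "specVersion": "1.4",
      "metadata": {
        "properties": [
          { "name": "gitlab:meta:schema_version", "value": "1" },
          { "name": "gitlab:dependency_scanning:category", "value": "development" },
          { "name": "gitlab:dependency_scanning:input_file:path", "value": "package-lock.json" },
          { "name": "gitlab:dependency_scanning:source_file:path", "value": "package.json" },
          { "name": "gitlab:dependency_scanning:package_manager:name", "value": "npm" },
          { "name": "gitlab:dependency_scanning:language:name", "value": "JavaScript" },
          { "name": "vendor:other", "value": "ignored" },
          { "name": "gitlab:dependency_scanning:input_file", "value": "conflicting-leaf" }
        ]
      },
      "components": []
    }
  JSON

  # Turn the flat [{ "name" => ..., "value" => ... }] array into a nested hash.
  # Non-GitLab names, non-string values and malformed names are skipped.
  def self.parse_properties(properties)
    result = {}
    Array(properties).each do |prop|
      name = prop['name']
      value = prop['value']
      next unless name.is_a?(String) && name.start_with?(PREFIX)
      next unless value.is_a?(String)

      path = name.delete_prefix(PREFIX).split(':')
      next if path.empty? || path.any?(&:empty?)

      insert(result, path, value)
    end
    result
  end

  # Insert value at a nested key path. Refuses to overwrite a branch with a
  # leaf (or a leaf with a branch) so a malformed report cannot clobber data
  # that was already parsed. Returns true on success, false if rejected.
  def self.insert(hash, path, value)
    *parents, leaf = path
    node = parents.reduce(hash) do |acc, key|
      child = acc[key]
      return false unless child.nil? || child.is_a?(Hash)
      acc[key] ||= {}
    end
    return false if node[leaf].is_a?(Hash)

    node[leaf] = value
    true
  end

  # Return the report's single source as a hash, or nil when the report has
  # no supported source type. Every top-level key other than "meta" is a
  # candidate source type; the first supported one is used.
  def self.source_for(document)
    props = parse_properties(document.dig('metadata', 'properties'))
    supported = (props.keys - ['meta']).select { |t| SOURCE_PARSERS.key?(t) }
    return nil if supported.empty?

    type = supported.first
    SOURCE_PARSERS[type].call(props[type])
  end
end

puts SbomPropertiesExample.source_for(SbomPropertiesExample::SAMPLE).inspect
```

The last property in the constructed sample reuses the name gitlab:dependency_scanning:input_file as a plain leaf after input_file:path has already been stored; insert rejects it rather than replacing the hash, which is the kind of check worth keeping when the properties come from an untrusted CI artifact.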

FAQ

How to set up and validate locally

Start the rails console:

bundle exec rails c

Run this Ruby code:

# Fetch the sample CycloneDX report produced by the npm dependency scanning job
# (open-uri is already loaded in the Rails console; outside it, require 'open-uri').
json_data = URI.open('https://gitlab.com/-/snippets/2378046/raw/main/gl-sbom-npm-npm.cdx.json').read

# Parse the JSON into a report object; the parser fills in components and source.
report = Gitlab::Ci::Reports::Sbom::Report.new
Gitlab::Ci::Parsers::Sbom::Cyclonedx.new(json_data, report).parse!

# Inspect the source parsed from .metadata.properties (the part added in this MR).
pp report.source

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Brian Williams
