Use CS_DEFAULT_BRANCH_IMAGE for sbom location

What does this MR do?

Pick up the CS_DEFAULT_BRANCH_IMAGE environment variable and use it as the image in the sbom metadata.

What are the relevant issue numbers?

Use the `CS_DEFAULT_BRANCH_IMAGE` value as the ... (gitlab-org/gitlab#468773 - closed) • Igor Frenkel • 17.5 • On track

Verification

Set variables.

export CS_IMAGE='registry.gitlab.com/gitlab-org/security-products/tests/webgoat/develop:1ea6d6bb5e1e770dae269d5f8866cdefbeb5da70'
export CS_DEFAULT_BRANCH_IMAGE='foo/bar:baz'

Using image current analyzer image:

docker run -it --rm -v "$(pwd):/app" -w "/app" -e CS_IMAGE="$CS_IMAGE" -e CS_DEFAULT_BRANCH_IMAGE="$CS_DEFAULT_BRANCH_IMAGE" registry.gitlab.com/gitlab-org/security-products/analyzers/container-scanning:7

jq -c '.metadata|[.properties[1].value, .properties[2].value]' gl-sbom-report.cdx.json

# ["registry.gitlab.com/gitlab-org/security-products/tests/webgoat/develop","1ea6d6bb5e1e770dae269d5f8866cdefbeb5da70"]

Using analyzer image from this MR:

docker run -it --rm -v "$(pwd):/app" -w "/app" -e CS_IMAGE="$CS_IMAGE" -e CS_DEFAULT_BRANCH_IMAGE="$CS_DEFAULT_BRANCH_IMAGE" registry.gitlab.com/gitlab-org/security-products/analyzers/container-scanning/tmp/trivy@sha256:64a8c6fc71718496ce638e83bc479c5a0b7a79f0a8dea96a8631147e38c082ff

jq -c '.metadata|[.properties[1].value, .properties[2].value]' gl-sbom-report.cdx.json                                                                     

#["foo/bar","baz"]

Does this MR meet the acceptance criteria?

• Changelog entry added
• Documentation created/updated for GitLab EE, if necessary
• Documentation created/updated for this project, if necessary
• Documentation reviewed by technical writer or follow-up review issue created
• Tests added for this feature/bug
• Job definition updated, if necessary
  • Auto-DevOps template
  • Job definition example
  • CI Templates
• Conforms to the code review guidelines
• Conforms to the Go guidelines
• Security reports checked/validated by reviewer