
CycloneDX SBOM export for a CI pipeline

Problem to Solve

Some customers currently rely on a license artifact that results from using the License Compliance template, which is being removed. Customers use this artifact to create custom automation jobs that are tied to a component's license. By providing an API that produces SBOM results from a given pipeline, customers may continue to automate other processes that relate to licenses detected in their pipeline. Because this is pipeline-specific, customers may also benefit from getting the SBOM for a specific git tag (release).

Given the current industry focus on Supply Chain Management and providing the Software Bill of Materials (SBOM), I would like to propose a feature request. Add the ability in GitLab to export the SBOMs uploaded by CI jobs as a single CycloneDX SBOM. Of note, CycloneDX has now joined the OWASP Foundation.

What does success look like, and how can we measure that?

Users can download a single SBOM that lists all the components detected in a CI pipeline. It includes both application-level dependencies and system-level dependencies.

Proposal

SBOM is exportable via API in CycloneDX format for a given pipeline.

The feature is behind a feature flag (FF). #333463 (comment 1420680496)

Not in Scope for Alpha release

  • Adding any additional data that is not currently available in our SBOMs today
  • license information for system dependencies (because #370013 (closed) is required)
  • local dependencies
  • accessible from the UI
  • Group-level SBOM export (see #407453 (closed))

Documentation

TBD: Document feature.

Provide scripts. See #333463 (comment 1496971495)

Document the new API endpoint as alpha (in case we need to tweak it before 17.0). See #333463 (comment 1420680496)

Implementation Plan

The implementation can be broken down into 4 separate MRs, as follows.

MR-1:

  • Add pipeline_id and export_type fields to dependency_list_exports table.
  • Create index [:pipeline_id]
  • Add a :pipeline_id exportable type. For this implementation, the pipeline_id exportable type can co-exist with the existing project exportable type.

MR-2:

  • Add MergeSbomService. MergeSbomService should be responsible for merging sbom reports.

MR-3:

  • Create a feature flag. Feature Flag issue: #421513 (closed)
  • Add create_sbom_export method to generate the merged sbom_export file.
  • This should also validate the schema of the merged sbom file. Gitlab::Ci::Parsers::Sbom::Validators::CyclonedxSchemaValidator should be used for validation.
  • Add the following API endpoint to generate and download the merged sbom report:
      • pipeline/:id/dependency_list_exports endpoint to generate the SbomExport in the background using sidekiq.
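As an added illustration of what the merge step in MR-2 and the validation step in MR-3 have to do, the following Ruby script (example code written for this page, not GitLab's MergeSbomService or its CyclonedxSchemaValidator) merges several CycloneDX JSON reports from one pipeline into a single document. Components are deduplicated by their purl (falling back to type/name/version), license entries from duplicate occurrences are unioned so none are dropped, and a small structural check stands in for the schema validation; the two input reports are constructed sample data (an application-level npm report and a system-level Debian package report) and the module name SbomMergeExample is an assumption.

```ruby
# Added example, not GitLab code: merge pipeline SBOM reports into one CycloneDX document.
require 'json'
require 'securerandom'

module SbomMergeExample
  SUPPORTED_SPEC_VERSIONS = %w[1.4 1.5].freeze

  # Constructed sample input: application-level dependencies (npm purls).
  APP_REPORT = {
    'bomFormat' => 'CycloneDX', 'specVersion' => '1.4', 'version' => 1,
    'components' => [
      { 'type' => 'library', 'name' => 'lodash', 'version' => '4.17.21',
        'purl' => 'pkg:npm/lodash@4.17.21',
        'licenses' => [{ 'license' => { 'id' => 'MIT' } }] },
      { 'type' => 'library', 'name' => 'express', 'version' => '4.18.2',
        'purl' => 'pkg:npm/express@4.18.2' }
    ]
  }.freeze

  # Constructed sample input: system-level dependencies from a container image,
  # plus a second copy of lodash (e.g. reported by a second job) to exercise dedup.
  OS_REPORT = {
    'bomFormat' => 'CycloneDX', 'specVersion' => '1.4', 'version' => 1,
    'components' => [
      { 'type' => 'library', 'name' => 'openssl', 'version' => '3.0.2-0ubuntu1.10',
        'purl' => 'pkg:deb/ubuntu/openssl@3.0.2-0ubuntu1.10' },
      { 'type' => 'library', 'name' => 'lodash', 'version' => '4.17.21',
        'purl' => 'pkg:npm/lodash@4.17.21' }
    ]
  }.freeze

  # Minimal structural check. Assumption: a real implementation validates the
  # document against the CycloneDX JSON schema instead of these hand-written rules.
  def self.validate!(doc)
    errors = []
    errors << 'bomFormat must be "CycloneDX"' unless doc['bomFormat'] == 'CycloneDX'
    unless SUPPORTED_SPEC_VERSIONS.include?(doc['specVersion'])
      errors << "unsupported specVersion #{doc['specVersion'].inspect}"
    end
    errors << 'components must be an array' unless doc['components'].is_a?(Array)
    Array(doc['components']).each_with_index do |c, i|
      errors << "components[#{i}] missing name" unless c.is_a?(Hash) && c['name'].is_a?(String)
    end
    raise ArgumentError, errors.join('; ') unless errors.empty?

    doc
  end

  # Identity of a component across reports: purl when present, else type/name/version.
  def self.component_key(component)
    component['purl'] || [component['type'], component['name'], component['version']].join('|')
  end

  # Validate every input, merge components by key, union license entries of duplicates,
  # and return a new validated CycloneDX document with a fresh serial number.
  def self.merge(reports)
    reports.each { |r| validate!(r) }
    components = {}
    reports.each do |report|
      report['components'].each do |component|
        key = component_key(component)
        if components.key?(key)
          existing = components[key]
          existing['licenses'] = ((existing['licenses'] || []) + (component['licenses'] || [])).uniq
        else
          components[key] = component.dup
        end
      end
    end
    merged = {
      'bomFormat' => 'CycloneDX',
      'specVersion' => '1.4',
      'serialNumber' => "urn:uuid:#{SecureRandom.uuid}",
      'version' => 1,
      'components' => components.values.sort_by { |c| component_key(c) }
    }
    validate!(merged)
  end
end

if $PROGRAM_NAME == __FILE__
  merged = SbomMergeExample.merge([SbomMergeExample::APP_REPORT, SbomMergeExample::OS_REPORT])
  puts JSON.pretty_generate(merged)
end
```

Running the script prints one document with three components (openssl, express, lodash); the duplicate lodash entry from the second report is collapsed into the first while keeping its MIT license entry, which is the behaviour the export needs so that a component listed by several jobs appears once with all of its license data.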

MR-4:

  • Document the feature along with the example script. Provide an example to upload the file as job artifacts. Note: The SBOM export would be uploaded as a normal artifact (like in the script you've shared), and not as a cyclonedx report, otherwise the backend would end up ingesting duplicate SBOM components.
  • Enable the feature flag.

MR-5:

  • Add e2e tests if required.

Verification steps

TBD

This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.

Edited by Aditya Tiwari