Add sbom component database and models

Why are we doing this work

This issue provides the implementation plan for a backing store for dependencies (and other SBOM components) in the database, instead of leaving that data only inside the security report artifacts kept in object storage. Rows in normalised tables can be queried (for example, "which projects use this component version?") in ways that per-job JSON reports cannot.

Relevant links

This is part of a wider epic to add SBOM ingestion: &8024 (closed)

Non-functional requirements

  • Documentation: tbd
  • Feature flag: tbd
  • Performance: tbd
  • Testing:
    • Verify presence of DB attributes
    • Verify relationships
    • Verify not-null constraints

Implementation plan

(Diagram: SBOM_DB_phased_implementation)

Create these tables w/ schema migrations. The snippets below are corrected for Rails migration syntax: `t.varchar` is not a column method (`t.text` is used here), `t.references` takes the association name rather than the table name (so the column is `component_id`, not `sbom_components_id`, and `to_table:` points the foreign key at the right table), and each `t.references` line needs a trailing comma before its options. The two `type` columns are kept as specified, but note that ActiveRecord treats a column named `type` as the single-table-inheritance discriminator, so the corresponding models must override `inheritance_column` or the column should be renamed.

create_table :sbom_components do |t|
  # smallint enum; see the note above about the `type` column name
  t.integer :type, null: false, limit: 2
  t.text :name, null: false
end

create_table :sbom_component_versions do |t|
  t.references :component,
    index: true,
    null: false,
    foreign_key: { to_table: :sbom_components, on_delete: :cascade }

  t.text :version, null: false
end

create_table :sbom_component_sources do |t|
  t.references :project,
    index: true,
    null: false,
    foreign_key: { to_table: :projects, on_delete: :cascade }

  # smallint enum; see the note above about the `type` column name
  t.integer :type, null: false, limit: 2
  t.jsonb :source
end

# Join table: one row per (component version, project source) pair
create_table :sbom_project_component_versions do |t|
  t.references :component_version,
    index: true,
    null: false,
    foreign_key: { to_table: :sbom_component_versions, on_delete: :cascade }

  t.references :component_source,
    index: true,
    null: false,
    foreign_key: { to_table: :sbom_component_sources, on_delete: :cascade }
end

# Join table: which CI builds produced a given source
create_table :sbom_component_sources_ci_builds do |t|
  t.references :ci_build,
    index: true,
    null: false,
    foreign_key: { to_table: :ci_builds, on_delete: :cascade }

  t.references :component_source,
    index: true,
    null: false,
    foreign_key: { to_table: :sbom_component_sources, on_delete: :cascade }
end

Because every foreign key is `on_delete: :cascade`, deleting a project removes its sources and, through them, its occurrence rows, while the shared `sbom_components` and `sbom_component_versions` rows survive; deleting a component removes its versions and every occurrence that referenced them. Tests for these migrations should cover that cascade chain as well as the not-null constraints listed above.

Create these models:

  • Sbom::Component
  • Sbom::ComponentVersion
  • Sbom::Source
  • Sbom::Occurrence

Two caveats on naming: Rails would infer `sbom_sources` and `sbom_occurrences` from the last two model names rather than `sbom_component_sources` and `sbom_project_component_versions`, so those models need an explicit `self.table_name` (or the tables need renaming); and `Sbom::Component` and `Sbom::Source` must set `self.inheritance_column` to something other than `type`, because otherwise ActiveRecord treats that column as a single-table-inheritance discriminator and fails to load rows whose `type` value is an integer.
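To make the shape of the schema concrete, here is an added, pure-Ruby example (not code from this issue or from GitLab) that stands in for the four tables and models above with in-memory rows. It ingests a constructed CycloneDX report for two projects, de-duplicates components and versions across them, records one occurrence per (component version, source), answers the "which projects use this version?" query the backing store exists for, and reproduces the ON DELETE CASCADE behaviour of the migrations. Everything beyond the table and column names is an assumption: the uniqueness rules for components, versions and occurrences, the smallint enum values, the `build_demo_store` helper and the sample SBOM document are all made up for the illustration.

```ruby
require 'json'

# Constructed sample report: a minimal CycloneDX document as a CI job might emit.
# "rails" is listed twice on purpose to show de-duplication within one report.
SAMPLE_SBOM = <<~JSON
  {
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
      { "type": "library", "name": "rails",  "version": "7.0.4",   "purl": "pkg:gem/rails@7.0.4" },
      { "type": "library", "name": "lodash", "version": "4.17.21", "purl": "pkg:npm/lodash@4.17.21" },
      { "type": "library", "name": "rails",  "version": "7.0.4",   "purl": "pkg:gem/rails@7.0.4" }
    ]
  }
JSON

# Hypothetical in-memory stand-in for sbom_components, sbom_component_versions,
# sbom_component_sources and sbom_project_component_versions (the Occurrence rows).
# Uniqueness rules and enum values below are assumptions, not taken from the issue.
class SbomStore
  NotNullViolation = Class.new(StandardError)

  COMPONENT_TYPES = { 'library' => 1, 'application' => 2 }.freeze # assumed smallint enum
  SOURCE_TYPES    = { 'dependency_scanning' => 1 }.freeze         # assumed smallint enum

  Component        = Struct.new(:id, :type, :name)
  ComponentVersion = Struct.new(:id, :component_id, :version)
  Source           = Struct.new(:id, :project_id, :type, :source)
  Occurrence       = Struct.new(:id, :component_version_id, :source_id)

  attr_reader :components, :versions, :sources, :occurrences

  def initialize
    @components, @versions, @sources, @occurrences = [], [], [], []
    @seq = 0
  end

  # One ingestion run for one job's report: a Source row for the project, shared
  # Component/ComponentVersion rows, and one Occurrence per (version, source).
  def ingest(project_id:, source_type:, source_meta:, sbom_json:)
    not_null!(project_id: project_id, source_type: source_type)
    source = Source.new(next_id, project_id, SOURCE_TYPES.fetch(source_type), source_meta)
    @sources << source

    JSON.parse(sbom_json).fetch('components', []).each do |c|
      not_null!(type: c['type'], name: c['name'], version: c['version'])
      component = find_or_create_component(COMPONENT_TYPES.fetch(c['type']), c['name'])
      version   = find_or_create_version(component.id, c['version'])
      next if @occurrences.any? { |o| o.component_version_id == version.id && o.source_id == source.id }
      @occurrences << Occurrence.new(next_id, version.id, source.id)
    end
    source
  end

  # ON DELETE CASCADE from sbom_component_sources: its occurrences go with it,
  # but the shared component and version rows stay.
  def delete_source(source_id)
    @sources.reject! { |s| s.id == source_id }
    @occurrences.reject! { |o| o.source_id == source_id }
  end

  # Cascade from sbom_components through sbom_component_versions to occurrences.
  def delete_component(component_id)
    @components.reject! { |c| c.id == component_id }
    gone = @versions.select { |v| v.component_id == component_id }.map(&:id)
    @versions.reject! { |v| gone.include?(v.id) }
    @occurrences.reject! { |o| gone.include?(o.component_version_id) }
  end

  # The query the backing store exists for: which projects carry this exact version?
  def projects_using(name:, version:)
    comp_ids = @components.select { |c| c.name == name }.map(&:id)
    ver_ids  = @versions.select { |v| comp_ids.include?(v.component_id) && v.version == version }.map(&:id)
    src_ids  = @occurrences.select { |o| ver_ids.include?(o.component_version_id) }.map(&:source_id)
    @sources.select { |s| src_ids.include?(s.id) }.map(&:project_id).uniq.sort
  end

  private

  def find_or_create_component(type, name)
    @components.find { |c| c.type == type && c.name == name } ||
      (@components << Component.new(next_id, type, name)).last
  end

  def find_or_create_version(component_id, version)
    @versions.find { |v| v.component_id == component_id && v.version == version } ||
      (@versions << ComponentVersion.new(next_id, component_id, version)).last
  end

  # Mirrors the NOT NULL constraints in the migrations.
  def not_null!(**cols)
    missing = cols.select { |_, v| v.nil? }.keys
    raise NotNullViolation, "NULL in #{missing.join(', ')}" unless missing.empty?
  end

  def next_id
    @seq += 1
  end
end

# Two projects ingesting the same report end up sharing component and version rows.
def build_demo_store
  store = SbomStore.new
  [1, 2].each do |project_id|
    store.ingest(project_id: project_id, source_type: 'dependency_scanning',
                 source_meta: { 'pipeline_id' => 100 + project_id }, sbom_json: SAMPLE_SBOM)
  end
  store
end
```

After `build_demo_store` there are two component rows and two version rows (not six), two source rows and four occurrences; deleting one project's source drops that project's occurrences only, while deleting a component removes its versions and every occurrence that pointed at them. The same three checks are what the migration tests listed under "Testing" should assert against the real tables.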

Edited by Brian Williams