Create Dependency Scanning SBOM processor
Proposal
Once Continuous vulnerability scans (&7886) has been completed, the rails backend will be able to ingest SBOM reports into the database and use this data to populate the Vulnerability and Dependency List pages. However, there are many steps required before that happens.
The gemnasium* Dependency Scanning analyzers are currently capable of outputting gl-sbom-*.cdx.json SBOMs, so while we're waiting for Continuous vulnerability scans (&7886) to be completed, we can create a Dependency Scanning SBOM processor that's capable of reading these gl-sbom-*.cdx.json files and producing a gl-dependency-scanning-report.json file.
This has the following benefits:
- We start using the new SBOM jobs and the corresponding CI template.
- Users can leverage these new SBOM jobs to scan projects that won't be supported by Gemnasium (like Python 3.7).
- Users can opt-in, prepare for the new CI template with SBOM jobs, and adjust the CI config of their projects.
This will allow for a smoother transition once Continuous vulnerability scans (&7886) is ready, since we'll already have been making use of these gl-sbom-*.cdx.json SBOM files to generate the Dependency Scanning reports.
The purpose of this issue is to create a Dependency Scanning SBOM processor which will take a CycloneDX SBOM report as input and produce a gl-dependency-scanning-report.json report.
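As an added example (not code from this proposal or from the gemnasium analyzers), the Go program below sketches the conversion step described above: it reads a minimal CycloneDX JSON SBOM, keeps the library components whose purl maps to a known package manager, and writes the `dependency_files` part of a gl-dependency-scanning-report.json. The report schema version, the purl-to-package-manager table, the `Convert` function and the caller-supplied `inputFilePath` are all assumptions made for the example; `vulnerabilities` is left empty because matching components against an advisory database is outside this conversion and is what the rails backend is expected to do later.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"strings"
)

// cycloneDX is the subset of a CycloneDX JSON SBOM that the processor reads.
type cycloneDX struct {
	BOMFormat   string      `json:"bomFormat"`
	SpecVersion string      `json:"specVersion"`
	Components  []component `json:"components"`
}

type component struct {
	Type    string `json:"type"`
	Name    string `json:"name"`
	Version string `json:"version"`
	Purl    string `json:"purl"`
}

// dsReport is the subset of a Dependency Scanning report this processor can fill in.
// Vulnerabilities stay empty: matching against an advisory database is not done here.
type dsReport struct {
	Version         string           `json:"version"`
	Vulnerabilities []interface{}    `json:"vulnerabilities"`
	DependencyFiles []dependencyFile `json:"dependency_files"`
}

type dependencyFile struct {
	Path           string       `json:"path"`
	PackageManager string       `json:"package_manager"`
	Dependencies   []dependency `json:"dependencies"`
}

type dependency struct {
	Package pkg    `json:"package"`
	Version string `json:"version"`
}

type pkg struct {
	Name string `json:"name"`
}

// reportSchemaVersion is an assumed value; use the schema version the target instance accepts.
const reportSchemaVersion = "15.0.0"

// packageManagerFromPurl maps the purl type ("pkg:<type>/...") to a package manager name.
// The mapping table is an assumption made for this example.
func packageManagerFromPurl(purl string) (string, bool) {
	if !strings.HasPrefix(purl, "pkg:") {
		return "", false
	}
	parts := strings.SplitN(strings.TrimPrefix(purl, "pkg:"), "/", 2)
	if len(parts) != 2 {
		return "", false
	}
	managers := map[string]string{
		"pypi": "pip", "npm": "npm", "gem": "bundler", "maven": "maven",
		"golang": "go", "composer": "composer", "nuget": "nuget",
	}
	pm, ok := managers[parts[0]]
	return pm, ok
}

// Convert turns one CycloneDX SBOM into a Dependency Scanning report. inputFilePath is the
// dependency file the SBOM describes (e.g. requirements.txt); the caller supplies it here
// instead of the processor reading it from SBOM metadata.
func Convert(sbomJSON []byte, inputFilePath string) (*dsReport, error) {
	var bom cycloneDX
	if err := json.Unmarshal(sbomJSON, &bom); err != nil {
		return nil, fmt.Errorf("invalid SBOM JSON: %w", err)
	}
	if bom.BOMFormat != "CycloneDX" {
		return nil, fmt.Errorf("unsupported bomFormat %q", bom.BOMFormat)
	}
	// Group by package manager so a mixed SBOM yields one dependency file per manager.
	files := map[string]*dependencyFile{}
	var order []string
	for _, c := range bom.Components {
		pm, ok := packageManagerFromPurl(c.Purl)
		if c.Type != "library" || !ok || c.Name == "" || c.Version == "" {
			continue // drop what the report format cannot represent rather than guess
		}
		df, seen := files[pm]
		if !seen {
			df = &dependencyFile{Path: inputFilePath, PackageManager: pm, Dependencies: []dependency{}}
			files[pm] = df
			order = append(order, pm)
		}
		df.Dependencies = append(df.Dependencies, dependency{Package: pkg{Name: c.Name}, Version: c.Version})
	}
	report := &dsReport{Version: reportSchemaVersion, Vulnerabilities: []interface{}{}, DependencyFiles: []dependencyFile{}}
	for _, pm := range order {
		report.DependencyFiles = append(report.DependencyFiles, *files[pm])
	}
	return report, nil
}

// sampleSBOM is a constructed CycloneDX 1.4 document, not the output of any real analyzer.
const sampleSBOM = `{
  "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
  "components": [
    {"type": "library", "name": "requests", "version": "2.25.1", "purl": "pkg:pypi/requests@2.25.1"},
    {"type": "library", "name": "urllib3", "version": "1.26.5", "purl": "pkg:pypi/urllib3@1.26.5"},
    {"type": "library", "name": "odd", "version": "0.1", "purl": "pkg:example/odd@0.1"},
    {"type": "library", "name": "no-purl", "version": "1.0"}
  ]
}`

func main() {
	report, err := Convert([]byte(sampleSBOM), "requirements.txt")
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	enc := json.NewEncoder(os.Stdout)
	enc.SetIndent("", "  ")
	enc.Encode(report)
}
```

Running it prints a report with a single `pip` dependency file holding two entries; the component with an unknown purl type and the one without a purl are dropped instead of guessed, so the report never claims more than the SBOM supports. A document whose `bomFormat` is not CycloneDX is rejected outright, which is the check worth keeping once the processor reads artifacts produced by arbitrary jobs.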
We need to wait until Create artifact report type for SBOM files (#360766 - closed) has been completed before we can start this.
Also, we need to estimate how long this will take to implement, since it is ultimately throwaway work: the rails backend will take over this processing once Continuous vulnerability scans (&7886) has been completed, so ideally this should be a small amount of work.
Further details
Please see this comment for more details:
At some point we have two CI templates (stable and latest), or a single CI template that has two behaviors depending on a CI variable:
- Legacy gemnasium* scanning jobs generate the SBOMs and the DS reports, like today.
- New jobs generate the SBOMs, and one or multiple scanning jobs consume these SBOMs to generate DS reports.
EDIT: Either way, we'll need extra integration tests for the new CI template, or the existing CI template when the new behavior is enabled. See #364307 (comment 972153562)
For the latter, I see two options:
- Reuse the existing gemnasium* jobs to parse SBOMs instead of processing dependency files.
- Introduce a new Dependency Scanning job that parses all the SBOMs and generates a single DS report.
The latter seems easier, but we should explore the pros and cons.