Rename CycloneDX files in gemnasium analyzers to follow specification
Proposal
Based on the File naming discussion here, we decided that in order to adhere to the Recognized file patterns in the CycloneDX specification, we should update the naming convention for CycloneDX files produced by the gemnasium analyzers and switch from cyclonedx-<package-type>-<package-manager>.json to gl-sbom-<package-type>-<package-manager>.cdx.json. The purpose of this issue is to implement that change.
Implementation plan
-
Update gemnasium -
Update the setOutputFilePath function to use gl-sbom-<package-type>-<package-manager>.cdx.json:- fileName := fmt.Sprintf("cyclonedx-%s-%s.json", sbom.PackageType, sbom.PackageManager) + fileName := fmt.Sprintf("gl-sbom-%s-%s.cdx.json", sbom.PackageType, sbom.PackageManager) -
Update the names of all the cyclonedx-*.jsonfiles in the qa/expect dir togl-sbom-<package-type>-<package-manager>.cdx.json. -
Update the components[].files.pathreferences in the followingsbom-manifest.jsonfiles to use the newgl-sbom-*.cdx.jsonfilename: -
Update all the cyclonedx-*.jsonreferences in the image specs ingemnasiumto usegl-sbom-<package-type>-<package-manager>.cdx.json: -
Update the reference to cyclonedx-*.jsonin the image test job to usegl-sbom-<package-type>-<package-manager>.cdx.json:artifacts: when: always paths: - tmp/qa-*/fixtures/**/gl-dependency-scanning-report.json - - tmp/qa-*/fixtures/**/cyclonedx-*.json + - tmp/qa-*/fixtures/**/gl-sbom-*.cdx.json - tmp/qa-*/fixtures/**/sbom-manifest.json -
Rename the EXPECTED_CYCLONEDX_ARTIFACTStogl-sbom-*.cdx.jsonin the following QA integration tests:
Implemented in the following MR: Rename cyclonedx files (gitlab-org/security-products/analyzers/gemnasium!346 - merged)
-
-
Update all the cyclonedx-*.jsonreferences to usegl-sbom-<package-type>-<package-manager>.cdx.jsonin the integration-test project:- spec/fixtures/multi-project/subdirs/sbom-manifest.json
- spec/expect/multi-project/subdirs/sbom-manifest.json
- README.md
Implemented in the following MR: Rename cyclonedx files in docs and examples (gitlab-org/security-products/analyzers/integration-test!30 - merged)
-
Update the Dependency-Scanning.gitlab-ci.yml template and the Dependency Scanning docs -
Update the Dependency-Scanning.gitlab-ci.yml template to use gl-sbom-*.cdx.json:artifacts: paths: - - "**/cyclonedx-*.json" + - "**/gl-sbom-*.cdx.json" -
Update the Dependency Scanning docs and replace references to cyclonedx-*.jsonwithgl-sbom-<package-type>-<package-manager>.cdx.json.
Implemented in the following MR: Rename cyclonedx artifact in DS template (!90870 - merged)
-
Risks
This is a breaking change, however, the CycloneDX Software Bill of Materials is a beta feature and "the reports are subject to change during the beta period", so we should be free to change this without worrying about impacting anyone.