Create SBOM report parser

Why are we doing this work

To ingest SBOM reports, we need to create a new CI report parser that handles CycloneDX SBOMs.

Relevant links

Implementation references:

Non-functional requirements

  • Documentation:
  • Feature flag:
  • Performance:
    • Report parsing does not negatively impact the performance of GitLab
    • Have someone from groupmemory review the implementation
  • Testing:

Implementation plan

  1. Add a CycloneDX JSON schema to app/validators/json_schemas/cyclonedx.json
  2. Create Gitlab::Ci::Reports::Sbom::Reports. Reports holds a pipeline, sources, and a set of reports
    1. reports will be a set of Gitlab::Ci::Reports::Sbom::Report objects
    2. Each report tracks components, warnings (schema validation), and errors (schema validation)
    3. The relationship between a component and a source needs to be preserved. We can do this by creating a Gitlab::Ci::Reports::Sbom::Component class, and having it store a reference to (not a copy of) the source as an attribute.
    4. Gitlab::Ci::Reports::Sbom::Source will be created. It will collect the dependency file and package manager data, and also calculate the source fingerprint.
  3. Create Gitlab::Ci::Parsers::Sbom::Cyclonedx. This will receive a set of job artifacts plus a Reports instance and:
    1. Parse the artifact JSON
    2. If the report is invalid, it will add warnings / errors and move to the next report
    3. Collect source information from the report and add the source object to Reports.
    4. Iterate through .components and add each one to Reports (with associated source data)
  4. In ee/app/models/ci/pipeline.rb, add an sbom_reports method that turns job artifacts into reports and returns them. See other implementations.

That's it. The Reports object will be retrieved via the pipeline method and passed to the ingestion service to be stored in the DB.
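A stand-alone sketch of steps 2 and 3 above, added here as an illustration rather than GitLab's own code: the Report, Source and Component classes are hypothetical stand-ins for the planned Gitlab::Ci::Reports::Sbom classes, the CycloneDX document is constructed, and both the fingerprint formula and the metadata.properties names used to carry source data are assumptions.

```ruby
require 'json'
require 'digest'
# Hypothetical stand-ins for the classes named in the plan (not GitLab's code).
Component = Struct.new(:name, :version, :purl, :source)
Report = Struct.new(:components, :warnings, :errors)
Source = Struct.new(:input_file, :package_manager) do
  # Assumption: the fingerprint is a digest over the fields that identify the source.
  def fingerprint
    Digest::SHA256.hexdigest("#{input_file}\0#{package_manager}")
  end
end

class CyclonedxParser
  REQUIRED_KEYS = %w[bomFormat specVersion components].freeze
  # Returns a Report; an invalid document yields errors and no components (step 3.2).
  def parse(raw_json)
    report = Report.new([], [], [])
    data = JSON.parse(raw_json)
    data = {} unless data.is_a?(Hash) # a top-level array or scalar is not a BOM
    missing = REQUIRED_KEYS - data.keys # stand-in for JSON-schema validation
    report.errors << "missing keys: #{missing.join(', ')}" unless missing.empty?
    report.errors << 'bomFormat is not CycloneDX' unless data['bomFormat'] == 'CycloneDX'
    return report unless report.errors.empty?
    source = extract_source(data)
    data['components'].each do |c|
      # Warn on entries we cannot use; the rest of the report is still ingested.
      next report.warnings << 'component without name skipped' if c['name'].to_s.empty?
      # Each component keeps a reference to the shared source object, not a copy (step 2.3).
      report.components << Component.new(c['name'], c['version'], c['purl'], source)
    end
    report
  rescue JSON::ParserError => e
    report.errors << "invalid JSON: #{e.message}"
    report
  end
  # Assumption: source data travels as metadata.properties entries (constructed names).
  def extract_source(data)
    props = Array(data.dig('metadata', 'properties')).to_h { |p| [p['name'], p['value']] }
    Source.new(props['input_file'], props['package_manager'])
  end
end
# Constructed sample CycloneDX document (not a real project's SBOM).
SAMPLE_BOM = JSON.generate(
  'bomFormat' => 'CycloneDX', 'specVersion' => '1.4',
  'metadata' => { 'properties' => [{ 'name' => 'input_file', 'value' => 'Gemfile.lock' },
                                    { 'name' => 'package_manager', 'value' => 'bundler' }] },
  'components' => [{ 'name' => 'rails', 'version' => '7.0.3', 'purl' => 'pkg:gem/rails@7.0.3' },
                   { 'version' => '1.0.0' }]
)
```

Running `CyclonedxParser.new.parse(SAMPLE_BOM)` yields one component referencing the bundler source, one warning for the nameless entry and no errors; a non-CycloneDX or malformed document comes back with errors and an empty component list.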

Verification steps

Edited by Brian Williams