Create an sbom component list finder
Why are we doing this work
To supply a dependency list from the sbom_components table, a service is needed to pull this data from the database.
This is an alternative to the current Security::DependencyListService.
Non-functional requirements
- Documentation: -
- Feature flag: -
- Performance: -
- Testing:
Implementation plan
Create service Security::SbomComponentListService.
- query sbom components database
  - instantiated on pipeline and component type
  - return list of sbom_component_versions
  - accept sort parameters as in Security::DependencyListService
- join components to vulnerabilities
- filter by packager params
- join component result to license compliance report
  - ensure component result takes an add_dependency call for licenses
- returned result
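The plan above, modelled as an added stand-alone Ruby illustration (this is not GitLab code): the service is instantiated on a pipeline and component type, filters by packager, joins each component version to its vulnerabilities and licence entry, and sorts the result. The record structs, the `demo` helper, the sample data and the `(name, version)` join key are assumptions, since the issue leaves the real keys unspecified.

```ruby
# Added illustration, not GitLab code: an in-memory model of the planned
# Security::SbomComponentListService. Record shapes and (name, version) join key are assumed.
SbomComponentVersion = Struct.new(:pipeline_id, :component_type, :name, :version, :packager, keyword_init: true)
Vulnerability = Struct.new(:id, :name, :version, :severity, keyword_init: true)
LicenseEntry = Struct.new(:name, :version, :licenses, keyword_init: true)
class SbomComponentListService
  SORT_FIELDS = %i[name packager severity].freeze
  SEVERITY_RANK = { 'critical' => 4, 'high' => 3, 'medium' => 2, 'low' => 1 }.freeze
  # Instantiated on a pipeline and a component type, as the plan says.
  def initialize(pipeline_id:, component_type:, versions:, vulnerabilities:, licenses:)
    @pipeline_id, @component_type = pipeline_id, component_type
    @versions, @vulnerabilities, @licenses = versions, vulnerabilities, licenses
  end
  # params follow DependencyListService-style options: :packager filter, :sort_by, :sort.
  def execute(params = {})
    rows = @versions.select { |v| v.pipeline_id == @pipeline_id && v.component_type == @component_type }
    rows = rows.select { |v| v.packager == params[:packager] } if params[:packager]
    sort(rows.map { |v| build_dependency(v) }, params)
  end
  # Join one component version to its vulnerabilities and its licence report entry.
  def build_dependency(v)
    key = [v.name, v.version]
    vulns = @vulnerabilities.select { |x| [x.name, x.version] == key }
    lic = @licenses.find { |l| [l.name, l.version] == key }
    { name: v.name, version: v.version, packager: v.packager,
      vulnerabilities: vulns.map { |x| { id: x.id, severity: x.severity } }, licenses: lic ? lic.licenses : [] }
  end
  # Sort by name (default), packager, or highest vulnerability severity; name breaks ties.
  def sort(deps, params)
    field = SORT_FIELDS.include?(params[:sort_by]) ? params[:sort_by] : :name
    sorted = deps.sort_by do |d|
      primary = field == :severity ? (d[:vulnerabilities].map { |x| SEVERITY_RANK.fetch(x[:severity], 0) }.max || 0) : d[field]
      [primary, d[:name]]
    end
    params[:sort] == :desc ? sorted.reverse : sorted
  end
end

# Constructed sample data so the model runs stand-alone (pipeline 2 must be filtered out).
SAMPLE_VERSIONS = [
  SbomComponentVersion.new(pipeline_id: 1, component_type: 'library', name: 'lodash', version: '4.17.20', packager: 'npm'),
  SbomComponentVersion.new(pipeline_id: 1, component_type: 'library', name: 'rails', version: '7.0.0', packager: 'bundler'),
  SbomComponentVersion.new(pipeline_id: 2, component_type: 'library', name: 'left-pad', version: '1.3.0', packager: 'npm')
]
SAMPLE_VULNS = [Vulnerability.new(id: 101, name: 'lodash', version: '4.17.20', severity: 'high')]
SAMPLE_LICENSES = [LicenseEntry.new(name: 'lodash', version: '4.17.20', licenses: ['MIT'])]
# Build the service for pipeline 1 / libraries and run it with the given params.
def demo(params = {})
  SbomComponentListService.new(pipeline_id: 1, component_type: 'library', versions: SAMPLE_VERSIONS,
                               vulnerabilities: SAMPLE_VULNS, licenses: SAMPLE_LICENSES).execute(params)
end
```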
Get vulns for sbom components
The key used by the vuln finder against the security reports is:
The sbom_component_versions query will evolve to add a join on a compare key with sbom_sources.
Get licenses for sbom components
The key used in security reports to match licenses is:
Edited by Igor Frenkel