
Gemnasium not aligned with GitLab CycloneDX Property Taxonomy

Summary

Dependency Scanning (Gemnasium) generates CycloneDX SBOMs whose metadata property names don't adhere to the GitLab CycloneDX Property Taxonomy. The taxonomy defines the following metadata properties:

| Property | Description | Example values | Property of |
|---|---|---|---|
| gitlab:dependency_scanning:input_file:path | The path, relative to the root of the repository, to the file analyzed to produce the dependency. Usually the lock file. | package-lock.json, Gemfile.lock, go.sum | metadata, component |
| gitlab:dependency_scanning:package_manager:name | The name of the package manager associated with the dependency. | npm, bundler, go | metadata, component |
| gitlab:meta:schema_version | Used by GitLab to determine how to parse the properties in a report. Must be 1. | 1 | metadata |

The property names Gemnasium generates don't match these. See gl-sbom-npm-yarn.cdx.json for instance.

These properties are already used during SBOM ingestion. See https://gitlab.com/gitlab-org/gitlab/-/blob/de60165d4ea43d2d65fbfed473cef9c4907b721b/lib/gitlab/ci/parsers/sbom/cyclonedx_properties.rb#L23

Steps to reproduce

  • Include the Dependency Scanning (DS) CI template.
  • Trigger a pipeline.
  • Open the CycloneDX SBOMs created by the DS jobs.
  • Check JSON path .metadata.properties[].name.

Example Project

https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium/-/blob/fa997bd76720541060da45a80bbec8a7dd826a1d/qa/expect/js-yarn-v2/default/gl-sbom-npm-yarn.cdx.json

What is the current bug behavior?

metadata has the following properties:

gitlab:dependency_scanning:input_file
gitlab:dependency_scanning:package_manager

What is the expected correct behavior?

metadata should instead have the following properties:

gitlab:dependency_scanning:input_file:path
gitlab:dependency_scanning:package_manager:name

Relevant logs and/or screenshots

Excerpt of https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium/-/blob/fa997bd76720541060da45a80bbec8a7dd826a1d/qa/expect/js-yarn-v2/default/gl-sbom-npm-yarn.cdx.json

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "serialNumber": "urn:uuid:e1f33e25-ca1b-4c17-8d2d-705f13471e3d",
  "version": 1,
  "metadata": {
    "properties": [
      {
        "name": "gitlab:dependency_scanning:input_file",
        "value": "yarn.lock"
      },
      {
        "name": "gitlab:dependency_scanning:package_manager",
        "value": "yarn"
      }
    ]
  }
}
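The following is an added example, not code from Gemnasium or GitLab: a small checker that applies the reproduction steps above to an SBOM (the equivalent of reading .metadata.properties[].name), reports names that fall outside the taxonomy table in this issue, and shows the renamed metadata Gemnasium is expected to emit. The mapping from the current names to the taxonomy names and the constructed sample (the excerpt above, embedded inline) are this example's own; the "missing schema_version" finding follows the table's "Must be 1" and is an assumption about how strictly ingestion treats it.

```python
"""Added example: check a CycloneDX SBOM's metadata.properties against the
GitLab CycloneDX Property Taxonomy names quoted in this issue, and show the
renamed properties Gemnasium is expected to emit. Not part of Gemnasium."""
import copy
import json
import sys

# Metadata property names taken from the taxonomy table in this issue.
TAXONOMY_METADATA_NAMES = {
    "gitlab:dependency_scanning:input_file:path",
    "gitlab:dependency_scanning:package_manager:name",
    "gitlab:meta:schema_version",
}

# Names Gemnasium currently emits, mapped to the taxonomy name the issue expects.
EXPECTED_RENAMES = {
    "gitlab:dependency_scanning:input_file": "gitlab:dependency_scanning:input_file:path",
    "gitlab:dependency_scanning:package_manager": "gitlab:dependency_scanning:package_manager:name",
}

# Constructed input: the gl-sbom-npm-yarn.cdx.json excerpt quoted in this issue.
GEMNASIUM_EXCERPT = json.loads("""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "serialNumber": "urn:uuid:e1f33e25-ca1b-4c17-8d2d-705f13471e3d",
  "version": 1,
  "metadata": {
    "properties": [
      {"name": "gitlab:dependency_scanning:input_file", "value": "yarn.lock"},
      {"name": "gitlab:dependency_scanning:package_manager", "value": "yarn"}
    ]
  }
}
""")


def metadata_property_names(sbom):
    """Equivalent of the JSON path .metadata.properties[].name from the reproduction steps."""
    return [p["name"] for p in sbom.get("metadata", {}).get("properties", []) if "name" in p]


def check_metadata_properties(sbom):
    """Return a list of findings; an empty list means the metadata properties conform."""
    findings = []
    values = {p.get("name"): p.get("value") for p in sbom.get("metadata", {}).get("properties", [])}
    for name in values:
        if name in TAXONOMY_METADATA_NAMES:
            continue
        if name in EXPECTED_RENAMES:
            findings.append(f"{name}: not in taxonomy, expected {EXPECTED_RENAMES[name]}")
        elif isinstance(name, str) and name.startswith("gitlab:"):
            findings.append(f"{name}: unknown gitlab: property")
    # The table says schema_version must be 1; treating its absence as a finding is this example's assumption.
    schema_version = values.get("gitlab:meta:schema_version")
    if schema_version is None:
        findings.append("gitlab:meta:schema_version: missing (taxonomy says it must be 1)")
    elif str(schema_version) != "1":
        findings.append(f"gitlab:meta:schema_version: {schema_version!r}, must be 1")
    return findings


def rename_legacy_properties(sbom):
    """Return a copy of the SBOM with the current Gemnasium names replaced by the taxonomy names."""
    fixed = copy.deepcopy(sbom)
    for prop in fixed.get("metadata", {}).get("properties", []):
        prop["name"] = EXPECTED_RENAMES.get(prop.get("name"), prop.get("name"))
    return fixed


if __name__ == "__main__":
    # Usage: python check_sbom_properties.py [gl-sbom-*.cdx.json]; defaults to the embedded excerpt.
    sbom = GEMNASIUM_EXCERPT
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            sbom = json.load(fh)
    for finding in check_metadata_properties(sbom):
        print("FAIL:", finding)
    print(json.dumps(rename_legacy_properties(sbom)["metadata"], indent=2))
```

Run against the excerpt, the checker reports both current names as outside the taxonomy (with the expected replacement for each) and notes the absent schema_version; the renamed copy keeps the original values (yarn.lock, yarn) under the taxonomy names.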

Possible fixes

Update Gemnasium to generate the expected properties for CycloneDX SBOM metadata.

Implementation plan

/cc @gonzoyumo @bwill @adamcohen

Edited by Adam Cohen