[Spike] - Determine how SBoM ingestion should behave in relation to child pipelines
Summary
SBoM ingestion is currently naive about child pipelines and multi-project pipelines. We should define what the behavior should be in this case. For example, what should we do if SBoM reports are uploaded in a child pipeline? Should these dependencies go on the parent project or the downstream project, or should we not support this?
Proposal
- When a pipeline has children, we wait until all pipelines are complete and then ingest all reports in the hierarchy for the same project.
- When marking vulnerabilities as resolved (or removing dependencies), we should combine all reports in the pipeline hierarchy.
- When displaying the pipeline that the reports / vulnerabilities were detected in (e.g. latest successful scan), we should reference the root pipeline.
- Downstream pipelines on different projects are simply ignored.
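As an added illustration of the proposed rules (not GitLab's code), the following models a pipeline hierarchy and decides which SBoM reports to ingest, when, and which pipeline to attribute them to; the status set treated as "complete" and the sample hierarchy are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Statuses treated as "pipeline finished" for this illustration (an assumption).
TERMINAL = {"success", "failed", "canceled", "skipped"}


@dataclass
class Pipeline:
    id: int
    project_id: int
    status: str
    reports: list[str] = field(default_factory=list)        # SBoM report files uploaded
    children: list[Pipeline] = field(default_factory=list)  # child or downstream pipelines


def same_project_hierarchy(root: Pipeline) -> list[Pipeline]:
    """Pipelines reachable from root that belong to root's project.
    A downstream pipeline on another project is ignored together with its subtree."""
    found, stack = [], [root]
    while stack:
        p = stack.pop()
        if p.project_id != root.project_id:
            continue
        found.append(p)
        stack.extend(p.children)
    return found


def hierarchy_complete(root: Pipeline) -> bool:
    """Ingestion waits until every pipeline in the same-project hierarchy has finished."""
    return all(p.status in TERMINAL for p in same_project_hierarchy(root))


def ingest_plan(root: Pipeline) -> dict | None:
    """Return the combined set of reports to ingest, or None if we must still wait.
    Every report is recorded against the root pipeline, whichever child uploaded it."""
    if not hierarchy_complete(root):
        return None
    reports = [(p.id, r) for p in same_project_hierarchy(root) for r in p.reports]
    return {"root_pipeline_id": root.id, "reports": reports}


def build_sample() -> Pipeline:
    # Constructed hierarchy: project 1 root with two children, one grandchild,
    # plus a downstream pipeline on project 2 that must be ignored.
    other = Pipeline(204, 2, "success", ["sbom-other-project.cdx.json"])
    grandchild = Pipeline(203, 1, "success", ["sbom-grandchild.cdx.json"])
    child_b = Pipeline(202, 1, "success", ["sbom-child-b.cdx.json"], [grandchild])
    child_a = Pipeline(201, 1, "success", ["sbom-child-a.cdx.json"])
    return Pipeline(200, 1, "success", ["sbom-root.cdx.json"], [child_a, child_b, other])
```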
Edited by Alana Bellucci