Include user-managed libraries in the Cyclone DX SBOM output file
Description
Currently, GitLab dependency scan is able to detect third-party library components in a project.
The detected components, together with the vulnerabilities associated with them, are shown under ‘Security & Compliance -> Dependency list’ of the project.
The dependency scan also outputs a Software Bill of Materials (SBOM) in Cyclone DX format.
However, user-managed libraries (e.g., loose JavaScript files such as jquery-validation 1.17.0) are not captured in the Cyclone DX SBOM output file. Instead, they are only shown in the ‘Security & Compliance -> Dependency list’ of the project.
Proposal
Have the Cyclone DX SBOM output also include user-managed libraries (e.g., loose JavaScript files such as jquery-validation 1.17.0), as they are also third-party components.
SBOMs are essential artifacts used to monitor supply chain security. There is a need to generate accurate SBOMs for a GitLab project that include user-managed libraries.
- Impact on the customer of not having this: It will be challenging to rely on GitLab's SBOM output
- The current solution for this problem is to use other dependency scanners