Generate SBOM in SPDX format

Problem to solve

Today, GitLab customers can generate CycloneDX-formatted SBOMs with the Dependency Scanning and Container Scanning features. Many customers would prefer SPDX-formatted SBOMs instead. This issue tracks the work required to generate SPDX SBOMs from GitLab's Dependency Scanning and Container Scanning features.

Resources

  • The CycloneDX parser

Proposal

  • Update Dependency Scanning and Container Scanning to emit SBOMs in SPDX format.
  • Update the Rails monolith to parse SPDX SBOMs.

(Older) Draft Proposals

Proposal 1

Update GitLab report ingestion to add the SPDX SBOM format. The main piece of work is a parser for SPDX reports; see lib/gitlab/ci/parsers.rb and lib/gitlab/ci/parsers/sbom/cyclonedx.rb for how the CycloneDX parser is wired in.

Note: some other pieces (such as supporting the new artifact type) would also be required; they can be found by searching for cyclonedx in the code base.

Pros:

  • code lives in the Rails monolith: update cadence and features are under our control
  • extensible

Cons:

  • expensive
  • longer to complete

Proposal 2

Use a converter (e.g. https://github.com/CycloneDX/cyclonedx-cli) to convert SPDX reports into CycloneDX, which the Rails monolith can already parse. It remains to be verified whether the conversion is lossless for the data Dependency Scanning and Container Scanning rely on.

Pros:

  • fast to implement
  • can be done today by users themselves, before any GitLab change

Cons:

  • relies on a third-party tool rather than an extensible implementation of our own
  • changes and updates require approval from the third-party project

Intended users

  • Delaney (Development Team Lead)
  • Sasha (Software Developer)
  • Amy (Application Security Engineer)
  • Cameron (Compliance Manager)

Implementation plan

The plan divides into two discrete portions: SPDX SBOM generation and SPDX SBOM parsing.

  1. SPDX SBOM generation
    • Dependency Scanning analyzer.
      • Implement an SPDX generator, using sbom.go and convert.go as a guide.
      • Update sbomgen to take an optional argument which specifies the format (e.g. SBOM_FORMAT) and use the SPDX generator when the argument is spdx.
        • Document the argument in the Dependency Scanning docs.
      • Refactor the SBOM generation functionality into separate sbom, cyclonedx, and spdx packages.
      • Note: an SBOM for a monorepo containing multiple projects is currently represented by several concatenated SBOMs, so the generator must handle more than one document per job.
    • Container Scanning analyzer.
      • Update the environment to take an optional argument which specifies the format (as above).
        • Document the argument in the Container Scanning docs.
      • Update the trivy wrapper to pass --format spdx when the argument is set.
      • Update sbom_converter to be able to output SPDX, and do so when the argument is set.
  2. SPDX SBOM parsing
    • Add an SPDX parser to the GitLab Rails monolith.
      • Support the new SPDX artifact.
        • Update the artifact list with spdx as an SBOM format.
        • Add the spdx report type to the JobArtifact model.
    • Add SPDX parsing.
      • Add a parser similar to the CycloneDX one.
      • Add a class (similar to cyclonedx_properties) and a corresponding taxonomy (similar to the CycloneDX property taxonomy) to support GitLab properties.
      • Add SPDX report validation (see the CycloneDX validator).
      • Update the parser list to use the parser added above.
      • Update report generation.
        • Update the SBOM report to output the correct BOM_FORMAT.
        • Add spdx to config/entry/reports.
    • SPDX export
      • Update the JSON serializer to export SPDX.
    • Update job templates.
      • Update the Dependency Scanning template to add spdx (see cyclonedx).
      • Update the Container Scanning template to add spdx (see cyclonedx).
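The following is an added example, not code from this issue or from the GitLab code base, that sketches two things the plan above calls for: the validation and normalisation an SPDX parser in the Rails monolith would have to do (spdxVersion, SPDXID syntax, duplicate IDs, dangling relationships, purl extraction), and the data-loss check Proposal 2 requires before trusting a converter. The two sample documents, the SbomParseError class, the SUPPORTED_SPDX_VERSIONS list and the assumption that a converter sets each CycloneDX bom-ref to the component's purl are all constructed for the example.

```ruby
require 'json'

# Constructed sample documents (not real GitLab analyzer output): an SPDX 2.3 JSON
# report and the CycloneDX document a converter could produce from it. The converted
# document keeps the components but carries no "dependencies" section.
SPDX_JSON = <<~JSON
  {
    "spdxVersion": "SPDX-2.3",
    "dataLicense": "CC0-1.0",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "gl-sbom-gem",
    "documentNamespace": "https://example.invalid/spdx/1",
    "creationInfo": {"created": "2024-01-01T00:00:00Z", "creators": ["Tool: example-sbomgen"]},
    "packages": [
      {"SPDXID": "SPDXRef-Package-rails", "name": "rails", "versionInfo": "7.0.8",
       "downloadLocation": "NOASSERTION",
       "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                         "referenceLocator": "pkg:gem/rails@7.0.8"}]},
      {"SPDXID": "SPDXRef-Package-nokogiri", "name": "nokogiri", "versionInfo": "1.15.4",
       "downloadLocation": "NOASSERTION",
       "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                         "referenceLocator": "pkg:gem/nokogiri@1.15.4"}]}
    ],
    "relationships": [
      {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES", "relatedSpdxElement": "SPDXRef-Package-rails"},
      {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES", "relatedSpdxElement": "SPDXRef-Package-nokogiri"},
      {"spdxElementId": "SPDXRef-Package-rails", "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "SPDXRef-Package-nokogiri"}
    ]
  }
JSON

CYCLONEDX_JSON = <<~JSON
  {
    "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
    "components": [
      {"type": "library", "name": "rails", "version": "7.0.8", "purl": "pkg:gem/rails@7.0.8"},
      {"type": "library", "name": "nokogiri", "version": "1.15.4", "purl": "pkg:gem/nokogiri@1.15.4"}
    ]
  }
JSON

SUPPORTED_SPDX_VERSIONS = %w[SPDX-2.2 SPDX-2.3].freeze
SPDX_ID_PATTERN = /\ASPDXRef-[A-Za-z0-9.-]+\z/   # SPDX 2.x element identifier syntax

class SbomParseError < StandardError; end

# Reject a document before ingestion if the fields the parser relies on are missing or inconsistent.
def validate_spdx!(doc)
  version = doc['spdxVersion']
  raise SbomParseError, "unsupported spdxVersion #{version.inspect}" unless SUPPORTED_SPDX_VERSIONS.include?(version)
  raise SbomParseError, 'document SPDXID must be SPDXRef-DOCUMENT' unless doc['SPDXID'] == 'SPDXRef-DOCUMENT'
  raise SbomParseError, 'packages must be an array' unless doc['packages'].is_a?(Array)

  ids = doc['packages'].map { |p| p['SPDXID'] }
  bad = ids.find { |id| id !~ SPDX_ID_PATTERN }
  raise SbomParseError, "malformed SPDXID #{bad.inspect}" if bad
  dup = ids.find { |id| ids.count(id) > 1 }
  raise SbomParseError, "duplicate SPDXID #{dup}" if dup

  # Relationships may point at packages, the document itself, NOASSERTION/NONE, or external documents.
  known = ids + %w[SPDXRef-DOCUMENT NOASSERTION NONE]
  Array(doc['relationships']).each do |rel|
    [rel['spdxElementId'], rel['relatedSpdxElement']].each do |ref|
      next if known.include?(ref) || ref.to_s.start_with?('DocumentRef-')
      raise SbomParseError, "relationship references unknown element #{ref.inspect}"
    end
  end
  doc
end

def purl_of(package)
  ref = Array(package['externalRefs']).find { |r| r['referenceType'] == 'purl' }
  ref && ref['referenceLocator']
end

# Normalise an SPDX document to the components and dependency edges (as purl pairs) ingestion needs.
def parse_spdx(json)
  doc = validate_spdx!(JSON.parse(json))
  by_id = doc['packages'].to_h { |p| [p['SPDXID'], p] }
  components = doc['packages'].map { |p| { name: p['name'], version: p['versionInfo'], purl: purl_of(p) } }
  dependencies = Array(doc['relationships'])
    .select { |r| r['relationshipType'] == 'DEPENDS_ON' && by_id.key?(r['spdxElementId']) && by_id.key?(r['relatedSpdxElement']) }
    .map { |r| [purl_of(by_id[r['spdxElementId']]), purl_of(by_id[r['relatedSpdxElement']])] }
  { components: components, dependencies: dependencies }
end

# Same normalisation for CycloneDX. Assumption: the converter sets each component's bom-ref to its purl,
# so dependencies[].ref and dependsOn entries are comparable with the SPDX edges above.
def parse_cyclonedx(json)
  doc = JSON.parse(json)
  raise SbomParseError, 'bomFormat must be CycloneDX' unless doc['bomFormat'] == 'CycloneDX'
  components = Array(doc['components']).map { |c| { name: c['name'], version: c['version'], purl: c['purl'] } }
  dependencies = Array(doc['dependencies']).flat_map { |d| Array(d['dependsOn']).map { |on| [d['ref'], on] } }
  { components: components, dependencies: dependencies }
end

# Proposal 2 check: what the converted CycloneDX document lost relative to the SPDX source.
def conversion_loss(spdx_json, cyclonedx_json)
  from = parse_spdx(spdx_json)
  to = parse_cyclonedx(cyclonedx_json)
  { lost_components: from[:components] - to[:components],
    lost_dependencies: from[:dependencies] - to[:dependencies] }
end

puts JSON.pretty_generate(conversion_loss(SPDX_JSON, CYCLONEDX_JSON)) if __FILE__ == $PROGRAM_NAME
```

Run as a script it prints the loss report. For the constructed sample every component survives the conversion but the DEPENDS_ON edge does not, which is exactly the kind of loss Proposal 2 has to rule out before relying on a converter: check the real converter's output for a CycloneDX dependencies section, not just for matching component counts. In the monolith the normalised components would feed the same ingestion path the CycloneDX parser feeds today.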

Auto-Summary 🤖

Last updated by this job

  • TOPIC Cyclonedx taxonomy #424824 (comment 1637807511)
  • TOPIC Version of spdx protocol #424824 (comment 1637807563)

Edited Jul 29, 2025 by 🤖 GitLab Bot 🤖