
Store Container Scanning image and operating system in sbom_sources table

Proposal

When parsing Dependency Scanning SBOM files, we extract additional details from the metadata.properties section using the Gitlab::Ci::Parsers::Sbom::Source::DependencyScanning class.

For example, we extract the gitlab:dependency_scanning:input_file:path and gitlab:dependency_scanning:package_manager:name values from the following JSON:

```json
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "serialNumber": "urn:uuid:8d0184df-02ba-4e44-9fe0-981669bc13e4",
  "version": 1,
  "metadata": {
    "timestamp": "2023-08-10T15:10:20Z",
    "properties": [
      {
        "name": "gitlab:dependency_scanning:input_file:path",
        "value": "conan.lock"
      },
      {
        "name": "gitlab:dependency_scanning:package_manager:name",
        "value": "conan"
      }
    ]
  }
}
```

These values are then stored as a nested JSON object in the `source` column of the `sbom_sources` table:

```text
 id  |          created_at           |          updated_at           | source_type |                                             source
-----+-------------------------------+-------------------------------+-------------+-------------------------------------------------------------------------------------------------
 292 | 2023-08-04 19:11:45.952074+00 | 2023-08-07 20:57:22.575588+00 |           0 | {"input_file": {"path": "conan.lock"}, "package_manager": {"name": "conan"}}
```

For Container Scanning SBOM files, we need to decide how to store the equivalent additional information, such as the image and operating_system that were used to generate the SBOM.

Implementation Plan

Note: Add taxonomy for Container Scanning namespace (#426355 - closed) and Output GitLab metadata properties in Container ... (#426356 - closed) must be completed before this issue.

1. Add a new `Gitlab::Ci::Parsers::Sbom::Source::ContainerScanning` class, similar to `Gitlab::Ci::Parsers::Sbom::Source::DependencyScanning`.

   This class is responsible for storing the `metadata.properties` added by Output GitLab metadata properties in Container ... (#426356 - closed) to the `sbom_sources` table:

   - `gitlab:container_scanning:image:name`
   - `gitlab:container_scanning:image:tag`
   - `gitlab:container_scanning:operating_system:name`
   - `gitlab:container_scanning:operating_system:version`

2. Update the `sbom_source.json` schema to accept the new `gitlab:container_scanning` properties added in step 1 above.

3. Add unit tests to ensure the above details are stored in the `sbom_sources` table.
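The following is an added example, not GitLab's own parser code, showing the extraction described for Dependency Scanning above and the Container Scanning variant proposed in steps 1 and 3. The `SbomSourceExtractor` class, its allow-list of property names, and both sample SBOM documents are constructed for this illustration; the Container Scanning values (image name, tag, OS name and version) are made up. Only properties on the allow-list for the requested source type are copied into the nested hash, so an unexpected `gitlab:container_scanning:*` property in an untrusted report is dropped rather than written to the database.

```ruby
require 'json'

# Constructed sample: the Dependency Scanning metadata shown in the issue.
DEPENDENCY_SCANNING_SBOM = <<~JSON
  {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "metadata": {
      "properties": [
        { "name": "gitlab:dependency_scanning:input_file:path", "value": "conan.lock" },
        { "name": "gitlab:dependency_scanning:package_manager:name", "value": "conan" }
      ]
    }
  }
JSON

# Constructed sample: a Container Scanning report with the four proposed
# properties plus two that the extractor must ignore (values are made up).
CONTAINER_SCANNING_SBOM = <<~JSON
  {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "metadata": {
      "properties": [
        { "name": "gitlab:container_scanning:image:name", "value": "registry.example.com/group/app" },
        { "name": "gitlab:container_scanning:image:tag", "value": "v1.2.3" },
        { "name": "gitlab:container_scanning:operating_system:name", "value": "alpine" },
        { "name": "gitlab:container_scanning:operating_system:version", "value": "3.18" },
        { "name": "gitlab:meta:schema_version", "value": "1" },
        { "name": "gitlab:container_scanning:unknown:field", "value": "ignored" }
      ]
    }
  }
JSON

# Hypothetical extractor (not the GitLab class) that turns
# "gitlab:<source_type>:<group>:<field>" entries from metadata.properties
# into the nested hash shape stored in the sbom_sources.source column.
class SbomSourceExtractor
  # Allow-list of accepted properties per source type; anything else is ignored.
  SOURCE_TYPES = {
    'dependency_scanning' => {
      'input_file' => %w[path],
      'package_manager' => %w[name]
    },
    'container_scanning' => {
      'image' => %w[name tag],
      'operating_system' => %w[name version]
    }
  }.freeze

  PROPERTY_NAME = /\Agitlab:(?<type>[a-z_]+):(?<group>[a-z_]+):(?<field>[a-z_]+)\z/

  # Returns the nested source hash for +source_type+, or nil when the report
  # carries none of the expected properties for that type.
  def self.extract(sbom_json, source_type)
    allowed = SOURCE_TYPES.fetch(source_type)
    properties = JSON.parse(sbom_json).dig('metadata', 'properties')
    properties = [] unless properties.is_a?(Array)

    source = {}
    properties.each do |prop|
      next unless prop.is_a?(Hash)

      match = PROPERTY_NAME.match(prop['name'].to_s)
      next unless match && match[:type] == source_type
      # Drop properties that are not on the allow-list for this source type.
      next unless allowed.fetch(match[:group], []).include?(match[:field])
      # Only non-empty string values are stored.
      next unless prop['value'].is_a?(String) && !prop['value'].empty?

      (source[match[:group]] ||= {})[match[:field]] = prop['value']
    end

    source.empty? ? nil : source
  end
end

if __FILE__ == $PROGRAM_NAME
  puts JSON.pretty_generate(SbomSourceExtractor.extract(DEPENDENCY_SCANNING_SBOM, 'dependency_scanning'))
  puts JSON.pretty_generate(SbomSourceExtractor.extract(CONTAINER_SCANNING_SBOM, 'container_scanning'))
end
```

Running the script prints the two `source` hashes: `{"input_file": {"path": "conan.lock"}, "package_manager": {"name": "conan"}}` for the Dependency Scanning sample, matching the table row above, and `{"image": {...}, "operating_system": {...}}` for the Container Scanning sample with the `gitlab:meta:*` and unknown properties left out. The allow-list plays the role that the updated `sbom_source.json` schema in step 2 plays server-side: the shape written to `sbom_sources` is fixed by code, not by whatever the report happens to contain.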

Edited by Adam Cohen