Output GitLab metadata properties in Container Scanning SBOM
Proposal
In order to complete Store Container Scanning image and operating sy... (#425995 - closed), we need to add support for the following SBOM metadata property fields, added by Add taxonomy for Container Scanning namespace (#426355 - closed):

- `gitlab:container_scanning:image:name`
- `gitlab:container_scanning:image:tag`
- `gitlab:container_scanning:operating_system:name`
- `gitlab:container_scanning:operating_system:version`
Implementation Plan
- Add new class Gcs::SbomConverter, similar to Gcs::SbomConverter. This class must insert the following details into the `metadata.properties` array of the CycloneDX SBOM produced by Container Scanning:

  ```json
  {
    "metadata": {
      "properties": [
        { "name": "gitlab:meta:schema_version", "value": 1 },
        { "name": "gitlab:container_scanning:image:name", "value": "registry.gitlab.com/gitlab-org/security-products/analyzers/gemnasium/tmp/main" },
        { "name": "gitlab:container_scanning:image:tag", "value": "91d61f07e0a4b3dd34b39d77f47f6f9bf48cde0a" },
        { "name": "gitlab:container_scanning:operating_system:name", "value": "alpine" },
        { "name": "gitlab:container_scanning:operating_system:version", "value": "3.18.3" }
      ]
    }
  }
  ```

  We also need to convert the `gitlab:container_scanning:operating_system:name` value we output to one that aligns with the bucket names used by trivy db:

  ```ruby
  TRIVY_OS_TO_TRIVYDB_BUCKET_MAPPING = {
    "cbl-mariner" => "CBL-Mariner",
    "oracle" => "Oracle Linux",
    "photon" => "Photon OS",
    "redhat" => "Red Hat",
    "suse linux enterprise server" => "SUSE Linux Enterprise",
    "opensuse.leap" => "openSUSE Leap",
    "amazon" => "amazon linux"
  }

  def trivy_os_to_trivydb_bucket(trivy_os)
    TRIVY_OS_TO_TRIVYDB_BUCKET_MAPPING.fetch(trivy_os, trivy_os)
  end
  ```

  If no mapping exists for a particular operating system name, such as `debian`, we pass through the name unchanged.

- Add unit tests and integration tests
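To make the plan above concrete, here is an added Ruby sketch (not the GCS project's own code) of a converter that inserts the four properties into a parsed CycloneDX document, applies the trivy-db bucket mapping, and replaces rather than duplicates any property that is already present. The function and constant names other than the mapping table are assumptions, and the sample SBOM is constructed for the example.

```ruby
require 'json'

# Mapping from the OS name Trivy reports to the bucket name used by trivy-db
# (the table from the implementation plan above).
TRIVY_OS_TO_TRIVYDB_BUCKET_MAPPING = {
  "cbl-mariner" => "CBL-Mariner",
  "oracle" => "Oracle Linux",
  "photon" => "Photon OS",
  "redhat" => "Red Hat",
  "suse linux enterprise server" => "SUSE Linux Enterprise",
  "opensuse.leap" => "openSUSE Leap",
  "amazon" => "amazon linux"
}.freeze

# Unmapped names (for example "debian") pass through unchanged.
def trivy_os_to_trivydb_bucket(trivy_os)
  TRIVY_OS_TO_TRIVYDB_BUCKET_MAPPING.fetch(trivy_os, trivy_os)
end

# Inserts the GitLab container-scanning properties into the metadata.properties
# array of a parsed CycloneDX SBOM (hypothetical helper name). Any existing
# property with one of these names is replaced, so re-running the converter
# never produces duplicate entries.
def add_container_scanning_properties(sbom, image_name:, image_tag:, os_name:, os_version:)
  new_props = {
    "gitlab:meta:schema_version" => 1,
    "gitlab:container_scanning:image:name" => image_name,
    "gitlab:container_scanning:image:tag" => image_tag,
    "gitlab:container_scanning:operating_system:name" => trivy_os_to_trivydb_bucket(os_name),
    "gitlab:container_scanning:operating_system:version" => os_version
  }
  metadata = sbom["metadata"] ||= {}
  kept = (metadata["properties"] || []).reject { |p| new_props.key?(p["name"]) }
  metadata["properties"] = kept + new_props.map { |name, value| { "name" => name, "value" => value } }
  sbom
end

# Convenience lookup of a single property value (hypothetical helper name).
def property_value(sbom, name)
  sbom.dig("metadata", "properties")&.find { |p| p["name"] == name }&.fetch("value")
end

# Constructed sample: a minimal CycloneDX document as Container Scanning might emit it,
# already carrying a schema_version property that must not be duplicated.
SAMPLE_SBOM = JSON.parse(<<~JSON).freeze
  {"bomFormat": "CycloneDX", "specVersion": "1.4",
   "metadata": {"properties": [{"name": "gitlab:meta:schema_version", "value": 1}]},
   "components": []}
JSON
```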
Edited by Adam Cohen