Container Scanning v6.2.0 produces invalid SBOMs that cannot be ingested by the rails monolith
Summary
Output GitLab metadata properties in Container ... (#426356 - closed) added support for outputting GitLab metadata properties in the SBOM. However, we made a mistake: the gitlab:meta:schema_version value is an integer when it should be a string. This causes Gitlab::Ci::Parsers::Sbom::Validators::CyclonedxSchemaValidator#valid? in the rails monolith to return false, because the schema expects the value field to be a string, which prevents the SBOM file from being ingested.
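A small pre-ingestion check illustrating the failure described above. This is an added example, not code from the container-scanning project or the rails monolith: it walks metadata.properties of a CycloneDX 1.4 document and reports any property whose value is not a JSON string, and can produce a corrected copy. The embedded SBOM is a constructed sample that mimics the shape of the broken gl-sbom-report.cdx.json (schema_version emitted as the integer 1); function names are my own.

```ruby
require 'json'

# Constructed sample resembling what Container Scanning 6.2.0 writes:
# "gitlab:meta:schema_version" carries an Integer, but the CycloneDX 1.4
# schema requires metadata.properties[].value to be a string.
BROKEN_SBOM = <<~JSON
  {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "metadata": {
      "tools": [{ "vendor": "GitLab", "name": "container-scanning", "version": "6.2.0" }],
      "properties": [
        { "name": "gitlab:meta:schema_version", "value": 1 },
        { "name": "gitlab:container_scanning:image:name", "value": "alpine:3.7" }
      ]
    },
    "components": []
  }
JSON

# Return the names of metadata properties whose value is not a String.
# An empty array means the document would pass this part of the schema.
def non_string_property_values(sbom_json)
  sbom = JSON.parse(sbom_json)
  props = sbom.dig('metadata', 'properties') || []
  props.reject { |p| p['value'].is_a?(String) }.map { |p| p['name'] }
end

# Return a corrected copy of the document in which every non-string
# property value has been converted with #to_s (1 becomes "1").
def stringify_property_values(sbom_json)
  sbom = JSON.parse(sbom_json)
  (sbom.dig('metadata', 'properties') || []).each do |p|
    p['value'] = p['value'].to_s unless p['value'].is_a?(String)
  end
  JSON.pretty_generate(sbom)
end

if __FILE__ == $PROGRAM_NAME
  bad = non_string_property_values(BROKEN_SBOM)
  puts "non-string property values: #{bad.inspect}"
  fixed = stringify_property_values(BROKEN_SBOM)
  puts "after fix: #{non_string_property_values(fixed).inspect}"
end
```

The check only covers the one constraint this issue is about (property values must be strings); it is not a substitute for running the full CycloneDX schema validation shown in the reproduction steps.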
Steps to reproduce
Container Scanning produces gl-sbom-report.cdx.json, which does not pass schema validation:
$ docker run -it --rm -v "$PWD:/src" -w /src -e CS_IMAGE=alpine:3.7 registry.gitlab.com/security-products/container-scanning:6
$ docker run -it --rm -v "$PWD:/my-cyclonedx-sboms" -w /my-cyclonedx-sboms cyclonedx/cyclonedx-cli:latest cyclonedx validate --input-version v1_4 --input-file gl-sbom-report.cdx.json
WARNING: The requested image's platform (linux/amd64) does not match the detected host platform (linux/arm64/v8) and no specific platform was requested
Validating JSON BOM...
Validation failed: Value is "integer" but should be "string"
#/properties/metadata/$ref/properties/properties/items/$ref/properties/value/type
BOM is not valid.
What is the current bug behavior?
Container Scanning produces gl-sbom-report.cdx.json, which does not pass schema validation.
What is the expected correct behavior?
Container Scanning produces gl-sbom-report.cdx.json, which passes schema validation.
Possible fixes
-
Change SCHEMA_VERSION to string: diff --git a/lib/gcs/sbom_converter.rb b/lib/gcs/sbom_converter.rb index 0418174..4d0948c 100644 --- a/lib/gcs/sbom_converter.rb +++ b/lib/gcs/sbom_converter.rb @@ -2,7 +2,7 @@ module Gcs class SbomConverter - SCHEMA_VERSION = 1 + SCHEMA_VERSION = "1" PROPERTY_NAME_SCHEMA_VERSION = 'gitlab:meta:schema_version' PROPERTY_NAME_IMAGE_NAME = 'gitlab:container_scanning:image:name'
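Review bot: the replacement `SCHEMA_VERSION = "1"` uses double quotes while the neighbouring constants in the same hunk (`PROPERTY_NAME_SCHEMA_VERSION = 'gitlab:meta:schema_version'`, `PROPERTY_NAME_IMAGE_NAME = 'gitlab:container_scanning:image:name'`) use single quotes; use `'1'` to match the file's existing style. The change itself is the right fix: the schema path reported in the reproduction (`.../properties/items/$ref/properties/value/type`) requires a string, and any spec that currently asserts the integer value 1 for this property will need updating together with it.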
-
Update unit and integration tests.