Add support for ingesting CycloneDX v1.5
Why are we doing this work
CycloneDX specification version 1.5 has been available since 2023-06-23.
We'd like to be able to use it in our SBOMs.
Relevant links
Original defect report: #431406 (closed)
Proposal
CycloneDX SBOM ingestion needs to be updated to support `specVersion` 1.5 in addition to 1.4.
Implementation plan
- Add the CycloneDX 1.5 schema
  - Create `app/validators/json_schemas/cyclonedx/`
  - Move the existing JSON schema to `app/validators/json_schemas/cyclonedx/bom-1.4.schema.json`
    - This should be a copy of the one on GitHub
  - Add the CycloneDX spec version 1.5 schema under `app/validators/json_schemas/cyclonedx/`
- Update the parser to remove the `supported_spec_version?` check
- Update `CyclonedxSchemaValidator` to choose the correct schema added above in `app/validators/json_schemas/cyclonedx/` by using `report_data['specVersion']`
  - Return an error like `CyclonedxSpecVersionUnsupported` if it doesn't match `1.4` or `1.5`
  - If the version is supported, choose the matching JSON schema for validation: https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/parsers/sbom/validators/cyclonedx_schema_validator.rb#L26
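The plan above in runnable form, as an added example written for this issue; it is not GitLab's `CyclonedxSchemaValidator` and not code from the CycloneDX project. It assumes the directory and `bom-<version>.schema.json` naming from the plan, and the schema bodies are constructed stand-ins (only `required` and `const` are understood) so that it runs offline without a JSON Schema gem. The point worth noting for review: `specVersion` comes from an uploaded report, so it is checked against the allow-list before it is ever used to build a schema file name.

```ruby
require 'json'

# Added example, not GitLab's code: pick the CycloneDX JSON schema from
# report_data['specVersion'] and report an error for any other version.
module CyclonedxExample
  SCHEMA_DIR = 'app/validators/json_schemas/cyclonedx'.freeze # path assumed from the plan
  SUPPORTED_SPEC_VERSIONS = %w[1.4 1.5].freeze

  # Constructed stand-in schemas. The real implementation would read
  # "#{SCHEMA_DIR}/bom-#{version}.schema.json" and hand it to a JSON Schema
  # library; these stubs only carry `required` keys and `const` values.
  STUB_SCHEMAS = SUPPORTED_SPEC_VERSIONS.to_h { |v|
    [v, {
      'required' => %w[bomFormat specVersion],
      'properties' => {
        'bomFormat' => { 'const' => 'CycloneDX' },
        'specVersion' => { 'const' => v }
      }
    }]
  }.freeze

  class SchemaValidator
    attr_reader :errors

    def initialize(report_data)
      @report_data = report_data
      @errors = []
    end

    # File the real validator would load. Only called with a version taken
    # from SUPPORTED_SPEC_VERSIONS, so the untrusted specVersion string never
    # reaches File.join (a "../" in it would otherwise escape SCHEMA_DIR).
    def schema_path(version)
      File.join(SCHEMA_DIR, "bom-#{version}.schema.json")
    end

    def valid?
      version = @report_data['specVersion']
      unless SUPPORTED_SPEC_VERSIONS.include?(version)
        # Mirrors the CyclonedxSpecVersionUnsupported error named in the plan.
        @errors << "CyclonedxSpecVersionUnsupported: specVersion #{version.inspect} " \
                   "is not one of #{SUPPORTED_SPEC_VERSIONS.join(', ')}"
        return false
      end

      @errors.concat(check_against(STUB_SCHEMAS.fetch(version)))
      @errors.empty?
    end

    private

    # Tiny subset of JSON Schema evaluation: `required` keys and `const` values.
    def check_against(schema)
      problems = []
      schema.fetch('required', []).each do |key|
        problems << "property '/#{key}' is required" unless @report_data.key?(key)
      end
      schema.fetch('properties', {}).each do |key, rule|
        next unless rule.key?('const') && @report_data.key?(key)
        next if @report_data[key] == rule['const']

        problems << "property '/#{key}' must equal #{rule['const'].inspect}"
      end
      problems
    end
  end

  # Parse raw report JSON as the ingestion path would, then validate it.
  # Returns [valid, errors].
  def self.validate(raw_json)
    validator = SchemaValidator.new(JSON.parse(raw_json))
    [validator.valid?, validator.errors]
  end
end

# Constructed sample reports: a good 1.5 BOM, an unsupported newer version,
# and a hostile specVersion that must never be turned into a file path.
SAMPLE_1_5 = '{"bomFormat":"CycloneDX","specVersion":"1.5","version":1,"components":[]}'
SAMPLE_1_6 = '{"bomFormat":"CycloneDX","specVersion":"1.6","version":1}'
SAMPLE_TRAVERSAL = '{"bomFormat":"CycloneDX","specVersion":"../../../etc/passwd"}'

if __FILE__ == $PROGRAM_NAME
  [SAMPLE_1_5, SAMPLE_1_6, SAMPLE_TRAVERSAL].each do |raw|
    ok, errors = CyclonedxExample.validate(raw)
    puts "#{ok ? 'valid' : 'invalid'}: #{errors.join('; ')}"
  end
end
```

Adding 1.6 later is then a matter of dropping `bom-1.6.schema.json` into the directory and extending `SUPPORTED_SPEC_VERSIONS`; anything not on that list is rejected before any file lookup happens.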
Edited by Igor Frenkel