Conditionally remove cyclonedx specVersion 1.4 override
Why are we doing this work
In Container Scanning CycloneDX reports are not in... (#431406 - closed) a specVersion override was added to the container scanning analyzer so that it outputs a version of the CycloneDX SBOM that the rails monolith could ingest (only 1.4 at the time).
This limitation should be removed.
Relevant links
Issue for adding specVersion 1.5 support in the monolith: Add support for ingesting CycloneDX v1.5 (#431435 - closed)
Proposal
We need to remove the override conditionally because the fix in the rails monolith, Add support for ingesting CycloneDX v1.5 (#431435 - closed), can only target versions 16.7+. For previous versions (16.4, 16.5, 16.6) this support isn't available, and the analyzer should continue to emit SBOMs with the override until official deprecation in 17.0.
A new environment variable is needed to control whether the CycloneDX specVersion is overridden or not.
Implementation plan
- Update the Container Scanning analyzer to parse CS_CYCLONEDX_SCHEMA_VERSION and remove the override workaround added in Container Scanning CycloneDX reports are not in... (#431406 - closed) when the variable is set to 1.5.
- Update environment.rb to add a #override_trivy_sbom_cyclonedx_spec_version method: returns 1.4 if the above environment variable is not set, or its value when it is set.
- Update the sbom converter to only call fix_report_version! if the value is 1.4.
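The plan above, modelled as an added Ruby example (not the analyzer's own code): the environment.rb accessor defaults to 1.4 when CS_CYCLONEDX_SCHEMA_VERSION is unset, and the converter applies the existing 1.4 workaround only in that case. The Trivy SBOM shape, the treatment of a blank value as unset, and the convert_sbom wrapper are assumptions made for the example.

```ruby
require 'json'

DEFAULT_SPEC_VERSION = '1.4'.freeze
SCHEMA_VERSION_VAR = 'CS_CYCLONEDX_SCHEMA_VERSION'.freeze

# environment.rb: "1.4" when the variable is unset (a blank value is treated
# the same, an assumption here), otherwise whatever the pipeline set.
def override_trivy_sbom_cyclonedx_spec_version(env = ENV)
  value = env[SCHEMA_VERSION_VAR].to_s.strip
  value.empty? ? DEFAULT_SPEC_VERSION : value
end

# The workaround from #431406: pin specVersion to 1.4 so that monolith
# versions before 16.7 can ingest the report. Behaviour unchanged; it is
# simply no longer called unconditionally.
def fix_report_version!(report)
  report['specVersion'] = DEFAULT_SPEC_VERSION
  report
end

# sbom converter: rewrite the version only when the override is still 1.4.
# Works on a copy so the caller's report is left untouched.
def convert_sbom(report, env = ENV)
  converted = JSON.parse(JSON.generate(report))
  fix_report_version!(converted) if override_trivy_sbom_cyclonedx_spec_version(env) == DEFAULT_SPEC_VERSION
  converted
end

# Constructed sample: minimal shape of a CycloneDX 1.5 SBOM as Trivy would emit it.
TRIVY_SBOM = {
  'bomFormat' => 'CycloneDX',
  'specVersion' => '1.5',
  'components' => [{ 'type' => 'library', 'name' => 'example-lib', 'version' => '0.1.0' }]
}.freeze

if __FILE__ == $PROGRAM_NAME
  # Variable unset (16.4-16.6 behaviour): report is downgraded to 1.4.
  puts convert_sbom(TRIVY_SBOM, {})['specVersion']
  # Variable set to 1.5 (16.7+): report is passed through unchanged.
  puts convert_sbom(TRIVY_SBOM, SCHEMA_VERSION_VAR => '1.5')['specVersion']
end
```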
Verification steps
With all of the above in place, the following can be verified:
- Create an MR with a container scanning job.
- When the job completes, the generated SBOM should have specVersion 1.5.
- When navigating to group dependencies, the dependency list should be shown, unlike in the originally reported defect: Container Scanning CycloneDX reports are not in... (#431406 - closed)