Skip to content

Add props field to SBOM component CI parser class

Why are we doing this work

This issue covers the work needed to parse the SBOM report in JSON format, and include the components' Trivy properties should they exist.

Relevant links

Non-functional requirements

  • Documentation:
  • Feature flag:
  • Performance:
  • Testing: Add unit tests/specs to verify that the CI parsing occurs as expected.

Implementation plan

  • Update the Gitlab::Ci::Parsers::Sbom::CyclonedxProperties class.

    • Add the Trivy CycloneDX properties to the supported properties const.

    • Add a Gitlab::Ci::Parsers::Sbom::Source::Trivy class that inherits from the Sbom::Source::BaseSource class. It should implement the type method so that it returns :trivy.

    • Add a TRIVY_PREFIX = 'aquasecurity:trivy:' const and allow it as a valid prefix. This will also need to be clipped if it exists. Alternatively, this can be refactored so that the class can validate a SUPPORTED_PREFIXES list instead.

      return unless SUPPORTED_PREFIXES.any? { |prefix| name.start_with?(prefix) }
namespaced_name = SUPPORTED_PREFIXES.find { |prefix| name.starts_with(prefix) }.then { |prefix| name.delete_prefix(prefix) }

  • Add specs to test that the Trivy properties are properly parsed into a namespaced hash.

    Input

    { "aquasecurity:trivy:FilePath": "/usr/local/lib/node_modules/pkgA/package.json }

    Expect

    { "trivy": { "FilePath": "/usr/local/lib/node_modules/pkgA/package.json" } }

  • Update the Gitlab::Ci::Parsers:Sbom::Component class

    • Add a props attribute and an attribute reader. Initialize the class with this attribute as a props arg.

  • Update the Gitlab::Ci::Parsers:Sbom::Cyclonedx class

    • Update the #parse_components method so that it parses the properties with the CyclonedxProperties.parse_source method.

Verification steps

This won't be user visible, so we'll rely on the rspec test suites to verify that the tests work as expected. To manually test, do the following:

  1. Checkout the corresponding branch
  2. Parse an SBOM component JSON string that contains the Trivy properties
  3. Inspect the parsed component object's props attribute and verify that it contains the allowed Trivy properties.
Edited by Aditya Tiwari