Spike: Replace Gemnasium with open source native CDX SBOM generators

Topic to Evaluate

Evaluate whether we could replace the Gemnasium analyzer, maintained by the Composition Analysis group, with open source CycloneDX SBOM generators.

The CycloneDX (CDX) SBOM generators would be native ones, meaning that they are implemented using the programming language and package manager they support. For instance, a CDX generator for sbt would be implemented in Scala, and its dependencies managed using sbt itself.

This approach has been discussed in the following threads:

The scope is limited to SBOM components of the library type (application-level dependencies). These SBOM components are used for Dependency Scanning. Container Scanning and system-level dependencies are out of scope.

Timebox

3 days

Tasks prior to evaluation

  • Clearly document the topic to be evaluated in this issue description
  • Determine specific scope including time-bounds for investigation: 3 days

Tasks to Evaluate

Topics to research/evaluate:

  • feasibility
  • opportunities
  • limitations
  • risks
  • maintenance
  • skillset
  • compatible software licenses
  • migration path

Outcome:

  • Make a proposal that can be turned into an epic, if accepted.

Team

/cc @thiagocsf @johncrowley @gonzoyumo

Edited by Thiago Figueiró