Export dependency list in SPDX format

Release notes

Since the US Federal Government issued its software bill of materials (SBOM) requirement, companies have been required to produce an SBOM to help further secure the software supply chain. SPDX has become the adopted SBOM standard. In this release, you will be able to export an SBOM directly from the Dependency List.

Problem to solve

When a user clicks the Export button on the Dependency List, they download a JSON file in GitLab's custom format. Ideally users would be downloading an industry standard like SPDX.

Note: We will need to add a dropdown that lets users choose either the old custom GitLab format or the SPDX format. The old custom GitLab format can be deprecated and removed in 17.0.

Intended users

Proposal

A user can export their dependency list at the project and/or group level and download it in CycloneDX format.

  • API access to download the file.
  • When they click the Export button, a user can choose between the following options: 1. JSON, 2. CycloneDX, 3. SPDX.


Further details

There are two industry standard formats for dependency reporting: CycloneDX and SPDX. We will start with CycloneDX (see issue #407453, "Dependency list exports in CycloneDX SBoM forma...", closed) because it is a superset of the data that is in SPDX.
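To show what the SPDX export discussed above looks like, here is an added example (not GitLab's code) that turns a constructed dependency list into an SPDX 2.3 JSON document; the input field names, the project name and the document namespace are assumptions for the example.

```python
import json
from datetime import datetime, timezone

# Constructed sample input; the field names are an assumption for this
# example, not GitLab's custom export format.
DEPENDENCIES = [
    {"name": "lodash", "version": "4.17.21", "purl": "pkg:npm/lodash@4.17.21", "license": "MIT"},
    {"name": "@types/node", "version": "20.4.0", "purl": "pkg:npm/%40types/node@20.4.0"},
]

def spdx_id(name, version):
    """SPDX element IDs allow only letters, digits, '.' and '-'; others become '-'."""
    raw = f"SPDXRef-Package-{name}-{version}"
    return "".join(c if c.isalnum() or c in ".-" else "-" for c in raw)

def to_spdx(deps, project_name, namespace):
    """Build an SPDX 2.3 JSON document: the document DESCRIBES a root package,
    and the root DEPENDS_ON each dependency; each dependency carries its purl."""
    root_id = "SPDXRef-Package-root"
    packages = [{"SPDXID": root_id, "name": project_name, "downloadLocation": "NOASSERTION"}]
    relationships = [{"spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": root_id,
                      "relationshipType": "DESCRIBES"}]
    for dep in deps:
        pkg_id = spdx_id(dep["name"], dep["version"])
        packages.append({
            "SPDXID": pkg_id, "name": dep["name"], "versionInfo": dep["version"],
            "downloadLocation": "NOASSERTION",
            # Missing license data must be stated explicitly, not left blank.
            "licenseConcluded": dep.get("license", "NOASSERTION"),
            "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                              "referenceType": "purl", "referenceLocator": dep["purl"]}],
        })
        relationships.append({"spdxElementId": root_id, "relatedSpdxElement": pkg_id,
                              "relationshipType": "DEPENDS_ON"})
    return {
        "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT",
        "name": f"{project_name}-sbom", "documentNamespace": namespace,
        "creationInfo": {"created": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
                         "creators": ["Tool: example-exporter"]},
        "packages": packages, "relationships": relationships,
    }

if __name__ == "__main__":
    print(json.dumps(to_spdx(DEPENDENCIES, "my-project", "https://example.com/spdx/my-project"), indent=2))
```

The purl in each package's externalRefs is what lets downstream scanners match the package against vulnerability databases, so an export that omits it is far less useful than one that includes it.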

Permissions and Security

Documentation

https://docs.gitlab.com/ee/user/application_security/dependency_list/#downloading-the-dependency-list

Availability & Testing

Available Tier

GitLab Ultimate

Feature Usage Metrics

What does success look like, and how can we measure that?

What is the type of buyer?

Is this a cross-stage feature?

No

What is the competitive advantage or differentiation for this feature?

This allows customers to leverage the output of our dependency list in a format that is widely accepted by the industry.

Links / references

This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.

Edited by Alana Bellucci