Remove the single source per CycloneDX report restriction
Summary
The `IngestSources` task ingests a single SBOM source per report. This is efficient when consuming gemnasium generated CycloneDX reports, but it prevents us from ingesting CycloneDX properties at the component level.
Improvements
- Ingest Trivy SBOM component properties
- You can `deep_merge` properties before ingestion. For example, you could `deep_merge` (not `deep_merge!`) the component level properties into the report level properties, and store the complete set later.
- Restore parity between the `input_file_path` and `package_manager` fields, and the data stored in their respective `sbom_sources` entries.
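The non-mutating merge described above, as an added illustration rather than GitLab's own code: `deep_merge` below is a stand-in for ActiveSupport's `Hash#deep_merge` (assumed to have the same recursive, non-mutating semantics), and the report-level and component-level properties are constructed sample data, not real Trivy output.

```ruby
# Added example (not GitLab code): layering CycloneDX component-level
# properties on top of the report-level properties before ingestion.

# Stand-in for ActiveSupport's Hash#deep_merge (assumption: nested hashes are
# merged recursively, any other value is overwritten by the right-hand side).
# Returns a new Hash and leaves both inputs untouched.
def deep_merge(base, other)
  base.merge(other) do |_key, left, right|
    left.is_a?(Hash) && right.is_a?(Hash) ? deep_merge(left, right) : right
  end
end

# Constructed sample: report-level properties shared by every component, and
# per-component properties as a Trivy-style CycloneDX report would carry them.
REPORT_PROPERTIES = {
  'source_type' => 'trivy',
  'data' => { 'source' => { 'image_name' => 'example/app:1.0' } }
}.freeze

COMPONENTS = [
  { 'name' => 'libssl',
    'properties' => { 'data' => { 'pkg_type' => 'deb', 'src_name' => 'openssl' } } },
  { 'name' => 'rails',
    'properties' => { 'data' => { 'pkg_type' => 'gem' } } }
].freeze

# Builds one complete property set per component. Because deep_merge (not
# deep_merge!) is used, the shared report hash is never mutated, so a key that
# exists only on the first component (src_name) does not leak into the second.
def properties_per_component(report_properties, components)
  components.to_h do |component|
    [component['name'], deep_merge(report_properties, component['properties'])]
  end
end

if __FILE__ == $PROGRAM_NAME
  pp properties_per_component(REPORT_PROPERTIES, COMPONENTS)
end
```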
Risks
- Increased space usage increases our risk of running into the Postgres max table size limit.
Involved components
`Sbom::Ingestion::Tasks::IngestSources`
Optional: Intended side effects
- Parity between the data stored in `Sbom::Source` and `Sbom::Occurrence`.
Optional: Missing test coverage
- Add a context that tests for the correct behavior when ingesting component level Trivy properties.