Remove the single source per CycloneDX report restriction


Summary

The IngestSources task ingests a single SBOM source per report. This is efficient when consuming gemnasium-generated CycloneDX reports, but it prevents us from ingesting CycloneDX properties at the component level.

Improvements

  • Ingest Trivy SBOM component properties
  • You can deep_merge properties before ingestion. For example, you could deep_merge (rather than shallow-merge) the component level properties into the report level properties, and store the complete set later.
  • Restore parity between the input_file_path and package_manager fields, and the data stored in their respective sbom_sources entries.
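As an added illustration of the deep_merge point above (this is example code, not GitLab's IngestSources task, and the report, property names and field mapping are constructed for the example), the following plain Ruby turns CycloneDX `properties` arrays into nested hashes and shows why a deep merge of component level into report level properties is needed: a shallow `Hash#merge` silently drops every report level key that shares a top-level prefix with a component level key.

```ruby
require 'json'

# Constructed sample CycloneDX report (not taken from the issue). Report level
# properties live under metadata.properties, component level ones under
# components[].properties. Property names are colon-separated paths, as
# Trivy-style and GitLab-style properties are; the exact names are assumptions.
SAMPLE_REPORT = <<~JSON
  {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {
      "properties": [
        { "name": "aquasecurity:trivy:SchemaVersion", "value": "2" },
        { "name": "gitlab:meta:input_file_path",      "value": "Gemfile.lock" },
        { "name": "gitlab:meta:package_manager",      "value": "bundler" }
      ]
    },
    "components": [
      {
        "name": "rails", "version": "7.0.4", "purl": "pkg:gem/rails@7.0.4",
        "properties": [
          { "name": "aquasecurity:trivy:PkgType", "value": "bundler" },
          { "name": "aquasecurity:trivy:SrcName", "value": "rails" }
        ]
      },
      { "name": "nokogiri", "version": "1.13.10", "purl": "pkg:gem/nokogiri@1.13.10" }
    ]
  }
JSON

# Convert a CycloneDX properties array into a nested hash, splitting each
# name on ":" so "a:b:c" => {"a" => {"b" => {"c" => value}}}.
def properties_to_hash(properties)
  (properties || []).each_with_object({}) do |prop, acc|
    *path, leaf = prop.fetch('name').split(':')
    node = path.reduce(acc) do |h, key|
      h[key] = {} unless h[key].is_a?(Hash)
      h[key]
    end
    node[leaf] = prop.fetch('value')
  end
end

# Recursive merge: nested hashes are merged key by key, scalars on the
# right-hand side win. Stands in for ActiveSupport's Hash#deep_merge.
def deep_merge(base, other)
  base.merge(other) do |_key, old, new|
    old.is_a?(Hash) && new.is_a?(Hash) ? deep_merge(old, new) : new
  end
end

# Field mapping from the merged properties to what a source record would
# store. The property names used here are constructed, not GitLab's.
def source_fields(props)
  {
    'input_file_path' => props.dig('gitlab', 'meta', 'input_file_path'),
    'package_manager' => props.dig('gitlab', 'meta', 'package_manager')
  }
end

# For every component, compute both the shallow and the deep merge so the
# difference is visible side by side.
def component_properties(report)
  report_props = properties_to_hash(report.dig('metadata', 'properties'))
  report.fetch('components', []).map do |component|
    comp_props = properties_to_hash(component['properties'])
    deep = deep_merge(report_props, comp_props)
    {
      'name'    => component['name'],
      'version' => component['version'],
      'shallow' => report_props.merge(comp_props), # loses nested report keys
      'deep'    => deep,
      'source'  => source_fields(deep)
    }
  end
end

if $PROGRAM_NAME == __FILE__
  puts JSON.pretty_generate(component_properties(JSON.parse(SAMPLE_REPORT)))
end
```

Running the file prints, for `rails`, a `shallow` hash in which `aquasecurity.trivy.SchemaVersion` has disappeared (the component's `aquasecurity` subtree replaced the report's) and a `deep` hash that keeps `SchemaVersion`, `PkgType` and `SrcName` together; `nokogiri`, which carries no properties of its own, simply inherits the report level set. The `source` entry is what would have to stay in step with the `input_file_path` and `package_manager` columns for the parity point above.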

Risks

  • Increased space usage increases our risk of running into the Postgres max table size limit.

Involved components

  • Sbom::Ingestion::Tasks::IngestSources

Optional: Intended side effects

  • Parity between the data stored in Sbom::Source and Sbom::Occurrence.

Optional: Missing test coverage

  • Add a context that tests for the correct behavior when ingesting component level Trivy properties.