[CS For Registry] Set SBOM occurrence source to registry_event
Description
- During SBOM ingestion, create SBOM components with the `occurrence.source` (`sbom_source` table) `registry_event` if the SBOM report's `metadata.tools` has `registry_event`.
- TODO: Check if storing this info in the `occurrence.source` table could have a performance impact at the time of filtering.
  - Done: There won't be any change in performance.
User Impact
No direct user impact as this is a backend implementation.
Non-functional requirements
- Benchmarking: Assess the performance impact of using the newly introduced data for filtering.
- Testing: Add unit tests/specs.
Implementation plan
- Add a new source type in `ee/app/models/sbom/source.rb`: `container_scanning_for_registry`
- Introduce new CycloneDX properties in `lib/gitlab/ci/parsers/sbom/cyclonedx_properties.rb`:
  - `container_scanning_for_registry:image:name`
  - `container_scanning_for_registry:image:tag`
  - `container_scanning_for_registry::operating_system:name`
  - `container_scanning_for_registry::operating_system:version`
- Refer to the POC for more details: !151552 (diffs)
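A sketch of how the source record could be derived from the properties listed in the plan (an added example, not GitLab's code and not taken from the POC). It assumes the properties arrive as `name`/`value` pairs in the CycloneDX `metadata.properties` array; the helper name, the returned hash shape and the sample report are hypothetical.

```ruby
require 'json'

# Source type and property names copied verbatim from the implementation plan.
SOURCE_TYPE = 'container_scanning_for_registry'
PROPERTY_PATHS = {
  'container_scanning_for_registry:image:name' => %w[image name],
  'container_scanning_for_registry:image:tag' => %w[image tag],
  'container_scanning_for_registry::operating_system:name' => %w[operating_system name],
  'container_scanning_for_registry::operating_system:version' => %w[operating_system version]
}.freeze

# Hypothetical helper (not GitLab code). Returns the source attributes, or nil
# when the report carries none of the properties above.
def registry_source_from(report)
  metadata = report.is_a?(Hash) ? report['metadata'] : nil
  props = metadata.is_a?(Hash) ? metadata['properties'] : nil
  return nil unless props.is_a?(Array)

  data = {}
  props.each do |prop|
    next unless prop.is_a?(Hash)

    path = PROPERTY_PATHS[prop['name']]
    value = prop['value']
    # Ignore unknown names and blank or non-string values from untrusted reports.
    next if path.nil? || !value.is_a?(String) || value.strip.empty?

    (data[path[0]] ||= {})[path[1]] = value
  end
  data.empty? ? nil : { source_type: SOURCE_TYPE, data: data }
end

# Constructed sample report; image and OS values are made up.
SAMPLE_REPORT = JSON.parse(<<~REPORT)
  {
    "bomFormat": "CycloneDX",
    "metadata": {
      "tools": [{ "name": "registry_event" }],
      "properties": [
        { "name": "container_scanning_for_registry:image:name", "value": "registry.example.com/group/app" },
        { "name": "container_scanning_for_registry:image:tag", "value": "1.4.2" },
        { "name": "container_scanning_for_registry::operating_system:name", "value": "alpine" },
        { "name": "container_scanning_for_registry::operating_system:version", "value": "3.19" },
        { "name": "unrelated:property", "value": "ignored" }
      ]
    }
  }
REPORT
```

A report that only sets `metadata.tools` yields `nil` here, so the source is decided by the properties alone.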
Verification steps
- Ingest an SBOM report with `metadata.tools` as registry event set as a part of [CS For Registry] Set SBOM occurrence source to... (#443634 - closed). This requirement needs to be changed, as the source depends on properties and using `metadata.tools` is like a patch.
- Verify that DB records are created as per the requirements.
Edited by Aditya Tiwari