Investigate: Make it easy to view a package's SBOM


GitLab Summit Code Challenge

This issue is being proposed as part of the code challenge and we hope to deliver an MVC during Summit.

Context

In GitLab, you can use the dependency list to review your project or group’s dependencies and key details about those dependencies, including their known vulnerabilities. This list is a collection of dependencies in your project, including existing and new findings. This information is sometimes referred to as a Software Bill of Materials, SBOM, or BOM.

With the GitLab npm registry, you can use GitLab as a private or public registry for Node packages. You can publish and share packages, which can be consumed as a dependency in downstream projects.

Problem to solve

The problem is that when viewing a specific package + version you can't easily view the SBOM. For example, when I navigate to the package details page (see below) to view the SBOM, I have to download and extract the .tgz.

[Screenshot: the package details page (Screenshot_2024-03-08_at_3.16.16_PM)]

As a developer, when you are looking for the SBOM for a specific package, you are likely to look first at the package details. But when you arrive, you have to unpack the package files and then pull that info out of the package.json. This is inefficient.
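The manual step described above, as an added example that is not GitLab's code: `npm pack` places files under `package/` inside the `.tgz`, so a developer today has to open the tarball and read the dependency sections of `package.json`. The tarball and manifest here are constructed inline; note that `package.json` records version ranges, not the exact resolved versions a lockfile would give.

```python
import io
import json
import tarfile

# Constructed sample manifest, not a real package.
SAMPLE_MANIFEST = {
    "name": "example-app",
    "version": "1.0.0",
    "dependencies": {"express": "4.18.2", "lodash": "^4.17.21"},
    "devDependencies": {"jest": "^29.0.0"},
}

DEP_SCOPES = ("dependencies", "devDependencies", "optionalDependencies", "peerDependencies")


def build_npm_tarball(manifest: dict, member: str = "package/package.json") -> bytes:
    """Build an npm-style .tgz in memory; npm pack nests everything under 'package/'."""
    data = json.dumps(manifest).encode()
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo(member)
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def extract_sbom(tgz: bytes) -> list[dict]:
    """Return the direct dependencies declared in package.json inside an npm tarball.

    Each entry is {"name", "version", "scope"}; "version" is the declared range,
    not a resolved version. Raises ValueError if the tarball has no package.json.
    """
    with tarfile.open(fileobj=io.BytesIO(tgz), mode="r:gz") as tar:
        try:
            member = tar.getmember("package/package.json")
        except KeyError:
            raise ValueError("tarball has no package/package.json") from None
        manifest = json.load(tar.extractfile(member))  # read in memory, nothing written to disk
    components = []
    for scope in DEP_SCOPES:
        for name, spec in manifest.get(scope, {}).items():
            components.append({"name": name, "version": spec, "scope": scope})
    return sorted(components, key=lambda c: (c["name"], c["scope"]))


if __name__ == "__main__":
    for component in extract_sbom(build_npm_tarball(SAMPLE_MANIFEST)):
        print(f'{component["name"]}@{component["version"]} ({component["scope"]})')
```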

As an application security engineer, it's frustrating when a package you are supposed to verify is missing key information. So, when you arrive at the package details page and don't see the SBOM, it means you have to navigate to the dependency list and find the information you are looking for.

User story

As a software developer, when navigating my project's package registry and I have found the package + version I'm looking for, I need to see the SBOM so that I can validate that the package is correct and remediate any issues if it is not.

Examples

Notice that npmjs.com displays the SBOM associated with a given package.

[Screenshot: an npmjs.com package page showing its dependencies (Screenshot_2024-03-08_at_3.29.08_PM)]

Proposal

Add the SBOM to the package details page for npm packages. This will make GitLab users more efficient and make the package details page more useful by providing this important data.

Also, the npm dependency proxy will increase demand for this feature, as it will sharply increase the number of packages downloaded from upstream repositories. Providing the SBOM on the details page makes this important information quick to find.

Expected outcome

  • Improved usability of the package registry UI
  • Increased adoption of the npm registry
    • Page views of the package details page (+8%)
    • npm monthly active users (+4%)

Beyond the MVC

  • Identify known vulnerabilities associated with any of the dependencies listed in the SBOM.
    • We should check with the Secure team. We may want to keep the vulnerability report as the SSOT here. But perhaps cross-linking would be helpful?
  • Use the dependency firewall (planned) to create policies that set a package to pullable only if:
    • The CI publication pipeline is green.
    • The SBOM is free of vulnerabilities (above a certain threshold).