Remove the requirement for SBOM report to comply with the GitLab CycloneDX taxonomy
Release notes
The GitLab CycloneDX Taxonomy is no longer required for GitLab to process an SBOM report artifact. This allows users to leverage any 3rd party SBOM generators that do not provide this information.
Problem to solve
GitLab SBOM support requires the CycloneDX documents to comply with our custom taxonomy. This limits the opportunity for users to leverage any SBOM generator to provide the list of components used in their project.
This limits the adoption of several SCA capabilities.
Example project: https://gitlab.com/gitlab-org/secure/tests/olivier/bring-your-own-sbom
Proposal
Adjust all downstream processes that depend on the GitLab CycloneDX property taxonomy so that they no longer require that information.
WIP list:
| Feature | Works without GitLab Taxonomy |
|---|---|
| Dependency List | |
| License Scanning | |
| Continuous Vulnerability Scanning | |
| (WIP) Dependency Scanning of CycloneDX files | |
| (WIP) Container Scanning of CycloneDX files | |
Intended users
Feature Usage Metrics
We might want to track the tool property of the CycloneDX metadata to distinguish which SBOM generator has been used (GitLab maintained vs 3rd party).
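As an added illustration (not code from this issue or from GitLab), the Ruby snippet below shows how an ingester can accept a CycloneDX document with or without the GitLab property taxonomy while still reading the generating tool from `metadata.tools`, the signal the metrics question above refers to. It assumes the taxonomy properties are namespaced with a `gitlab:` prefix and uses constructed sample SBOMs.

```ruby
require 'json'

# Constructed sample SBOMs (not from the issue): one from a hypothetical third-party
# generator with no GitLab properties, one annotated as a GitLab analyzer would.
THIRD_PARTY_SBOM = <<~JSON
  { "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
    "metadata": { "tools": [ { "vendor": "Example Corp", "name": "example-sbom-tool", "version": "2.1.0" } ] },
    "components": [
      { "type": "library", "name": "rails", "version": "7.0.4", "purl": "pkg:gem/rails@7.0.4" },
      { "type": "library", "name": "lodash", "version": "4.17.21", "purl": "pkg:npm/lodash@4.17.21" }
    ] }
JSON

GITLAB_SBOM = <<~JSON
  { "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
    "metadata": { "tools": [ { "vendor": "GitLab", "name": "Gemnasium", "version": "4.0.0" } ] },
    "components": [
      { "type": "library", "name": "rails", "version": "7.0.4", "purl": "pkg:gem/rails@7.0.4",
        "properties": [ { "name": "gitlab:dependency_scanning:input_file:path", "value": "Gemfile.lock" } ] }
    ] }
JSON

# metadata.tools is an array of {vendor,name,version} in CycloneDX 1.4 and an object
# with a "components" array in 1.5; normalise both into "vendor name version" strings.
def generator_tools(sbom)
  tools = sbom.dig('metadata', 'tools')
  tools = tools['components'] if tools.is_a?(Hash)
  Array(tools).map { |t| [t['vendor'] || t['publisher'], t['name'], t['version']].compact.join(' ') }
end

# True when any component carries a property in the "gitlab:" namespace
# (assumed prefix of the GitLab CycloneDX property taxonomy).
def uses_gitlab_taxonomy?(sbom)
  Array(sbom['components']).any? do |c|
    Array(c['properties']).any? { |p| p['name'].to_s.start_with?('gitlab:') }
  end
end

# The purl (or name/version) identifies a package for dependency, license and
# vulnerability matching; no taxonomy property is needed for that.
def components(sbom)
  Array(sbom['components']).map { |c| { name: c['name'], version: c['version'], purl: c['purl'] } }
end

def summarize(json_text)
  sbom = JSON.parse(json_text)
  raise ArgumentError, 'not a CycloneDX document' unless sbom['bomFormat'] == 'CycloneDX'
  { tools: generator_tools(sbom), gitlab_taxonomy: uses_gitlab_taxonomy?(sbom), components: components(sbom) }
end
```

Both documents yield the same component list; only the `tools` and `gitlab_taxonomy` fields differ, which is what a usage metric would record.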