
Add `purl_type` to sbom_components

Brian Williams requested to merge bwill/add-purl-type into master

What does this MR do and why?


Related to #375796 (closed)

Currently, we do not distinguish between what package index an SBoM component originated from. This means that we could have collisions between packages which have the same name but are managed by different package managers. For example, RubyGems pg and PyPI pg are currently considered the same component. This MR adds the purl_type to the unique_by columns for sbom_components, allowing us to distinguish between these.

In order to get the purl_type, we parse the purl field from the report using the Package URL parser added in !102213 (merged).
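The following is an added example, not code from this MR or from GitLab: a minimal Package URL parser written for this page, plus a check showing how the two colliding pg components become distinct once the parsed purl type is part of the component key. The PURL_TYPES enum values and the component_type value are assumptions chosen to match the example rows shown later on this page; the component entries are constructed.

```ruby
# Added example, not GitLab's own code: a minimal Package URL (purl) parser and a
# check that adding purl_type to the component key separates same-name packages
# that come from different package indexes.

# Assumed enum values for the purl_type column. The two values below match the
# example rows in this MR; the rest of GitLab's mapping is not reproduced here.
PURL_TYPES = { 'gem' => 3, 'pypi' => 8 }.freeze

# Assumed: component_type 0 is "library", as in the example rows.
COMPONENT_TYPE_LIBRARY = 0

Purl = Struct.new(:type, :namespace, :name, :version, :qualifiers, :subpath, keyword_init: true)

# Plain percent-decoding; '+' is left alone, unlike form decoding.
def percent_decode(str)
  str.gsub(/%([0-9A-Fa-f]{2})/) { Regexp.last_match(1).hex.chr }
end

# Parses "pkg:type/namespace/name@version?qualifiers#subpath" in the purl spec's
# split order: subpath, then qualifiers, then version (last '@'), then path segments.
def parse_purl(str)
  raise ArgumentError, "not a purl: #{str}" unless str.start_with?('pkg:')

  rest = str.delete_prefix('pkg:').sub(%r{\A/+}, '')
  rest, subpath = rest.split('#', 2)
  rest, qualifiers = rest.split('?', 2)
  rest, _, version = rest.rpartition('@') if rest.include?('@')

  segments = rest.split('/').reject(&:empty?)
  raise ArgumentError, "purl needs a type and a name: #{str}" if segments.length < 2

  type = segments.shift.downcase
  name = percent_decode(segments.pop)
  namespace = segments.empty? ? nil : segments.map { |s| percent_decode(s) }.join('/')
  quals = (qualifiers || '').split('&').reject(&:empty?).to_h do |kv|
    k, v = kv.split('=', 2)
    [k.downcase, percent_decode(v.to_s)]
  end

  Purl.new(type: type, namespace: namespace, name: name,
           version: version && percent_decode(version), qualifiers: quals, subpath: subpath)
end

# Constructed CycloneDX-style component entries, modelled on the colliding pair
# exercised by the validation steps (one RubyGems pg, one PyPI pg).
COMPONENTS = [
  { 'name' => 'pg', 'version' => 'v0.0.1', 'purl' => 'pkg:gem/pg@v0.0.1' },
  { 'name' => 'pg', 'version' => 'v0.0.1', 'purl' => 'pkg:pypi/pg@v0.0.1' }
].freeze

# The unique_by key for sbom_components: [name, component_type] before this MR,
# [name, component_type, purl_type] after it.
def component_key(component, with_purl_type:)
  key = [component['name'], COMPONENT_TYPE_LIBRARY]
  return key unless with_purl_type

  purl_type = parse_purl(component['purl']).type
  # An unrecognised type is a report problem; do not silently merge it into another row.
  key << PURL_TYPES.fetch(purl_type) { raise ArgumentError, "unknown purl type: #{purl_type}" }
end

# Distinct component rows that would be created for the given report entries.
def distinct_components(components, with_purl_type:)
  components.map { |c| component_key(c, with_purl_type: with_purl_type) }.uniq
end

if __FILE__ == $PROGRAM_NAME
  puts "without purl_type: #{distinct_components(COMPONENTS, with_purl_type: false).length} component(s)"
  puts "with purl_type:    #{distinct_components(COMPONENTS, with_purl_type: true).length} component(s)"
end
```

Running the script prints one component without purl_type in the key and two with it, which is the collision this MR fixes. The parser splits on the last '@' and percent-decodes each segment so that scoped names such as pkg:npm/%40angular/core are handled, and it rejects purls with no name or an unknown type rather than letting them collapse into an existing row.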


How to set up and validate locally


  1. Ensure that you have an EE license

  2. Run migrations: bin/rails db:migrate RAILS_ENV=development

  3. Enable the feature flag using the rails console: Feature.enable(:cyclonedx_sbom_ingestion)

  4. Set up GitLab Runner

  5. Create a new project

  6. Add the following .gitlab-ci.yml to the project:

    persist_sbom:
      image: alpine:latest
      script:
        - wget https://gitlab.com/-/snippets/2378046/raw/main/gl-sbom-with-colliding-components.cdx.json
      artifacts:
        reports:
          cyclonedx:
            - gl-sbom-with-colliding-components.cdx.json
  7. The pipeline should run and succeed. Note down the pipeline ID.

  8. Connect to postgres: gdk psql

  9. Run this query and verify that data is returned:

    select
      name, version, component_type, purl_type, source_id
    from
      sbom_components
    inner join sbom_component_versions
      on sbom_components.id = sbom_component_versions.component_id
    inner join sbom_occurrences
      on sbom_component_versions.id = sbom_occurrences.component_version_id
    where pipeline_id = YOUR_PIPELINE_ID;

Example data:
 name | version | component_type | purl_type | source_id 
------+---------+----------------+-----------+-----------
 pg   | v0.0.1  |              0 |         3 |           
 pg   | v0.0.1  |              0 |         8 |           

(2 rows)

