Add classes for fetching SBOM components
What does this MR do and why?
This MR adds the following new classes:
- Gitlab::LicenseScanning::PipelineComponents, which takes a pipeline as input.
- Gitlab::LicenseScanning::BranchComponents, which takes a project and branch_ref as input.
These classes fetch and parse the SBOM artifact from the pipeline, and return an array of Hashie::Mash objects which contain the following fields:
- name
- version
- purl_type
The classes introduced in this MR are required by the new license scanning implementation that is a part of &9400 (closed). This new approach relies on SBOM components instead of a license scanning report and will allow us to remove the need for a separate license scanning job. Specifically, the classes will be used to complete the implementation of ::Gitlab::LicenseScanning::SbomScanner which in turn will be used in place of ::Gitlab::LicenseScanning::ArtifactScanner once the FF associated with the epic is rolled out.
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Related to #384536 (closed)
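
An added example, not code from this MR or from GitLab: one way to reduce an SBOM artifact to the name, version and purl_type fields listed in the description, including entries that cannot be used for a license lookup. It assumes the artifact is CycloneDX-style JSON with a components array and purl strings; Component, purl_type and sbom_components are hypothetical names, and a plain Struct stands in for Hashie::Mash.

```ruby
require 'json'

# Stand-in for the Hashie::Mash objects the MR describes (assumption: plain Struct).
Component = Struct.new(:name, :version, :purl_type, keyword_init: true)

# Constructed sample input: a minimal CycloneDX-style SBOM (assumed format).
SAMPLE_SBOM = <<~JSON
  {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
      { "name": "rails", "version": "7.0.4", "purl": "pkg:gem/rails@7.0.4" },
      { "name": "@babel/core", "version": "7.20.0", "purl": "pkg:npm/%40babel/core@7.20.0" },
      { "name": "no-purl-lib", "version": "1.0.0" },
      { "name": "bad-purl", "version": "0.1", "purl": "https://example.com/x" },
      { "version": "2.0", "purl": "pkg:pypi/unnamed@2.0" }
    ]
  }
JSON

# Extract the purl type ("gem", "npm", ...) from a package URL; nil if it is not a purl.
def purl_type(purl)
  match = purl.to_s.match(%r{\Apkg:/*([A-Za-z][A-Za-z0-9.+-]*)/})
  match && match[1].downcase
end

# Parse an SBOM document and return components carrying name, version, purl_type.
# Entries without a name or a recognisable purl type are skipped (this example's
# choice), because a license lookup cannot be keyed on them.
def sbom_components(json)
  doc = JSON.parse(json)
  return [] unless doc.is_a?(Hash)

  Array(doc['components']).filter_map do |c|
    next unless c.is_a?(Hash)

    type = purl_type(c['purl'])
    next if c['name'].to_s.empty? || type.nil?

    Component.new(name: c['name'], version: c['version'], purl_type: type)
  end
rescue JSON::ParserError
  [] # malformed artifact: treat as no components rather than raising
end

sbom_components(SAMPLE_SBOM).each { |c| puts c.to_h } if __FILE__ == $PROGRAM_NAME
```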