
Draft: Add Sbom export API

Aditya Tiwari requested to merge cyclonedx-exporter into master

What does this MR do and why?

  1. Sbom Export API can be used to download a merged CycloneDX SBOM report generated in a pipeline.
  2. Merged report contains license information too.
  3. For simplicity of the first iteration, I am merging only metadata.tools and components of multiple SBOM files generated in a pipeline. This behavior is consistent with the cyclonedx-cli --merge command. On a need basis, we can add more merge features to it.
  4. Approach 1:
     • The idea is to trigger a Sidekiq background job after a successful run of a pipeline.
     • This will generate an SbomExport object with a merged JSON file.
     • The file can be downloaded using the endpoint pipelines/:id/sbom_exports/download. This endpoint will return the JSON file generated by the latest build. This MR has the demo for this approach.
  5. Approach 2: The sbom_exports API follows the same design as the dependency_list_export API. It works in the following way:
     a. Using the api/v4/projects/:project_id/sbom_exports endpoint a user can generate an sbom_exports record, which will generate a merged SBOM JSON file in a Sidekiq background job.
     b. Once the status of the sbom_exports record is finished, a user can download the generated merged JSON file using the endpoint api/v4/sbom_exports/:export_id/download.
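The merge rule in point 3 (combine only metadata.tools and components, as cyclonedx-cli --merge does), shown as an added example in Ruby. This is not code from this MR or from GitLab; the two input reports are constructed, and the de-duplication key (bom-ref, else purl, else type/name/version), the union of license entries for a component seen twice, and taking specVersion from the first input are assumptions of this example.

```ruby
# Added example, not code from this MR: merge several CycloneDX JSON SBOMs by
# combining only metadata.tools and components, the behaviour of
# `cyclonedx-cli --merge` that the MR description says it mirrors.
require 'json'

# Constructed sample reports standing in for two jobs' SBOM artifacts.
SBOM_A = <<~JSON
  {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "metadata": { "tools": [ { "vendor": "GitLab", "name": "Gemnasium", "version": "0.0.0-example" } ] },
    "components": [
      { "type": "library", "name": "rails", "version": "7.0.4", "purl": "pkg:gem/rails@7.0.4",
        "licenses": [ { "license": { "id": "MIT" } } ] },
      { "type": "library", "name": "nokogiri", "version": "1.13.9", "purl": "pkg:gem/nokogiri@1.13.9" }
    ]
  }
JSON

SBOM_B = <<~JSON
  {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "metadata": { "tools": [ { "vendor": "Aqua Security", "name": "Trivy", "version": "0.0.0-example" } ] },
    "components": [
      { "type": "library", "name": "rails", "version": "7.0.4", "purl": "pkg:gem/rails@7.0.4" },
      { "type": "library", "name": "openssl", "version": "1.1.1s", "purl": "pkg:deb/debian/openssl@1.1.1s" }
    ]
  }
JSON

# Identity used for de-duplication (assumption of this example): bom-ref when
# present, otherwise purl, otherwise type/name/version.
def component_key(component)
  component['bom-ref'] || component['purl'] ||
    [component['type'], component['name'], component['version']].join('|')
end

# Two entries with the same key: keep the first one seen and add any license
# entries the later one carries, so license data from either scanner survives.
def merge_component(existing, incoming)
  merged = existing.dup
  licenses = (existing['licenses'] || []) + (incoming['licenses'] || [])
  merged['licenses'] = licenses.uniq unless licenses.empty?
  merged
end

# Takes the JSON text of each input BOM and returns the merged document as a Hash.
def merge_sboms(json_documents)
  docs = json_documents.map { |text| JSON.parse(text) }
  docs.each_with_index do |doc, i|
    raise ArgumentError, "document #{i} is not a CycloneDX BOM" unless doc['bomFormat'] == 'CycloneDX'
  end
  # metadata.tools: concatenate and drop exact duplicates
  tools = docs.flat_map { |doc| doc.dig('metadata', 'tools') || [] }.uniq
  # components: keyed union in first-seen order
  by_key = {}
  docs.flat_map { |doc| doc['components'] || [] }.each do |component|
    key = component_key(component)
    by_key[key] = by_key.key?(key) ? merge_component(by_key[key], component) : component
  end
  {
    'bomFormat' => 'CycloneDX',
    'specVersion' => docs.first['specVersion'], # assumption: inputs share a spec version
    'version' => 1,
    'metadata' => { 'tools' => tools },
    'components' => by_key.values
  }
end

def merged_sbom_json(json_documents)
  JSON.pretty_generate(merge_sboms(json_documents))
end

if __FILE__ == $PROGRAM_NAME
  # With no arguments the constructed samples are merged; otherwise each argument is a BOM file path.
  inputs = ARGV.empty? ? [SBOM_A, SBOM_B] : ARGV.map { |path| File.read(path) }
  puts merged_sbom_json(inputs)
end
```

Run it with no arguments to see the two constructed reports collapse to three components, with rails keeping its MIT license from the first report; anything outside metadata.tools and components (dependencies, vulnerabilities, services) is intentionally dropped, matching the first-iteration scope described above.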

How to set up and validate locally

Approach 1 mentioned here

Check out the commit eefc7763304ff51e3f1d1b773a085971a7b9c890

Run the pipeline with the CI variable MERGE_SBOM: true. This can be configured in gitlab-ci.yml or can be passed directly as a pipeline variable.

Run the following curl command to get the file:

curl http://gitlab.localdev:3000/api/v4/pipelines/698/sbom_exports/download \
  --header "PRIVATE-TOKEN: TOKEN"

Approach 2 mentioned here

Check out the commit b0862dabbb25921cc5b3a82f881eeb498c2a7866

Run the following curl commands to test the feature:

curl 'http://gitlab.localdev:3000/api/v4/projects/25/sbom_exports' \
  -X 'POST' \
  --header "PRIVATE-TOKEN: Token" \
  --data "pipeline_id=:id"

> {"id":7,"has_finished":false,"self":"http://gitlab.localdev:3000/api/v4/projects/7/sbom_exports","download":"http://gitlab.localdev:3000/api/v4/sbom_exports/7/download"}
curl http://gitlab.localdev:3000/api/v4/sbom_exports/7/download \
  --header "PRIVATE-TOKEN: TOKEN"

> JSON data

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Issue

#333463 (closed)

Edited by Aditya Tiwari
