Add namespace to sbom components
What does this MR do and why?
Ingested SBOM components do not currently include the namespace of a dependency (e.g. `org.apache.tomcat` in `org.apache.tomcat/tomcat-catalina`). This creates issues matching package metadata licenses and affected packages.
This MR does the following:
- Adds `purl_qualified_name` to `Gitlab::Ci::Reports::Sbom::Component`, which uses the `purl` object to get the `namespace` when one is provided.
- Updates SBOM report ingestion (via `Sbom::Ingestion::OccurrenceMap`) to use the above method as the name of the component.
There are 2 possible sources of `name`: (1) from the string `name` argument and (2) from the `purl` object argument. We have to support both because, according to the specification, `name`, `type`, and `version` are the only required attributes.
The attributes coming from the `purl` object come normalized:
- https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/sbom/package_url/decoder.rb#L123
- https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/sbom/package_url/decoder.rb#L133
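As an added illustration (not the MR's own code, and not GitLab's `Sbom::PackageUrl` decoder), the snippet below parses the core parts of a purl and shows the two name sources described above: the plain `name` string, and the purl's `namespace`/`name` pair when a namespace exists. `SbomComponentExample`, `parse_purl` and `purl_unescape` are hypothetical names chosen for this example.

```ruby
# Added example, not GitLab's own code: a minimal purl parser plus a component
# class whose purl_qualified_name mirrors the rule described in this MR
# (namespace/name when the purl carries a namespace, else the plain name).
# The real decoder (lib/sbom/package_url/decoder.rb) is more thorough.
PurlData = Struct.new(:type, :namespace, :name, :version, keyword_init: true)

# Undo purl percent-encoding (e.g. %40 -> @); '+' is NOT a space in purls.
def purl_unescape(segment)
  segment.gsub(/%([0-9A-Fa-f]{2})/) { Regexp.last_match(1).hex.chr }
end

# Parse "pkg:type/namespace/name@version"; qualifiers and subpath are dropped.
# The namespace may span several segments (e.g. golang github.com/gorilla).
def parse_purl(purl)
  raise ArgumentError, "not a purl: #{purl}" unless purl.start_with?('pkg:')

  body = purl.delete_prefix('pkg:').sub(/#.*\z/, '').sub(/\?.*\z/, '')
  type, rest = body.split('/', 2)
  segments = rest.to_s.split('/').reject(&:empty?)
  raise ArgumentError, "missing name in #{purl}" if segments.empty?

  name, version = segments.pop.split('@', 2)
  namespace = segments.empty? ? nil : segments.map { |s| purl_unescape(s) }.join('/')
  PurlData.new(type: type, namespace: namespace,
               name: purl_unescape(name), version: version && purl_unescape(version))
end

# Stand-in for the report component: the string name is always present, the
# purl object is optional (only name, type and version are required by spec).
class SbomComponentExample
  attr_reader :name, :purl

  def initialize(name:, purl: nil)
    @name = name
    @purl = purl
  end

  # Prefer the purl-derived "namespace/name"; fall back to the plain name.
  def purl_qualified_name
    return name if purl.nil?
    return purl.name if purl.namespace.nil?

    "#{purl.namespace}/#{purl.name}"
  end
end
```

With this, `tomcat-catalina` reported with purl `pkg:maven/org.apache.tomcat/tomcat-catalina@9.0.0` ingests as `org.apache.tomcat/tomcat-catalina`, while a component with no purl (or a purl type without namespaces) keeps its plain name.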
Tradeoffs
An option here was to add a separate `namespace` column to the `sbom_components` table, but since the `purl` is not a required field and `namespace` is an attribute that doesn't exist for every package type, this would be unnecessary. Coupled with the fact that the tables involved are quite large, adding this extra column seemed overkill.
How to set up and validate locally
Running the specs should be sufficient.
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Related to #388780 (closed)