Add export SBOM API (!128974) · Merge requests · GitLab.org / GitLab

Aditya Tiwari requested to merge 333463-export-sbom-api into master Aug 10, 2023

What does this MR do and why?

Adds POST /pipelines/:id/dependency_list_exports

This endpoint will generate a dependency_list_exports with a sbom json file.

How to set up and validate locally


curl 'http://gitlab.localdev:3000/api/v4/pipelines/703/dependency_list_exports' \
  -X 'POST' \
  --header "PRIVATE-TOKEN: PT" \
  --data "export_type=sbom"

response

{"id":4,"has_finished":false,"self":"http://gitlab.localdev:3000/api/v4/dependency_list_exports/4","download":"http://gitlab.localdev:3000/api/v4/dependency_list_exports/4/download"}

curl http://gitlab.localdev:3000/api/v4/dependency_list_exports/4 \
  --header "PRIVATE-TOKEN: PT"

response

{"id":4,"has_finished":true,"self":"http://gitlab.localdev:3000/api/v4/dependency_list_exports/4","download":"http://gitlab.localdev:3000/api/v4/dependency_list_exports/4/download"}


curl http://gitlab.localdev:3000/api/v4/dependency_list_exports/4/download \
  --header "PRIVATE-TOKEN: PT"

response

{"bomFormat":"CycloneDX","specVersion":"1.4","serialNumber":"urn:uuid:0044353d-2a3a-4ecc-aa07-14bacd908b37","version":1,"metadata":{"authors":[{"name":"GitLab","email":"support@gitlab.com"}],"properties":[{"name":"gitlab:dependency_scanning:input_file","value":"build.gradle"},{"name":"gitlab:dependency_scanning:input_file:path","value":"build.gradle"},{"name":"gitlab:dependency_scanning:package_manager","value":"gradle"},{"name":"gitlab:dependency_scanning:package_manager:name","value":"gradle"},{"name":"gitlab:meta:schema_version","value":"1"}],"tools":[{"vendor":"GitLab","name":"Gemnasium","version":"4.2.0"}]},"components":[{"name":"antlr/antlr","version":"2.7.7","purl":"pkg:maven/antlr/antlr@2.7.7","type":"library","licenses":[{"license":{"id":"BSD-3-Clause","url":"https://spdx.org/licenses/BSD-3-Clause.html"}},{"license":{"name":"unknown"}},{"license":{"name":"unknown"}}]},{"name":"com.fasterxml.jackson.core/jackson-annotations","version":"2.9.0","purl":"pkg:maven/com.fasterxml.jackson.core/jackson-annotations@2.9.0","type":"library","licenses":[{"license":{"id":"Apache-2.0","url":"https://spdx.org/licenses/Apache-2.0.html"}},{"license":{"id":"Apache-2.0","url":"https://spdx.org/licenses/Apache-2.0.html"}},{"license":{"id":"LGPL-2.1-only","url":"https://spdx.org/licenses/LGPL-2.1-only.html"}},{"license":{"id":"Apache-2.0","url":"https://spdx.org/licenses/Apache-2.0.html"}},{"license":{"id":"LGPL-2.1-only","url":"https://spdx.org/licenses/LGPL-2.1-only.html"}}]},{"name":"com.fasterxml.jackson.core/jackson-core","version":"2.9.2","purl":"pkg:maven/com.fasterxml.jackson.core/jackson-core@2.9.2","type":"library","licenses":[{"license":{"id":"Apache-2.0","url":"https://spdx.org/licenses/Apache-2.0.html"}},{"license":{"id":"Apache-2.0","url":"https://spdx.org/licenses/Apache-2.0.html"}},{"license":{"id":"LGPL-2.1-only","url":"https://spdx.org/licenses/LGPL-2.1-only.html"}},{"license":{"id":"Apache-2.0","url":"https://spdx.org/licenses/Apache-2.0.html"}},{"license":{"id":"LGPL-2.1-only","url":"https://spdx.org/licenses/LGPL-2.1-only.html"}}]},{"name":"com.fasterxml.jackson.core/jackson-databind","version":"2.9.2","purl":"pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.2","type":"library","licenses":[{"license":{"name":"unknown"}}]},{"name":"com.github.stephenc.findbugs/findbugs-annotations","version":"1.3.9-1","purl":"pkg:maven/com.github.stephenc.findbugs/findbugs-annotations@1.3.9-1","type":"library","licenses":[{"license":{"id":"Apache-2.0","url":"https://spdx.org/licenses/Apache-2.0.html"}}]},{"name":"commons-beanutils/commons-beanutils","version":"1.8.3","purl":"pkg:maven/commons-beanutils/commons-beanutils@1.8.3","type":"library","licenses":[{"license":{"id":"Apache-2.0","url":"https://spdx.org/licenses/Apache-2.0.html"}}]},{"name":"commons-io/commons-io","version":"2.3","purl":"pkg:maven/commons-io/commons-io@2.3","type":"library","licenses":[{"license":{"id":"Apache-2.0","url":"https://spdx.org/licenses/Apache-2.0.html"}},{"license":{"name":"unknown"}},{"license":{"name":"unknown"}}]},{"name":"commons-lang/commons-lang","version":"2.5","purl":"pkg:maven/commons-lang/commons-lang@2.5","type":"library","licenses":[{"license":{"id":"Apache-2.0","url":"https://spdx.org/licenses/Apache-2.0.html"}}]},{"name":"io.netty/netty","version":"3.9.1.Final","purl":"pkg:maven/io.netty/netty@3.9.1.Final","type":"library","licenses":[{"license":{"id":"Apache-2.0","url":"https://spdx.org/licenses/Apache-2.0.html"}}]},{"name":"it.unimi.dsi/fastutil","version":"7.0.2","purl":"pkg:maven/it.unimi.dsi/fastutil@7.0.2","type":"library","licenses":[{"license":{"id":"Apache-2.0","url":"https://spdx.org/licenses/Apache-2.0.html"}},{"license":{"name":"unknown"}},{"license":{"name":"unknown"}}]},{"name":"javax.resource/javax.resource-api","version":"1.7","purl":"pkg:maven/javax.resource/javax.resource-api@1.7","type":"library","licenses":[{"license":{"id":"GPL-2.0-with-classpath-exception","url":"https://spdx.org/licenses/GPL-2.0-with-classpath-exception.html"}}]},{"name":"javax.transaction/javax.transaction-api","version":"1.2","purl":"pkg:maven/javax.transaction/javax.transaction-api@1.2","type":"library","licenses":[{"license":{"id":"GPL-2.0-with-classpath-exception","url":"https://spdx.org/licenses/GPL-2.0-with-classpath-exception.html"}}]},{"name":"junit/junit","version":"4.12","purl":"pkg:maven/junit/junit@4.12","type":"library","licenses":[{"license":{"id":"EPL-1.0","url":"https://spdx.org/licenses/EPL-1.0.html"}}]},{"name":"net.java.dev.jna/jna","version":"4.0.0","purl":"pkg:maven/net.java.dev.jna/jna@4.0.0","type":"library","licenses":[{"license":{"name":"unknown"}}]},{"name":"net.sf.jopt-simple/jopt-simple","version":"5.0.1","purl":"pkg:maven/net.sf.jopt-simple/jopt-simple@5.0.1","type":"library","licenses":[{"license":{"id":"MIT","url":"https://spdx.org/licenses/MIT.html"}}]},{"name":"org.apache.commons/commons-lang3","version":"3.4","purl":"pkg:maven/org.apache.commons/commons-lang3@3.4","type":"library","licenses":[{"license":{"id":"Apache-2.0","url":"https://spdx.org/licenses/Apache-2.0.html"}}]},{"name":"org.apache.geode/geode-common","version":"1.1.1","purl":"pkg:maven/org.apache.geode/geode-common@1.1.1","type":"library","licenses":[{"license":{"id":"Apache-2.0","url":"https://spdx.org/licenses/Apache-2.0.html"}}]},{"name":"org.apache.geode/geode-core","version":"1.1.1","purl":"pkg:maven/org.apache.geode/geode-core@1.1.1","type":"library","licenses":[{"license":{"id":"Apache-2.0","url":"https://spdx.org/licenses/Apache-2.0.html"}}]},{"name":"org.apache.geode/geode-json","version":"1.1.1","purl":"pkg:maven/org.apache.geode/geode-json@1.1.1","type":"library","licenses":[{"license":{"id":"Apache-2.0","url":"https://spdx.org/licenses/Apache-2.0.html"}}]},{"name":"org.apache.logging.log4j/log4j-api","version":"2.6.1","purl":"pkg:maven/org.apache.logging.log4j/log4j-api@2.6.1","type":"library","licenses":[{"license":{"id":"Apache-2.0","url":"https://spdx.org/licenses/Apache-2.0.html"}}]},{"name":"org.apache.logging.log4j/log4j-core","version":"2.6.1","purl":"pkg:maven/org.apache.logging.log4j/log4j-core@2.6.1","type":"library","licenses":[{"license":{"id":"Apache-2.0","url":"https://spdx.org/licenses/Apache-2.0.html"}}]},{"name":"org.apache.maven/maven-artifact","version":"3.3.9","purl":"pkg:maven/org.apache.maven/maven-artifact@3.3.9","type":"library","licenses":[{"license":{"id":"Apache-2.0","url":"https://spdx.org/licenses/Apache-2.0.html"}},{"license":{"name":"unknown"}},{"license":{"name":"unknown"}}]},{"name":"org.apache.shiro/shiro-core","version":"1.3.1","purl":"pkg:maven/org.apache.shiro/shiro-core@1.3.1","type":"library","licenses":[{"license":{"id":"Apache-2.0","url":"https://spdx.org/licenses/Apache-2.0.html"}}]},{"name":"org.codehaus.plexus/plexus-utils","version":"3.0.22","purl":"pkg:maven/org.codehaus.plexus/plexus-utils@3.0.22","type":"library","licenses":[{"license":{"name":"unknown"}}]},{"name":"org.hamcrest/hamcrest-core","version":"1.3","purl":"pkg:maven/org.hamcrest/hamcrest-core@1.3","type":"library","licenses":[{"license":{"id":"BSD-2-Clause","url":"https://spdx.org/licenses/BSD-2-Clause.html"}},{"license":{"id":"BSD-3-Clause","url":"https://spdx.org/licenses/BSD-3-Clause.html"}}]},{"name":"org.jgroups/jgroups","version":"3.6.10.Final","purl":"pkg:maven/org.jgroups/jgroups@3.6.10.Final","type":"library","licenses":[{"license":{"name":"unknown"}}]},{"name":"org.mozilla/rhino","version":"1.7.10","purl":"pkg:maven/org.mozilla/rhino@1.7.10","type":"library","licenses":[{"license":{"id":"MPL-2.0","url":"https://spdx.org/licenses/MPL-2.0.html"}},{"license":{"name":"unknown"}},{"license":{"id":"GPL-2.0-only","url":"https://spdx.org/licenses/GPL-2.0-only.html"}},{"license":{"name":"unknown"}},{"license":{"id":"GPL-2.0-only","url":"https://spdx.org/licenses/GPL-2.0-only.html"}}]},{"name":"org.slf4j/slf4j-api","version":"1.6.4","purl":"pkg:maven/org.slf4j/slf4j-api@1.6.4","type":"library","licenses":[{"license":{"id":"OLDAP-2.1","url":"https://spdx.org/licenses/OLDAP-2.1.html"}},{"license":{"id":"OLDAP-2.2","url":"https://spdx.org/licenses/OLDAP-2.2.html"}}]}]}

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

I have evaluated the MR acceptance checklist for this MR.

Related to #333463 (closed)

Edited Sep 05, 2023 by Aditya Tiwari

Add export SBOM API

What does this MR do and why?

How to set up and validate locally

MR acceptance checklist

Merge request reports