
Draft: Ingest source_package_name to Sbom::ComponentVersion

What does this MR do and why?

Ingest source_package_name into Sbom::ComponentVersion (the component_version table). We need this to correctly match container scanning findings from the Trivy scanner against SBOM components.

This code is cherry-picked from the previous iteration of this solution, !136241 (closed).

How to set up and validate locally

Using GDK

  1. Create a project with the following content in .gitlab-ci.yml:

     variables:
       CS_IMAGE: 'golang:1.20-alpine'

     include:
       - template: Jobs/Container-Scanning.gitlab-ci.yml

  2. Run a pipeline and make sure that a container_scanning:cyclonedx report is created.

  3. In a Rails console, list the component versions of apk components:

     Sbom::ComponentVersion.where(component_id: Sbom::Component.where(purl_type: 'apk').pluck(:id)).all

  4. Ensure that the source_package_name column has data. Check that the source_package_name field equals alpine-baselayout for the component named alpine/alpine-baselayout-data.
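The reason the column matters is visible in the validation step above: the installed apk component is alpine/alpine-baselayout-data, while the Trivy finding is reported against the source package alpine-baselayout, so a name-only match misses it. The following is an added illustration, not code from this MR or from GitLab: it parses a constructed CycloneDX document, carries the source package name onto a stand-in for Sbom::ComponentVersion, and shows the match succeeding only when source_package_name is consulted. The property name aquasecurity:trivy:SrcName is assumed to be the one Trivy writes for the source package, and purl_type is denormalised onto the stand-in record (in GitLab it lives on Sbom::Component).

```ruby
require 'json'

# Constructed sample: a minimal CycloneDX document in the shape Trivy emits for an
# Alpine-based image. The "aquasecurity:trivy:SrcName" property is assumed to be
# the one Trivy uses for the source package.
SAMPLE_CYCLONEDX = <<~JSON
  {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
      {
        "type": "library",
        "name": "alpine/alpine-baselayout-data",
        "version": "3.4.3-r1",
        "purl": "pkg:apk/alpine/alpine-baselayout-data@3.4.3-r1?distro=3.18.0",
        "properties": [
          { "name": "aquasecurity:trivy:PkgType", "value": "alpine" },
          { "name": "aquasecurity:trivy:SrcName", "value": "alpine-baselayout" }
        ]
      },
      {
        "type": "library",
        "name": "golang.org/x/net",
        "version": "v0.7.0",
        "purl": "pkg:golang/golang.org/x/net@v0.7.0"
      }
    ]
  }
JSON

# Stand-in for an Sbom::ComponentVersion row. purl_type is denormalised here so the
# example is self-contained; in GitLab it belongs to Sbom::Component.
ComponentVersion = Struct.new(:name, :version, :purl_type, :source_package_name, keyword_init: true)

# "pkg:apk/alpine/foo@1.0" -> "apk"; nil for a missing or malformed purl.
def purl_type_of(purl)
  match = purl.to_s.match(%r{\Apkg:([^/]+)/})
  match && match[1]
end

# Ingest every component of the BOM, carrying the source package name along when present.
def ingest_component_versions(bom_json)
  bom = JSON.parse(bom_json)
  bom.fetch('components', []).map do |component|
    src = component.fetch('properties', []).find { |p| p['name'] == 'aquasecurity:trivy:SrcName' }
    ComponentVersion.new(
      name: component['name'],
      version: component['version'],
      purl_type: purl_type_of(component['purl']),
      source_package_name: src && src['value']
    )
  end
end

# Select the component versions a finding applies to. Trivy reports findings against the
# source package, so without source_package_name a finding on "alpine-baselayout" does not
# match the installed "alpine/alpine-baselayout-data" sub-package.
def matching_component_versions(component_versions, package_name:, purl_type:, use_source_package: true)
  component_versions.select do |cv|
    next false unless cv.purl_type == purl_type

    candidates = [cv.name, cv.name.split('/').last]
    candidates << cv.source_package_name if use_source_package && cv.source_package_name
    candidates.include?(package_name)
  end
end

if $PROGRAM_NAME == __FILE__
  versions = ingest_component_versions(SAMPLE_CYCLONEDX)
  versions.each { |cv| puts "#{cv.name} #{cv.version} (#{cv.purl_type}) src=#{cv.source_package_name.inspect}" }
  without = matching_component_versions(versions, package_name: 'alpine-baselayout', purl_type: 'apk', use_source_package: false)
  with = matching_component_versions(versions, package_name: 'alpine-baselayout', purl_type: 'apk')
  puts "matches without source_package_name: #{without.size}, with: #{with.size}"
end
```

Running the file lists both components and reports zero matches for the apk finding when the source package name is ignored and one match when it is used, which is the behaviour the manual check in step 4 confirms against the real table.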

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #427095 (closed)

Edited by Tetiana Chupryna
