Update package manager and input file path field ingestion
What does this MR do and why?
SBOM components found by Trivy have their source attributes at the component level instead of the root level. This makes sense in the context of container scanning because there are certain properties that you cannot share when scanning a container image. For example, you cannot declare a file path at the root level, because OS components can live in various directories like `/usr/local/lib/`, `/usr/bin/`, and many others. This MR sources the `package_manager` and the `input_file_path` attributes from either the components' `properties` or the components' `source` instead of strictly only checking the `source`.
Changelog: changed
EE: true
IMPORTANT: The `properties` field takes precedence over the `source` field, as the values there are deemed to be more specific.
The list of package types supported by Trivy is found in their cyclonedx package.
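The per-field precedence described above (component `properties` first, SBOM-level `source` as the fallback), as an added Ruby example that is not GitLab's or Trivy's own code. The Trivy property names `aquasecurity:trivy:PkgType` and `aquasecurity:trivy:FilePath`, the `alpine` to `apk` mapping, and the shape of the `source` hash are assumptions made for this example; the authoritative list of package types lives in Trivy's cyclonedx package, as the MR notes. The sample components are constructed to mirror the rows in the psql output below.

```ruby
require 'json'

# Added example, not GitLab's or Trivy's code: resolve package_manager and
# input_file_path for one CycloneDX component, taking values from the
# component's `properties` first and falling back to the SBOM-level `source`.
module SbomFieldResolver
  # Trivy property names (assumed here; verify against Trivy's cyclonedx package).
  PKG_TYPE_PROPERTY  = 'aquasecurity:trivy:PkgType'
  FILE_PATH_PROPERTY = 'aquasecurity:trivy:FilePath'

  # Trivy package type -> package manager name shown in the dependency list.
  # Only the alpine entry comes from the MR output; any other type is passed
  # through unchanged (assumed behaviour for this example).
  PKG_TYPE_TO_PACKAGE_MANAGER = { 'alpine' => 'apk' }.freeze

  # Look up a named entry in the component's CycloneDX properties array.
  def self.property(component, name)
    entry = Array(component['properties']).find { |p| p['name'] == name }
    entry && entry['value']
  end

  # package_manager: the component property wins, the source is the fallback.
  def self.package_manager(component, source)
    pkg_type = property(component, PKG_TYPE_PROPERTY)
    return PKG_TYPE_TO_PACKAGE_MANAGER.fetch(pkg_type, pkg_type) if pkg_type

    source && source['package_manager']
  end

  # input_file_path: same rule, applied independently per field, so a component
  # may take one field from its properties and the other from the source.
  def self.input_file_path(component, source)
    property(component, FILE_PATH_PROPERTY) || (source && source['input_file_path'])
  end

  def self.resolve(component, source = nil)
    {
      component_name: component['name'],
      package_manager: package_manager(component, source),
      input_file_path: input_file_path(component, source)
    }
  end
end

# Constructed sample inputs (not from a real SBOM), shaped after the MR's output.

# Gemnasium style: no component properties, both fields live in the root source.
GEMNASIUM_SOURCE = { 'package_manager' => 'npm', 'input_file_path' => 'package-lock.json' }.freeze
GEMNASIUM_COMPONENT = JSON.parse('{"name": "macaddress", "properties": []}')

# Trivy style: the package type is a component property; a container image has
# no per-component file path, so that field still comes from the source.
TRIVY_SOURCE = { 'input_file_path' => 'container-image:alpine:3.12.0' }.freeze
TRIVY_COMPONENT = JSON.parse(<<~JSON)
  {
    "name": "musl",
    "properties": [
      {"name": "aquasecurity:trivy:PkgType", "value": "alpine"}
    ]
  }
JSON

# Both present: the property values are the more specific ones and win.
CONFLICT_COMPONENT = JSON.parse(<<~JSON)
  {
    "name": "macaddress",
    "properties": [
      {"name": "aquasecurity:trivy:PkgType", "value": "npm"},
      {"name": "aquasecurity:trivy:FilePath", "value": "app/package-lock.json"}
    ]
  }
JSON

if __FILE__ == $PROGRAM_NAME
  [[GEMNASIUM_COMPONENT, GEMNASIUM_SOURCE],
   [TRIVY_COMPONENT, TRIVY_SOURCE],
   [CONFLICT_COMPONENT, GEMNASIUM_SOURCE]].each do |component, source|
    puts SbomFieldResolver.resolve(component, source).inspect
  end
end
```

The third sample is the case the IMPORTANT note is about: when a component carries both a property and a root-level source value for the same field, the property is used and the source value is ignored, while a Trivy container component with no file path property still falls back to the source for that one field.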
Closes #432146 (closed)
Closes #421041 (closed)
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Screenshots or screen recordings
Screenshots are required for UI changes, and strongly recommended for all other merge requests.
.gitlab-ci.yml
```yaml
software_composition_analysis:
  image: busybox:1
  stage: test
  script:
    - echo 'Uploading CycloneDX SBOM reports'
    - find . -iname 'gl-sbom-*.cdx.json' -print
  artifacts:
    paths:
      - '**/gl-sbom-*.cdx.json'
    reports:
      cyclonedx: '**/gl-sbom-*.cdx.json'
```
Gemnasium + Trivy SBOM (testing edge cases)
gl-sbom-combined-report.cdx.json
Trivy SBOM for docker.io/library/alpine:3.12.0
Trivy SBOM for docker.io/library/node:alpine3.19
Ingested input file path and package manager name
gitlabhq_development=# select component_name, input_file_path, package_manager, project_id from sbom_occurrences;
component_name | input_file_path | package_manager | project_id
-------------------------------+-------------------------------+-----------------+------------
macaddress | package-lock.json | npm | 19
alpine/alpine-baselayout | container-image:alpine:3.12.0 | apk | 20
alpine/alpine-keys | container-image:alpine:3.12.0 | apk | 20
alpine/apk-tools | container-image:alpine:3.12.0 | apk | 20
alpine/busybox | container-image:alpine:3.12.0 | apk | 20
alpine/musl | container-image:alpine:3.12.0 | apk | 20
macaddress | package-lock.json | npm | 20
alpine/ca-certificates-bundle | container-image:alpine:3.12.0 | apk | 20
alpine/libc-utils | container-image:alpine:3.12.0 | apk | 20
alpine/libcrypto1.1 | container-image:alpine:3.12.0 | apk | 20
alpine/libssl1.1 | container-image:alpine:3.12.0 | apk | 20
alpine/libtls-standalone | container-image:alpine:3.12.0 | apk | 20
alpine/musl-utils | container-image:alpine:3.12.0 | apk | 20
alpine/scanelf | container-image:alpine:3.12.0 | apk | 20
alpine/ssl_client | container-image:alpine:3.12.0 | apk | 20
alpine/zlib | container-image:alpine:3.12.0 | apk | 20
(16 rows)
How to set up and validate locally
Numbered steps to set up and validate the change are strongly suggested.
- Make sure you have the project-level SBOM occurrences feature flag enabled, and enable it if not:
  `Feature.enabled?(:project_level_sbom_occurrences) || Feature.enable(:project_level_sbom_occurrences)`
- Create a new group and a project with the included `.gitlab-ci.yml` file.
- Add the Trivy SBOM and the combined SBOM, and wait for the occurrences to ingest.
- Load the project's dependency list page and verify that the container scanning components have the Packager and Location fields populated correctly. Do the same on the group dependency list page.
- Verify that this works as expected for components with a file path by using the SBOM for `docker.io/library/node:alpine3.19`.
Related to #432146 (closed)