Set SBOM occurrence source to registry_event
What does this MR do and why?
Set SBOM occurrence source to container_scanning_for_registry
During SBOM ingestion, create SBOM components with the occurrence.source (sbom_source table) type set to container_scanning_for_registry.
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Testing
- Tested the new report schema with a version of GitLab that does not have support for the new schema, here: https://gitlab.com/atiwari71/cs-for-registry-witn-new-prop/-/dependencies, and it does not break anything.
How to set up and validate locally
- Create a project containing the SBOM file gl-sbom-report.cdx__4_.json (note that this name does not match the gl-sbom-*.cdx.json artifact glob used below, so save it under a matching name such as gl-sbom-report.cdx.json before running the pipeline).
- Run the pipeline with the following .gitlab-ci.yml file:

```yaml
stages:
  - build

manual-sbom-upload:
  stage: build
  script:
    - echo "hello, world!"
  artifacts:
    paths:
      - "**/gl-sbom-*.cdx.json"
    reports:
      cyclonedx: "**/gl-sbom-*.cdx.json"
```
- Open the Rails console and check Sbom::Occurrence.last.source; it should look like the following:

```ruby
#<Sbom::Source:0x0000000158a9de28
 id: 13171,
 created_at: Wed, 01 May 2024 07:33:08.126146000 UTC +00:00,
 updated_at: Wed, 01 May 2024 07:33:08.466140000 UTC +00:00,
 source_type: "container_scanning_for_registry",
 source:
  {"image"=>{"tag"=>"latest", "name"=>"registry.gitlab.com/atiwari71/container-scanning-test"},
   "operating_system"=>{"name"=>"alpine", "version"=>"3.7.3"}}>
```
Related to #443634 (closed)
Edited by Aditya Tiwari