
feat: Decompose sbom_source_packages from sbom_occurrences

Lucas Charles requested to merge decompose-sbom_source_packages into master

What does this MR do and why?

Transition sbom_source_packages to loose foreig... (#469539 - closed)

  • Moves the sbom_source_packages table to the gitlab_sec DB
  • Updates the sbom_occurrences.source_package_id foreign key to allowlist cross-database joins

Allowing cross-DB joins is a temporary measure until the sbom_occurrences table can also be migrated to the gitlab_sec DB; see the parent epic for the full scope of the effort.

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

How to set up and validate locally

This is somewhat involved but can be tested as described:

  1. In GDK, the gitlab_sec DB can either be enabled as an independent database or left at the default behavior, which falls back to using the main DB. To enable it:
    1. gdk config set gitlab.rails.databases.sec.enabled true
    2. gdk reconfigure
    3. rake db:create db:migrate
  2. Ingest an SBOM report. The easiest way is to use a fixture, setting the file as a CI job's CycloneDX report artifact so it is uploaded directly:
      gemnasium-dependency_scanning:
        stage: test
        script: 'pwd'
        artifacts:
          reports:
            cyclonedx: "**/gl-sbom-*.cdx.json"
  3. Ensure the pipeline has completed successfully and its Sidekiq jobs have finished
  4. Check the project dependency list for results
Edited by Lucas Charles
