Fix SBOM export when tools property has different structure
What does this MR do and why?
Fix SBOM export when tools property has different structure.
The CycloneDX spec allows for two variants of the tools property, one being an array and the second a hash. The existing codebase always assumed the value is an array, and the export logic fails to generate a valid CycloneDX document matching version 1.4 of the spec.
This MR allows both forms to be processed and converts the value to the format that matches the CycloneDX 1.4 spec.
refs #461240 (closed)
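To illustrate the two forms of the `tools` property and the conversion described above, here is an added example (not the MR's own code): a normaliser that accepts either variant and emits the array form CycloneDX 1.4 requires. Mapping a component's `group`/`publisher` onto the 1.4 `vendor` field, and the `SbomToolsNormalizer` name itself, are assumptions.

```ruby
require 'json'

# Added example (not the MR's code): normalise the CycloneDX `metadata.tools`
# property to the array form required by CycloneDX 1.4, starting from either
# variant the spec allows: an array of tool objects, or an object holding
# `components` / `services` arrays.
module SbomToolsNormalizer
  TOOL_KEYS = %w[vendor name version].freeze

  # Returns an array of 1.4-style tool objects (vendor/name/version only).
  def self.normalize(tools)
    case tools
    when nil then []
    when Array then tools.filter_map { |t| legacy_tool(t) }
    when Hash
      entries = Array(tools['components']) + Array(tools['services'])
      entries.filter_map { |c| from_component(c) }
    else
      raise ArgumentError, "unsupported tools type: #{tools.class}"
    end
  end

  # Array form: keep only the keys a 1.4 tool object carries.
  def self.legacy_tool(tool)
    return nil unless tool.is_a?(Hash)
    tool.slice(*TOOL_KEYS).compact.then { |t| t.empty? ? nil : t }
  end

  # Object form: assumption - `group` (or `publisher`) is the closest
  # match for the 1.4 `vendor` field.
  def self.from_component(component)
    return nil unless component.is_a?(Hash)
    {
      'vendor' => component['group'] || component['publisher'],
      'name' => component['name'],
      'version' => component['version']
    }.compact.then { |t| t.empty? ? nil : t }
  end

  # Merges the tools of several reports into one de-duplicated 1.4 array,
  # so a report using the object form no longer ends up as a non-object
  # element inside `/metadata/tools`.
  def self.merge(*tools_values)
    tools_values.flat_map { |v| normalize(v) }.uniq
  end
end

# Constructed sample input: one report uses the array form, one the object form.
REPORT_A_TOOLS = [{ 'vendor' => 'Acme', 'name' => 'scanner', 'version' => '1.0' }]
REPORT_B_TOOLS = { 'components' => [{ 'type' => 'application', 'group' => 'Acme',
                                      'name' => 'other-tool', 'version' => '2.1' }] }
```

Running `SbomToolsNormalizer.merge(REPORT_A_TOOLS, REPORT_B_TOOLS)` yields two plain tool objects, which is the shape the 1.4 schema validator expects at every index of `/metadata/tools`.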
How to set up and validate locally
- checkout the master branch of gitlab in your gdk
- clone/copy https://gitlab.com/gitlab-org/secure/tests/olivier/sbom-error-merge-tools in your gdk
- ensure a pipeline is running
- start a rails console and execute the following:

```ruby
pipeline = Ci::Pipeline.last
merged_report = Sbom::MergeReportsService.new(pipeline.sbom_reports.reports).execute
serializer_service = Sbom::ExportSerializers::JsonService.new(merged_report)
serializer_service.execute
serializer_service.valid?
serializer_service.errors
```

- the generated report should be invalid and errors should be: `["property '/metadata/tools/1' is not of type: object"]`
- checkout the `461240_fix_tools_merge_in_SBOM_export` branch
- repeat steps 2 and 3
- the generated report should now be valid and errors should be empty