
Add data structures for SBoM report parsing

Brian Williams requested to merge bwill/sbom-report-parser/structures into master

What does this MR do and why?

Background

This MR is one of four parts for implementing a CI report parser for CycloneDX Software Bill of Materials (SBoM) documents.

  1. Add data structures for SBoM report parsing (!92813 - merged) 👈 You are here.
  2. Add CycloneDX report parser (!92821 - merged)
  3. Add CycloneDX report validation (!92823 - merged)
  4. Add parser for CycloneDX properties (!93219 - merged)

These reports will be output by CI jobs and stored as job artifacts (!91510 (merged)). The reports will be parsed (implemented in this MR), and then passed to a report ingestion service which will store the report objects in the database. The resulting data can be used as a software inventory, and will eventually be used to determine if a given project or dependency is affected by a known vulnerability.

This MR

Adds the initial data structures which will be filled with data from the CycloneDX JSON documents.

Data Dictionary

  • Component: A software dependency, corresponding to the components field on the CycloneDX report.
  • Source: GitLab-specific information about how the component was introduced to the project (ex: via Gemfile.lock or a container image)
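To make the two dictionary entries concrete, here is an added Ruby example (not GitLab's code from this MR) of value objects for Component and Source, plus a small reader that fills them from a CycloneDX JSON document. Only `bomFormat`, `components`, `name`, `version`, `purl` and `type` are real CycloneDX field names; the `source_type`/`data` fields on Source, the `Report` wrapper, and the sample document are assumptions constructed for this example. It also shows two things a parser feeding an inventory wants: recording a malformed entry instead of discarding the whole report, and deduplicating components by package URL.

```ruby
require 'json'

# Added example, not GitLab's implementation. Field names other than the
# CycloneDX ones (bomFormat, components, name, version, purl, type) are assumed.
module SbomExample
  # Component: a software dependency taken from the CycloneDX `components` array.
  Component = Struct.new(:name, :version, :purl, :component_type, keyword_init: true) do
    # The package URL is the stable identity of a dependency; fall back to
    # name@version for components that lack one.
    def key
      purl || "#{name}@#{version}"
    end
  end

  # Source: GitLab-specific information about how the component entered the
  # project (e.g. via Gemfile.lock or a container image). `source_type` and
  # `data` are assumed field names for this example.
  Source = Struct.new(:source_type, :data, keyword_init: true)

  # Container for everything read from one report (assumed structure).
  Report = Struct.new(:components, :source, :errors, keyword_init: true)

  # Reads a CycloneDX document (already parsed from JSON into a Hash) into the
  # structures above. Malformed entries are recorded in `errors` rather than
  # raising, so one bad component does not discard the whole inventory.
  def self.from_hash(doc, source: nil)
    errors = []
    unless doc['bomFormat'] == 'CycloneDX'
      errors << "unexpected bomFormat: #{doc['bomFormat'].inspect}"
    end

    raw = doc['components']
    raw = [] unless raw.is_a?(Array)

    components = []
    raw.each_with_index do |entry, i|
      unless entry.is_a?(Hash) && entry['name'].is_a?(String) && !entry['name'].empty?
        errors << "components[#{i}]: missing or invalid name"
        next
      end
      components << Component.new(
        name: entry['name'],
        version: entry['version'],
        purl: entry['purl'],
        component_type: entry['type']
      )
    end

    # A dependency listed twice in the report is counted once in the inventory.
    components = components.uniq(&:key)

    Report.new(components: components, source: source, errors: errors)
  end

  def self.from_json(text, source: nil)
    from_hash(JSON.parse(text), source: source)
  end

  # Constructed sample document: two valid components, one duplicate of the
  # first, and one entry with no name.
  SAMPLE_REPORT = <<~JSON
    {
      "bomFormat": "CycloneDX",
      "specVersion": "1.4",
      "components": [
        {"type": "library", "name": "rails", "version": "7.0.3", "purl": "pkg:gem/rails@7.0.3"},
        {"type": "library", "name": "nokogiri", "version": "1.13.6", "purl": "pkg:gem/nokogiri@1.13.6"},
        {"type": "library", "name": "rails", "version": "7.0.3", "purl": "pkg:gem/rails@7.0.3"},
        {"type": "library", "version": "1.0.0"}
      ]
    }
  JSON

  # Constructed sample source: the report came from a lockfile scan.
  SAMPLE_SOURCE = Source.new(source_type: 'dependency_scanning',
                             data: { 'input_file' => 'Gemfile.lock' })
end

if $PROGRAM_NAME == __FILE__
  report = SbomExample.from_json(SbomExample::SAMPLE_REPORT, source: SbomExample::SAMPLE_SOURCE)
  report.components.each { |c| puts "#{c.key} (#{c.component_type}) from #{report.source.data['input_file']}" }
  report.errors.each { |e| puts "warning: #{e}" }
end
```

Running the file prints the two unique components with their source file and one warning for the nameless entry; the ingestion step that follows this MR can then store the Report's components and attach the Source without re-reading the JSON.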

FAQ

How to set up and validate locally

N/A

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Brian Williams
