
Add CycloneDX report parser

What does this MR do and why?

Background

This MR is one of four parts for implementing a CI report parser for CycloneDX Software Bill of Materials (SBoM) documents.

  1. Add data structures for SBoM report parsing (!92813 - merged)
  2. Add CycloneDX report parser (!92821 - merged) 👈 You are here.
  3. Add CycloneDX report validation (!92823 - merged)
  4. Add parser for CycloneDX properties (!93219 - merged)

These reports will be output by CI jobs and stored as job artifacts (!91510 (merged)). The reports will be parsed (implemented in this MR) and then passed to a report ingestion service, which will store the report objects in the database. The resulting data can be used as a software inventory, and will eventually be used to determine whether a given project or dependency is affected by a known vulnerability.

This MR

Adds the parser which processes the JSON data and outputs it via the report data structures added in Add data structures for SBoM report parsing (!92813 - merged).

Data Dictionary

  • Component: A software dependency, corresponding to the components field on the CycloneDX report.
  • Source: GitLab-specific information about how the component was introduced to the project (e.g. via Gemfile.lock or a container image).

FAQ

How to set up and validate locally

Start the rails console:

bundle exec rails c

Run this Ruby code:

require 'open-uri' # URI.open is provided by open-uri, which the console may not have loaded
json_data = URI.open('https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium/-/raw/add14250d79425e40d2d7724de34a3906d826fda/qa/expect/js-npm/default/cyclonedx-npm-npm.json').read
report = Gitlab::Ci::Reports::Sbom::Report.new
Gitlab::Ci::Parsers::Sbom::Cyclonedx.new(json_data, report).parse!

pp report.components # prints the parsed components
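As an added, stand-alone illustration of what such a parser does (this is not GitLab's own Gitlab::Ci::Parsers::Sbom::Cyclonedx code, and every class and method name below is an assumption): a minimal Ruby parser over a constructed CycloneDX document that fills a report with entries from the components field and records unusable input (wrong bomFormat, malformed JSON, a component without a name) as errors instead of raising, so one bad entry does not discard the rest of the inventory.

```ruby
require 'json'

# Added example, not GitLab's Gitlab::Ci::Parsers::Sbom::Cyclonedx class;
# every class and method name below is an assumption made for illustration.
module SbomExample
  # One entry of the CycloneDX "components" array.
  Component = Struct.new(:name, :version, :type, :purl, keyword_init: true)
  Report = Struct.new(:components, :errors) # the object the parser fills in

  class CyclonedxParser
    def initialize(json_data, report)
      @json_data = json_data
      @report = report
    end

    # Components land in report.components; anything unusable is recorded in
    # report.errors instead of raising, so one bad entry does not lose the rest.
    def parse!
      data = JSON.parse(@json_data)
      data = {} unless data.is_a?(Hash)
      unless data['bomFormat'] == 'CycloneDX'
        @report.errors << "unsupported bomFormat: #{data['bomFormat'].inspect}"
        return @report
      end
      Array(data['components']).each do |raw|
        unless raw.is_a?(Hash) && !raw['name'].to_s.empty?
          @report.errors << 'skipped component without a name'
          next
        end
        @report.components << Component.new(name: raw['name'], version: raw['version'],
                                            type: raw['type'], purl: raw['purl'])
      end
      @report
    rescue JSON::ParserError => e
      @report.errors << "invalid JSON: #{e.message}"
      @report
    end
  end

  # Constructed sample document (not a real analyzer output).
  SAMPLE_JSON = '{"bomFormat":"CycloneDX","specVersion":"1.4","components":[' \
    '{"type":"library","name":"example-lib","version":"1.0.0","purl":"pkg:npm/example-lib@1.0.0"},' \
    '{"type":"library","name":"","version":"9.9.9"},' \
    '{"type":"library","name":"other-lib","version":"2.3.4","purl":"pkg:npm/other-lib@2.3.4"}]}'

  def self.parse_sample
    CyclonedxParser.new(SAMPLE_JSON, Report.new([], [])).parse!
  end
end
```

Running `SbomExample.parse_sample` yields two components and one recorded error for the nameless entry.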

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Brian Williams
