Store dependency scanning SBoMs as reports (!99126) · Merge requests · GitLab.org / GitLab

Brian Williams requested to merge bwill/use-reports-keyword-for-sboms into master Sep 28, 2022

What does this MR do and why?

Describe in detail what your merge request does and why.

In order for GitLab to ingest SBoM reports, the report artifacts need to be saved using the CycloneDX report keyword. This MR changes the dependency scanning template to store the SBoMs as reports so that they can be ingested by the Rails backend.

How to set up and validate locally

Numbered steps to set up and validate the change are strongly suggested.

This change can be tested on gitlab.com

Go to https://gitlab.com/projects/new#create_from_template
Select NodeJS Express
Choose a project name and namespace

Create a .gitlab-ci.yml file with this content:

include:
  - remote: https://gitlab.com/gitlab-org/gitlab/-/raw/<LATEST_COMMIT_FROM_THIS_BRANCH>/lib/gitlab/ci/templates/Jobs/Dependency-Scanning.gitlab-ci.yml

Example pipeline: https://gitlab.com/bwill/node/-/pipelines/654154909

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

I have evaluated the MR acceptance checklist for this MR.

Edited Sep 29, 2022 by Brian Williams

Store dependency scanning SBoMs as reports

What does this MR do and why?

How to set up and validate locally

MR acceptance checklist

Merge request reports