Create artifact report type for SBOM files
## Why are we doing this work

https://gitlab.com/gitlab-org/gitlab/-/issues/350509+ added support for outputting `cyclonedx-<package-type>-<package-manager>.json`. These `cyclonedx-<package-type>-<package-manager>.json` files are output automatically when including the `Dependency-Scanning.gitlab-ci.yml` template, as implemented in https://gitlab.com/gitlab-org/gitlab/-/merge_requests/80693+.

The purpose of this issue is to create a new [Artifact report](https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html) for these CycloneDX SBOM files, using a structure similar to [artifacts:reports:coverage_report](https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html#artifactsreportscoverage_report), for example:

```yaml
artifacts:
  reports:
    sbom:
      format: cyclonedx
      paths:
        - gl-sbom-*.cdx.json
```

## Relevant link

This is part of a wider epic to add SBOM ingestion: gitlab-org&8024

## Non-functional requirements

- [ ] Documentation: tbd
- [ ] Feature flag: tbd
- [ ] Performance: tbd
- [ ] Testing: tbd

## Proposal

Add an `sbom` report type so that sbom artifacts can be saved to the database and [processed by a background worker](https://gitlab.com/gitlab-org/gitlab/-/issues/365661).
### Implementation Plan

- [x] (weight: 3) ~backend Update the following components to add an `sbom` report type
  - [x] [Ci::JobArtifact](https://gitlab.com/gitlab-org/gitlab/-/blob/master/app/models/ci/job_artifact.rb)
  - [x] [EE::Ci::JobArtifact](https://gitlab.com/gitlab-org/gitlab/-/blob/master/ee/app/models/ee/ci/job_artifact.rb)
  - [x] [EE::Ci::Build](https://gitlab.com/gitlab-org/gitlab/-/blob/master/ee/app/models/ee/ci/build.rb)
  - [x] [Gitlab::Ci::Config::Entry::Reports](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/config/entry/reports.rb)
- [x] (weight: 3) update CI reports to add an `sbom:format` keyword (using [coverage_report:coverage_format MR](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/81378) as a guide)
- [x] (weight: 3) ~backend add `Gitlab::Ci::Config::Entry::Reports::Sbom` to https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/config/entry/reports specifying the `format` and `path` keys
- [x] (weight: 2) ~documentation update report types documentation to add `sbom` https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html
- [x] (weight: 2) ~backend update [json schema](https://docs.gitlab.com/ee/development/cicd/schema.html#json-schemas) to include validation for the new report type
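
The kind of validation the plan calls for, as an added Ruby sketch that is not GitLab's implementation: it checks the proposed `sbom` entry and reports which produced files the declared `paths` would fail to collect. Assumptions: the keys are `format` and `paths` as in the YAML example, only `cyclonedx` is accepted, globs follow Ruby's `File.fnmatch`, and the helper names and sample file names are constructed for illustration.

```ruby
# Added illustration; not GitLab's implementation.
# Assumption: only the `cyclonedx` format shown in the issue is accepted.
ALLOWED_SBOM_FORMATS = %w[cyclonedx].freeze

# Returns a list of error strings for an `artifacts:reports:sbom` entry
# (already parsed from YAML into a Hash with string keys).
def sbom_report_errors(entry)
  return ['sbom must be a hash'] unless entry.is_a?(Hash)

  errors = []
  unknown = entry.keys - %w[format paths]
  errors << "unknown keys: #{unknown.join(', ')}" unless unknown.empty?

  unless ALLOWED_SBOM_FORMATS.include?(entry['format'])
    errors << "format must be one of: #{ALLOWED_SBOM_FORMATS.join(', ')}"
  end

  paths = entry['paths']
  if !paths.is_a?(Array) || paths.empty?
    errors << 'paths must be a non-empty array'
  elsif !paths.all? { |p| p.is_a?(String) && !p.empty? }
    errors << 'paths must contain only non-empty strings'
  end
  errors
end

# Returns the produced files that no `paths` glob would collect, so a
# naming mismatch shows up as a finding instead of a silently missing SBOM.
def uncollected_sbom_files(entry, produced_files)
  globs = Array(entry['paths'])
  produced_files.reject do |file|
    globs.any? { |glob| File.fnmatch(glob, file, File::FNM_PATHNAME) }
  end
end

# Constructed sample input: the entry from the issue's YAML example and
# two file names instantiating the two naming patterns the issue mentions.
ENTRY = { 'format' => 'cyclonedx', 'paths' => ['gl-sbom-*.cdx.json'] }.freeze
PRODUCED = %w[gl-sbom-gem-bundler.cdx.json cyclonedx-gem-bundler.json].freeze

if __FILE__ == $PROGRAM_NAME
  puts sbom_report_errors(ENTRY).inspect
  puts uncollected_sbom_files(ENTRY, PRODUCED).inspect
end
```

With the sample input, the entry validates cleanly but the file named after the `cyclonedx-<package-type>-<package-manager>.json` pattern is not matched by the `gl-sbom-*.cdx.json` glob.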