Export release SBOM in CycloneDX format
STATUS: The GitLab SBOM generators now provide an Omnibus manifest converter to CycloneDX. Future plans are now tracked in https://gitlab.com/gitlab-org/sbom/generator/-/issues
Context
We're seeing more requests for the "SBOM of GitLab", especially in the CycloneDX format. Some of our users must run security checks on our components to ensure they don't have vulnerabilities, and CycloneDX is a supported feed format for many security scanners.
The current export https://gitlab-org.gitlab.io/omnibus-gitlab/gitlab-ee/14.10/14.10.2-ee.0.html also provides a JSON file with the list of the components used in GitLab.
Two other files (XML + JSON) should be provided following the CycloneDX format, which is a standard already supported in GitLab.
Specs
Here are the requirements we got from our recent experience with a customer requesting these files:
- The SBOM must be provided in JSON and XML format
- The SBOM should be available in CycloneDX 1.3 (not sure we should prioritize this one; it's probably because we had issues in our files in the first place)
- The SBOM must use package URLs (purls, https://github.com/package-url/purl-specs) to reference components (`bom-ref`)
- As stated in the CycloneDX spec, all components must be unique (our attempt at creating an SBOM via scripts had duplicates)
- The SBOM doesn't have to include the license text (it makes the files huge and hard to work with if not ingested in a tool).
- Instead, the SBOM should include URLs to the license file (and use the right reference for that)
- The SBOM could include vulnerabilities (VEX), (i.e. what is patched or mitigated already) so that they are not reported back to us anymore.
- The SBOM should be for GitLab (/omnibus) for this first iteration, but we'll have to provide composable SBOMs based on the features the customer will use (ex: GitLab-Runner, GitLab Kubernetes Agent, etc.).
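A small checker for the requirements above (purl-style `bom-ref`, no duplicate components, license URL instead of embedded text), added here as an example and not part of GitLab's own SBOM tooling. The CycloneDX document it runs on is a constructed sample, not a real GitLab manifest.

```python
import json

# Constructed CycloneDX 1.4 JSON sample: a compliant component, a duplicate of it,
# and a component with a non-purl bom-ref that embeds license text.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "openssl", "version": "1.1.1q",
         "purl": "pkg:generic/openssl@1.1.1q", "bom-ref": "pkg:generic/openssl@1.1.1q",
         "licenses": [{"license": {"id": "Apache-2.0",
                                   "url": "https://www.openssl.org/source/license.html"}}]},
        {"type": "library", "name": "openssl", "version": "1.1.1q",
         "purl": "pkg:generic/openssl@1.1.1q", "bom-ref": "pkg:generic/openssl@1.1.1q"},
        {"type": "library", "name": "zlib", "version": "1.2.12",
         "purl": "pkg:generic/zlib@1.2.12", "bom-ref": "zlib-1",
         "licenses": [{"license": {"id": "Zlib", "text": {"content": "..."}}}]},
    ],
})


def check_sbom(raw):
    """Return the list of requirement violations found in a CycloneDX JSON document.

    An empty list means the document satisfies the checks below.
    """
    bom = json.loads(raw)
    findings = []
    if bom.get("bomFormat") != "CycloneDX":
        findings.append("bomFormat is not CycloneDX")
    seen = set()
    for comp in bom.get("components", []):
        ref = comp.get("bom-ref", "")
        label = f"{comp.get('name')}@{comp.get('version')}"
        # Requirement: components are referenced by purl.
        if not ref.startswith("pkg:"):
            findings.append(f"{label}: bom-ref {ref!r} is not a purl")
        # Requirement: every component (bom-ref) appears exactly once.
        if ref in seen:
            findings.append(f"{label}: duplicate bom-ref {ref!r}")
        seen.add(ref)
        # Requirement: point at the license file by URL rather than embedding its text.
        for entry in comp.get("licenses", []):
            lic = entry.get("license", {})
            if "text" in lic:
                findings.append(f"{label}: embeds license text instead of a URL")
            elif "url" not in lic:
                findings.append(f"{label}: license has no url")
    return findings


if __name__ == "__main__":
    for finding in check_sbom(SAMPLE_BOM):
        print(finding)
```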
Implementation plan
(taken from https://docs.google.com/presentation/d/1iYwlQ72Hiv1y5IX6iW5f8gw_wcVSjdUb_LIDWcy6s_M/edit#slide=id.g249c9ac9148_0_20 - internal only)