Fix invalid gitlab:meta:schema_version property

What does this MR do?

Output GitLab metadata properties in Container ... (!2927 - merged) added support for outputting GitLab metadata properties in the SBOM. However, we made a mistake and output the gitlab:meta:schema_version value as an integer, when it should actually be a string. This causes Gitlab::Ci::Parsers::Sbom::Validators::CyclonedxSchemaValidator#valid? in the Rails monolith to return false, because the schema expects the value field to be a string, which prevents the SBOM file from being ingested.

Testing

Before this change:

Container Scanning produces gl-sbom-report.cdx.json which does not pass schema validation:

$ docker run -it --rm -v "$PWD:/src" -w /src -e CS_IMAGE=alpine:3.7 registry.gitlab.com/security-products/container-scanning:6

$ docker run -it --rm -v "$PWD:/my-cyclonedx-sboms" -w /my-cyclonedx-sboms cyclonedx/cyclonedx-cli:latest cyclonedx validate --input-version v1_4 --input-file gl-sbom-report.cdx.json
WARNING: The requested image's platform (linux/amd64) does not match the detected host platform (linux/arm64/v8) and no specific platform was requested
Validating JSON BOM...
Validation failed: Value is "integer" but should be "string"
#/properties/metadata/$ref/properties/properties/items/$ref/properties/value/type
BOM is not valid.

After this change:

Container Scanning produces gl-sbom-report.cdx.json which passes schema validation:

$ docker run -it --rm -v "$PWD:/src" -w /src -e CS_IMAGE=alpine:3.7 registry.gitlab.com/gitlab-org/security-products/analyzers/container-scanning/tmp/trivy:2c754f66883be6bae8aba694545da5d4d4dcd878

$ docker run -it --rm -v "$PWD:/my-cyclonedx-sboms" -w /my-cyclonedx-sboms cyclonedx/cyclonedx-cli:latest cyclonedx validate --input-version v1_4 --input-file gl-sbom-report.cdx.json

Validating JSON BOM...
BOM validated successfully.
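As an added example (not code from this MR, the analyzer, or the Rails validator), the following Go program reproduces the before/after shape of the report: a minimal CycloneDX 1.4 document whose gitlab:meta:schema_version property carries a JSON number versus a JSON string, and the type check on metadata property values that the schema validator applies. The value 1 and the surrounding document are constructed placeholders, not the real schema version or analyzer output.

```go
package main

import "encoding/json"
import "fmt"

// Property mirrors a CycloneDX 1.4 property; the schema types name and value as strings, so this struct cannot emit a numeric value.
type Property struct {
	Name  string `json:"name"`
	Value string `json:"value"`
}

// MetadataPropertyErrors returns a schema-style path for each metadata property whose value is not a JSON string.
func MetadataPropertyErrors(bom []byte) ([]string, error) {
	var doc struct {
		Metadata struct {
			Properties []struct {
				Name  string          `json:"name"`
				Value json.RawMessage `json:"value"`
			} `json:"properties"`
		} `json:"metadata"`
	}
	if err := json.Unmarshal(bom, &doc); err != nil {
		return nil, err
	}
	var errs []string
	for i, p := range doc.Metadata.Properties {
		// A JSON string literal always starts with a quote; numbers, null, objects and a missing value do not.
		if len(p.Value) == 0 || p.Value[0] != '"' {
			errs = append(errs, fmt.Sprintf("#/metadata/properties/%d/value: %s is not a string", i, p.Name))
		}
	}
	return errs, nil
}

// sampleBOM wraps constructed properties in a minimal CycloneDX 1.4 document (sample data, not analyzer output).
func sampleBOM(props interface{}) []byte {
	b, _ := json.Marshal(map[string]interface{}{"bomFormat": "CycloneDX", "specVersion": "1.4",
		"version": 1, "metadata": map[string]interface{}{"properties": props}})
	return b
}

// BuggyBOM reproduces the pre-fix shape: an untyped value lets the int 1 (a placeholder, not the real schema version) into the JSON.
func BuggyBOM() []byte {
	return sampleBOM([]map[string]interface{}{{"name": "gitlab:meta:schema_version", "value": 1}})
}

// FixedBOM uses the string-typed Property, so the same value can only serialise as a JSON string.
func FixedBOM() []byte {
	return sampleBOM([]Property{{Name: "gitlab:meta:schema_version", Value: "1"}})
}
```

Running MetadataPropertyErrors over BuggyBOM() reports the single offending property path, while FixedBOM() passes cleanly; cyclonedx-cli performs the same type check against the full schema.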

What are the relevant issue numbers?

Container Scanning v6.2.0 produces invalid SBOM... (gitlab-org/gitlab#428382 - closed)

Does this MR meet the acceptance criteria?

Edited by Adam Cohen