Fix invalid gitlab:meta:schema_version property
What does this MR do?
Output GitLab metadata properties in Container ... (!2927 - merged) added support for outputting GitLab metadata properties in the SBOM. However, we made a mistake and output the gitlab:meta:schema_version value as an integer, when it should actually be a string. This causes Gitlab::Ci::Parsers::Sbom::Validators::CyclonedxSchemaValidator#valid? in the rails monolith to return false, because the schema expects the value field to be a string, which prevents the SBOM file from being ingested.
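An added check (not part of this MR or the analyzer's code) that reproduces the schema complaint locally: it parses metadata.properties from a CycloneDX 1.4 document and reports every property whose value is not a JSON string. The two embedded SBOMs are constructed minimal inputs, and the "1" schema_version value is a placeholder, not the analyzer's real value.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Property mirrors a CycloneDX 1.4 name/value property. Value is kept as
// raw JSON so a wrongly typed number is preserved and can be reported
// instead of being silently coerced while decoding.
type Property struct {
	Name  string          `json:"name"`
	Value json.RawMessage `json:"value"`
}

type bom struct {
	Metadata struct {
		Properties []Property `json:"properties"`
	} `json:"metadata"`
}

// NonStringProperties returns the names of metadata.properties entries
// whose value is not a JSON string: exactly the mismatch cyclonedx-cli
// reports as `Value is "integer" but should be "string"`.
func NonStringProperties(sbom []byte) ([]string, error) {
	var b bom
	if err := json.Unmarshal(sbom, &b); err != nil {
		return nil, err
	}
	var bad []string
	for _, p := range b.Metadata.Properties {
		var s string
		if err := json.Unmarshal(p.Value, &s); err != nil {
			bad = append(bad, p.Name)
		}
	}
	return bad, nil
}

// Constructed SBOMs: only the fields needed for this check are present.
const brokenSBOM = `{"bomFormat":"CycloneDX","specVersion":"1.4","metadata":{"properties":[{"name":"gitlab:meta:schema_version","value":1}]}}`
const fixedSBOM = `{"bomFormat":"CycloneDX","specVersion":"1.4","metadata":{"properties":[{"name":"gitlab:meta:schema_version","value":"1"}]}}`

func main() {
	for _, doc := range []string{brokenSBOM, fixedSBOM} {
		bad, err := NonStringProperties([]byte(doc))
		fmt.Printf("non-string properties: %v (err=%v)\n", bad, err)
	}
}
```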
Testing
Before this change:
Container Scanning produces gl-sbom-report.cdx.json, which does not pass schema validation:
$ docker run -it --rm -v "$PWD:/src" -w /src -e CS_IMAGE=alpine:3.7 registry.gitlab.com/security-products/container-scanning:6
$ docker run -it --rm -v "$PWD:/my-cyclonedx-sboms" -w /my-cyclonedx-sboms cyclonedx/cyclonedx-cli:latest cyclonedx validate --input-version v1_4 --input-file gl-sbom-report.cdx.json
WARNING: The requested image's platform (linux/amd64) does not match the detected host platform (linux/arm64/v8) and no specific platform was requested
Validating JSON BOM...
Validation failed: Value is "integer" but should be "string"
#/properties/metadata/$ref/properties/properties/items/$ref/properties/value/type
BOM is not valid.
After this change:
Container Scanning produces gl-sbom-report.cdx.json, which passes schema validation:
$ docker run -it --rm -v "$PWD:/src" -w /src -e CS_IMAGE=alpine:3.7 registry.gitlab.com/gitlab-org/security-products/analyzers/container-scanning/tmp/trivy:2c754f66883be6bae8aba694545da5d4d4dcd878
$ docker run -it --rm -v "$PWD:/my-cyclonedx-sboms" -w /my-cyclonedx-sboms cyclonedx/cyclonedx-cli:latest cyclonedx validate --input-version v1_4 --input-file gl-sbom-report.cdx.json
Validating JSON BOM...
BOM validated successfully.
What are the relevant issue numbers?
Container Scanning v6.2.0 produces invalid SBOM... (gitlab-org/gitlab#428382 - closed)
Does this MR meet the acceptance criteria?
- Changelog trailer added
- Documentation created/updated for GitLab EE, if necessary
- Documentation created/updated for this project, if necessary
- Documentation reviewed by technical writer or follow-up review issue created
- Tests added for this feature/bug
- Job definition updated, if necessary
- Conforms to the code review guidelines
- Conforms to the Go guidelines
- Security reports checked/validated by reviewer