Export SBOM manifest file
What does this MR do?
This MR adds support for outputting a sbom-manifest.json
file which contains references to the generated SBOM files, as well as additional metadata, for example:
{
"version": "0.0.1",
"timestamp": "2022-04-04T11:05:48Z",
"analyzer": {
"id": "gemnasium",
"version": "2.36.0"
},
"components": [
{
"project": {
"path": "go-project"
},
"package_type": "go",
"package_manager": "go",
"language": "Go",
"files": [
{
"type": "sbom",
"path": "go-project/cyclonedx-go-go.json"
},
{
"type": "input",
"path": "go-project/go.sum"
}
]
},
{
"project": {
"path": "ruby-project-2"
},
"package_type": "gem",
"package_manager": "bundler",
"language": "Ruby",
"files": [
{
"type": "sbom",
"path": "ruby-project-2/cyclonedx-gem-bundler.json"
},
{
"type": "input",
"path": "ruby-project-2/Gemfile.lock"
}
]
}
]
}
What are the relevant issue numbers?
Determine ISBOM manifest file structure (gitlab-org/gitlab#352199 - closed)
Does this MR meet the acceptance criteria?
-
Changelog entry added -
Documentation created/updated for GitLab EE, if necessary -
Documentation created/updated for this project, if necessary -
Documentation reviewed by technical writer or follow-up review issue created -
Tests added for this feature/bug -
Job definition updated, if necessary -
Conforms to the code review guidelines -
Conforms to the Go guidelines -
Security reports checked/validated by reviewer
Edited by Adam Cohen