Update gemnasium scanner package to include additional information
Proposal
Now that 1 - Update gemnasium to output CycloneDX SBOMs (#350509 - closed) has been completed, the gemnasium analyzers output a gl-sbom-*.cdx.json SBOM file. This file uses CycloneDX Properties to store the location of the build/lock/requirements file in the gitlab:input_file property in the metadata of the CycloneDX SBOM, for example:
- `{ "bomFormat": "CycloneDX", "metadata": { "properties": [ { "name": "gitlab:input_file", "value": "build.gradle" } ] } }`
- `{ "bomFormat": "CycloneDX", "metadata": { "properties": [ { "name": "gitlab:input_file", "value": "package-lock.json" } ] } }`
- `{ "bomFormat": "CycloneDX", "metadata": { "properties": [ { "name": "gitlab:input_file", "value": "requirements.txt" } ] } }`
As the above examples demonstrate, we don't currently distinguish between a build file, a lock file or a requirements file: they're all treated the same, and the single gitlab:input_file property is used to represent all three types.
The reason we don't distinguish between these file types is that the data used to construct this property comes from the scanner package, which doesn't currently provide this level of detail.
The purpose of this issue is to update the scanner package so that it allows us to determine the following:
- the name of the editable file where dependencies are introduced and declared (aka the build/requirements file or source_file)
- the file parsed by the analyzer (aka the lock file/dependency export or input_file)
For example, if we look at the []finder.Project.Files field from the projects returned by FindProject:
```go
[]finder.Project{
	{
		Dir: ".",
		Files: {
			{Filename: "build.gradle", FileType: "requirements"},
		},
	},
}
```
This tells us that the requirements file was build.gradle, but it doesn't explain that the file that was parsed by the analyzer was actually gradle-dependencies.json. We need to update the Files array so that it includes this information, which we can then output in the CycloneDX SBOM so we end up with something like the following:
```json
{
  "metadata": {
    "properties": [
      {
        "name": "gitlab:requirements_file",
        "value": "build.gradle"
      },
      {
        "name": "gitlab:input_file",
        "value": "gradle-dependencies.json"
      }
    ]
  }
}
```
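To make the proposed mapping concrete, here is an added example (not gemnasium's or the scanner package's own code) that derives the two gitlab:* properties from a file list that carries the proposed "requirements" vs "input" distinction. The File and Property types are hypothetical stand-ins for the real scanner package types, and the fallback of gitlab:input_file to the requirements file when the analyzer parsed that file directly (e.g. requirements.txt) is an assumption about the intended behaviour.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// File is a hypothetical stand-in for an entry of finder.Project.Files (not the
// real scanner package type); FileType "input" is the proposed new distinction.
type File struct {
	Filename string
	FileType string // "requirements" = editable source file, "input" = file the analyzer parsed
}

// Property is one CycloneDX metadata property ({"name": ..., "value": ...}).
type Property struct {
	Name  string `json:"name"`
	Value string `json:"value"`
}

// sbomProperties derives the gitlab:* metadata properties from a project's files.
// Assumption: with no "input" entry (the analyzer parsed the requirements file itself,
// e.g. requirements.txt), gitlab:input_file falls back to that file so consumers keep a value.
func sbomProperties(files []File) []Property {
	byType := map[string]string{}
	for _, f := range files {
		byType[f.FileType] = f.Filename
	}
	req, in := byType["requirements"], byType["input"]
	if in == "" {
		in = req // fallback: the parsed file is the requirements file itself
	}
	props := []Property{}
	if req != "" {
		props = append(props, Property{"gitlab:requirements_file", req})
	}
	if in != "" {
		props = append(props, Property{"gitlab:input_file", in})
	}
	return props
}

// metadataJSON renders the SBOM metadata block that carries those properties.
func metadataJSON(files []File) ([]byte, error) {
	return json.MarshalIndent(map[string]interface{}{"bomFormat": "CycloneDX",
		"metadata": map[string]interface{}{"properties": sbomProperties(files)}}, "", "  ")
}
func main() {
	out, _ := metadataJSON([]File{{"build.gradle", "requirements"}, {"gradle-dependencies.json", "input"}})
	fmt.Println(string(out))
}
```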
See this discussion for more details.