Parsing SBOMs

This note includes information about parsing SBOMs in the GitLab Rails Console.

HOWTO

The docs list the languages and package managers Dependency Scanning supports. The gemnasium project has notes on adding a new dependency file parser; check out the existing parsers before writing a new one.

On line 66 of convert.go, the doc comment for ToSBOMs reads:

// ToSBOMs converts dependency files to CycloneDX SBOMs, with components in sorted order

A quick start to parsing a CycloneDX SBOM .json file as GitLab would:

# Read the CycloneDX report from disk; parsing it first surfaces malformed JSON early
file = File.read 'gl-sbom-report.cdx.json'
data_hash = JSON.parse(file)
# The parser takes the raw JSON string, so serialise the hash back out
raw_report_data = data_hash.to_json
# Start from an empty report and let the CycloneDX parser populate it
report = Gitlab::Ci::Reports::Sbom::Report.new
r = Gitlab::Ci::Parsers::Sbom::Cyclonedx.new.parse!(raw_report_data, report)
# Inspect the populated report and its parsed components in the console
report
report.components
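For working outside the Rails console, the following is an added example (not GitLab's parser and not code from the original note) that reads a CycloneDX document, applies the structural checks a consumer should make before trusting it, and lists components while flagging any that lack a version or purl. The SBOM is a constructed sample embedded inline, not the gl-sbom-report.cdx.json referenced above, and the validation rules are assumptions about a minimal sane document rather than the full CycloneDX schema.

```ruby
require 'json'

# Constructed sample CycloneDX document (not the note's gl-sbom-report.cdx.json).
# The second component deliberately omits version and purl to exercise the flagging.
SAMPLE_CDX = <<~JSON
  {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "metadata": { "tools": [ { "vendor": "GitLab", "name": "Gemnasium" } ] },
    "components": [
      { "type": "library", "name": "rails", "version": "7.0.4", "purl": "pkg:gem/rails@7.0.4" },
      { "type": "library", "name": "unknown-lib" }
    ]
  }
JSON

# Minimal structural checks (assumed here, not the full schema) before the document
# is trusted: correct format marker, a spec version, and a components array.
def validate_cdx(doc)
  errors = []
  errors << 'bomFormat must be "CycloneDX"' unless doc['bomFormat'] == 'CycloneDX'
  errors << 'specVersion missing' unless doc['specVersion'].is_a?(String)
  errors << 'components must be an array' unless doc['components'].is_a?(Array)
  errors
end

# Pull out the fields a dependency list needs, sorted by name, and mark components
# that cannot be matched to an advisory because version or purl is missing.
def extract_components(raw_json)
  doc = JSON.parse(raw_json)
  errors = validate_cdx(doc)
  raise ArgumentError, errors.join('; ') unless errors.empty?

  doc['components'].map do |c|
    { name: c['name'], version: c['version'], purl: c['purl'], type: c['type'],
      incomplete: c['version'].nil? || c['purl'].nil? }
  end.sort_by { |c| c[:name] }
end

if __FILE__ == $PROGRAM_NAME
  extract_components(SAMPLE_CDX).each { |c| puts c.inspect }
end
```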

Resources

Issues and MRs

External

GitLab Docs