Using dependency-management-data with GitLab's Pipeline-specific CycloneDX SBOM exports
Earlier today I spotted an exciting result in the changelog for the release of GitLab 16.4, which happened last Friday and which added Pipeline-specific CycloneDX SBOM exports.
When I was working on dependency-management-data's expanded offerings other than the original Renovate datasource, I had investigated GitLab's existing Dependency List API but did not proceed with it because the structure of the data wasn't ideal.
However, with the GitLab 16.4 release, the ability to use CycloneDX SBOMs is really awesome, because using an existing well-supported standard for this means it's already supported in dependency-management-data as part of a release earlier this month.
So how do we take advantage of this? We can follow the documentation (which notes that this is an experimental feature!) and run:
$ export GITLAB_TOKEN=glpat...
$ curl --request POST --header "PRIVATE-TOKEN: $GITLAB_TOKEN" "https://gitlab.com/api/v4/pipelines/1018856246/dependency_list_exports" --data "export_type=sbom"
{
"download": "https://gitlab.com/api/v4/dependency_list_exports/1008825/download",
"has_finished": false,
"id": 1008825,
"self": "https://gitlab.com/api/v4/dependency_list_exports/1008825"
}
Once processed (the export is asynchronous: poll the "self" URL from the response, using the same PRIVATE-TOKEN header, until "has_finished" is true, then fetch the "download" URL), we can download the resulting SBOM and import it into dependency-management-data with:
dmd import sbom --db dmd.db sbom.json --platform gitlab --organisation tanna.dev --repo gitlab-example-security-reports
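To tie the steps above together, here is an added example (my own, not code from dependency-management-data or GitLab) that requests the export, polls until it has finished, and sanity-checks that what comes back is actually a CycloneDX JSON BOM with a components list before you hand it to dmd import sbom. It assumes gitlab.com rather than a self-managed host, that the download endpoint accepts the same PRIVATE-TOKEN header as the other calls, and that the export ID, pipeline ID and SBOM contents below are constructed stand-ins; the fetch functions are injectable so the polling and validation logic can be exercised offline.

```python
"""Added example: request a pipeline SBOM export from GitLab, wait for it,
and validate the CycloneDX document before importing it with dmd.
Not part of dependency-management-data or GitLab; see the lead-in for assumptions."""
import json
import os
import sys
import time
import urllib.request
from collections import Counter
from typing import Callable, Optional

GITLAB_API = "https://gitlab.com/api/v4"  # assumption: gitlab.com, not self-managed


def gitlab_request(url: str, token: str, data: Optional[bytes] = None) -> bytes:
    """GET (or POST when `data` is given) with the PRIVATE-TOKEN header the docs use."""
    req = urllib.request.Request(url, data=data, headers={"PRIVATE-TOKEN": token})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read()


def request_export(pipeline_id: int, token: str) -> dict:
    """POST /pipelines/:id/dependency_list_exports with export_type=sbom."""
    url = f"{GITLAB_API}/pipelines/{pipeline_id}/dependency_list_exports"
    return json.loads(gitlab_request(url, token, data=b"export_type=sbom"))


def wait_for_export(export: dict, fetch: Callable[[str], bytes],
                    attempts: int = 30, delay: float = 2.0) -> str:
    """Poll the export's `self` URL until has_finished is true; return the download URL.
    `fetch` takes a URL and returns the body, so tests can stub the network out."""
    for _ in range(attempts):
        state = json.loads(fetch(export["self"]))
        if state.get("has_finished"):
            return state["download"]
        time.sleep(delay)
    raise TimeoutError(f"export {export['id']} did not finish after {attempts} polls")


def check_cyclonedx(sbom_bytes: bytes) -> dict:
    """Refuse anything that is not a CycloneDX JSON BOM with a components list, and
    summarise components by purl type so you can see which ecosystems the export covered."""
    sbom = json.loads(sbom_bytes)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError(f"not a CycloneDX BOM: bomFormat={sbom.get('bomFormat')!r}")
    components = sbom.get("components")
    if not isinstance(components, list):
        raise ValueError("BOM has no components list")
    by_type: Counter = Counter()
    for component in components:
        purl = component.get("purl", "")
        # purl shape is pkg:<type>/<namespace>/<name>@<version>; keep only <type>
        ptype = purl.split(":", 1)[1].split("/", 1)[0] if purl.startswith("pkg:") else "unknown"
        by_type[ptype] += 1
    return {"spec_version": sbom.get("specVersion"),
            "components": len(components),
            "by_type": dict(by_type)}


# Constructed data for offline use: shaped like the post's response, not real output.
EXPORT_JOB = {"id": 1008825, "has_finished": False,
              "self": f"{GITLAB_API}/dependency_list_exports/1008825",
              "download": f"{GITLAB_API}/dependency_list_exports/1008825/download"}

SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "lodash", "version": "4.17.21",
         "purl": "pkg:npm/lodash@4.17.21"},
        {"type": "library", "name": "express", "version": "4.18.2",
         "purl": "pkg:npm/express@4.18.2"},
        {"type": "library", "name": "golang.org/x/net", "version": "v0.15.0",
         "purl": "pkg:golang/golang.org/x/net@v0.15.0"},
    ],
}).encode()


def fake_fetch_factory(finish_after: int) -> Callable[[str], bytes]:
    """Stub for `fetch`: reports has_finished=false `finish_after` times, then true."""
    calls = {"n": 0}

    def fetch(url: str) -> bytes:
        calls["n"] += 1
        return json.dumps({**EXPORT_JOB, "has_finished": calls["n"] > finish_after}).encode()
    return fetch


def main() -> None:
    """Usage: GITLAB_TOKEN=glpat... python export_sbom.py <pipeline_id>"""
    token = os.environ["GITLAB_TOKEN"]
    export = request_export(int(sys.argv[1]), token)
    download_url = wait_for_export(export, lambda url: gitlab_request(url, token))
    sbom_bytes = gitlab_request(download_url, token)
    summary = check_cyclonedx(sbom_bytes)
    with open("sbom.json", "wb") as out:
        out.write(sbom_bytes)
    print(f"CycloneDX {summary['spec_version']}: {summary['components']} components {summary['by_type']}")
    print("now run: dmd import sbom --db dmd.db sbom.json --platform gitlab "
          "--organisation <org> --repo <repo>")


if __name__ == "__main__":
    main()
```

The validation step matters because the export is flagged experimental: an empty or non-CycloneDX body would otherwise be imported silently, and the per-ecosystem count is a quick way to confirm the pipeline's scanners actually covered every lockfile you expected.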
And it's that simple! We now have all the data available in dependency-management-data.
You can see the data that's available from this SBOM in the example app.