License Scanning reports no license when no package metadata (SBOM Scanner)
Summary
When the components detected in the project SBOM don't match anything in the package metadata tables of the DB (pm_* tables), the License Scanning SBOM Scanner doesn't report anything, instead of reporting an Unknown license.
This is not yet a bug because the License Scanning SBOM Scanner has not been enabled.
Further details
Screenshot
When visiting the License Compliance page, it's as if License Scanning has NOT been set up.
Possible fixes
- Do a LEFT JOIN in ::GitLab::LicenseScanning::PackageLicenses.fetch to report the unknown license when there's no match. https://gitlab.com/gitlab-org/gitlab/-/blob/ef93c0cce2651f365a7cf00b8c8819ea5ff69948/ee/lib/gitlab/license_scanning/package_licenses.rb#L34
- Update PackageLicenses.fetch to add the unknown license, in memory, for records that have no license. https://gitlab.com/gitlab-org/gitlab/-/blob/ef93c0cce2651f365a7cf00b8c8819ea5ff69948/ee/lib/gitlab/license_scanning/package_licenses.rb#L45
- Or do the same in SbomScanner#report. https://gitlab.com/gitlab-org/gitlab/-/blob/620d56ac6f65c812d480ed17978d2af478738339/ee/lib/gitlab/license_scanning/sbom_scanner.rb#L18
Implementation plan
- Update SbomScanner#report to report the Unknown license for each package_license whose licenses are empty?, and add specs. https://gitlab.com/gitlab-org/gitlab/-/blob/620d56ac6f65c812d480ed17978d2af478738339/ee/lib/gitlab/license_scanning/sbom_scanner.rb#L18
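The fallback described in the possible fixes and the implementation plan above, modelled in memory as an added example (this is not GitLab's code; the Struct names, the PACKAGE_METADATA stand-in for the pm_* tables, the sample SBOM components and the literal 'unknown' license string are all assumptions). A component with no matching metadata row, or a row whose license list is empty, is reported as 'unknown' instead of being dropped, so every SBOM component appears in the report:

```ruby
# Added example, not GitLab's code: in-memory model of the LEFT JOIN / fallback
# behaviour the issue proposes for PackageLicenses.fetch or SbomScanner#report.

# Assumed shapes for an SBOM component and a fetched package-license record.
Component = Struct.new(:purl_type, :name, :version, keyword_init: true)
PackageLicense = Struct.new(:purl_type, :name, :version, :licenses, keyword_init: true)

UNKNOWN_LICENSE = 'unknown'.freeze # assumed spelling of the fallback license

# Constructed stand-in for the pm_* package metadata tables, keyed like the join.
PACKAGE_METADATA = {
  %w[npm lodash 4.17.21] => %w[MIT],
  %w[npm left-pad 1.3.0] => [] # row exists but carries no license
}.freeze

# Constructed SBOM: one matched, one matched-but-empty, one with no row at all.
SBOM_COMPONENTS = [
  Component.new(purl_type: 'npm', name: 'lodash', version: '4.17.21'),
  Component.new(purl_type: 'npm', name: 'left-pad', version: '1.3.0'),
  Component.new(purl_type: 'gem', name: 'rails', version: '7.0.0')
].freeze

# LEFT JOIN semantics: every component yields a record; missing or empty
# license lists are replaced by the unknown license rather than dropped.
def fetch_package_licenses(components, metadata = PACKAGE_METADATA)
  components.map do |c|
    licenses = metadata.fetch([c.purl_type, c.name, c.version], [])
    PackageLicense.new(purl_type: c.purl_type, name: c.name, version: c.version,
                       licenses: licenses.empty? ? [UNKNOWN_LICENSE] : licenses)
  end
end

# Groups "name@version" strings by license, the way a compliance page lists them.
def report(components)
  fetch_package_licenses(components).each_with_object({}) do |pl, acc|
    pl.licenses.each { |l| (acc[l] ||= []) << "#{pl.name}@#{pl.version}" }
  end
end

if __FILE__ == $PROGRAM_NAME
  report(SBOM_COMPONENTS).each { |license, pkgs| puts "#{license}: #{pkgs.join(', ')}" }
end
```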
Verification plan
On an environment that has no package metadata (i.e. that has never been synced with License DB):
- Set up a test project with Dependency Scanning, to generate an SBOM.
- Enable license_scanning_sbom_scanner for that project.
- Trigger a pipeline.
- Check the License Compliance page. It should report the Unknown license for every component listed in the SBOM report generated by the Dependency Scanning jobs.
Edited by Adam Cohen