SBOM components removed during partial ingestion of SBOMs
Summary
In a pipeline for the default branch that should upload multiple SBOMs, if one of the SBOMs can't be uploaded because the job producing it fails, the components that only appear in that SBOM are marked as no longer detected, because the deletion step treats the partial set of ingested occurrences as the complete inventory.
Steps to reproduce
Example Project
What is the current bug behavior?
What is the expected correct behavior?
Relevant logs and/or screenshots
Implementation plan
As we don't want to ingest a partial report and mark the missing components as disappeared, we need to check that all the SBOM CI jobs of the pipeline have succeeded before running the occurrence deletion logic. If any job that declares a CycloneDX report did not succeed, the deletion must be skipped for that pipeline; the existing occurrences are then left untouched until a later complete pipeline runs.
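To make the failure mode concrete, here is an added stand-alone illustration (not GitLab's code and not the diff below): a toy model of a default-branch pipeline with two SBOM jobs, where the second job does not succeed and so only the first job's components were ingested. The `Build`, `Pipeline`, `Project` classes and the `delete_not_present_occurrences` function are hypothetical stand-ins for the real models and service, and the component names and ids are constructed sample data. It contrasts no guard, a guard that only looks at failed builds, and a stricter guard that requires every SBOM job to have succeeded (which also covers canceled or skipped jobs).

```ruby
# Added illustration, not GitLab code: a toy model of the partial-ingestion
# problem. Build, Pipeline, Project and delete_not_present_occurrences are
# stand-ins for the real models and DeleteNotPresentOccurrencesService.
Build = Struct.new(:name, :status, :reports, keyword_init: true)

SBOM_REPORT = :cyclonedx

class Pipeline
  attr_reader :builds

  def initialize(builds)
    @builds = builds
  end

  # Jobs configured to upload a CycloneDX SBOM report (artifacts:reports:cyclonedx).
  def sbom_builds
    builds.select { |b| b.reports.include?(SBOM_REPORT) }
  end

  # Narrow check: only builds in the failed state block deletion.
  def sbom_jobs_failed?
    sbom_builds.any? { |b| b.status == :failed }
  end

  # Strict check: any non-success (failed, canceled, skipped) blocks deletion.
  def sbom_jobs_all_succeeded?
    sbom_builds.all? { |b| b.status == :success }
  end
end

class Project
  # Hash of occurrence id => component name, standing in for sbom_occurrences.
  attr_reader :sbom_occurrences

  def initialize(occurrences)
    @sbom_occurrences = occurrences
  end
end

# Same shape as the real service: delete every occurrence that was not part of
# this pipeline's ingested set. `guard` selects which safety check runs first.
# Returns the occurrence ids that remain afterwards.
def delete_not_present_occurrences(project, pipeline, ingested_ids, guard: :none)
  skip = case guard
         when :failed_only   then pipeline.sbom_jobs_failed?
         when :all_succeeded then !pipeline.sbom_jobs_all_succeeded?
         else false
         end
  return project.sbom_occurrences.keys if skip

  project.sbom_occurrences.delete_if { |id, _| !ingested_ids.include?(id) }
  project.sbom_occurrences.keys
end

# Constructed scenario: two SBOM jobs on the default branch plus an unrelated
# failing rspec job. If the second SBOM job succeeds, all four components are
# ingested; otherwise only the first job's components (ids 1, 2) are.
def scenario(second_job_status)
  project = Project.new({ 1 => 'rails', 2 => 'puma', 3 => 'lodash', 4 => 'react' })
  pipeline = Pipeline.new([
    Build.new(name: 'gemnasium-dependency_scanning', status: :success, reports: [SBOM_REPORT]),
    Build.new(name: 'nodejs-sbom', status: second_job_status, reports: [SBOM_REPORT]),
    Build.new(name: 'rspec', status: :failed, reports: [:junit])
  ])
  ingested = second_job_status == :success ? [1, 2, 3, 4] : [1, 2]
  [project, pipeline, ingested]
end

def remaining_after(guard:, second_status: :failed)
  project, pipeline, ingested = scenario(second_status)
  delete_not_present_occurrences(project, pipeline, ingested, guard: guard)
end
```

With no guard, the partial run deletes `lodash` and `react` even though nothing changed in the project. The failed-only guard fixes the reported case but still lets a canceled SBOM job wipe the same components, which is why the check should be phrased as "all SBOM jobs succeeded" rather than "no SBOM job failed". The unrelated `rspec` failure is ignored by both guards because it declares no `cyclonedx` report.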
Here is an example diff to achieve this
diff --git a/ee/app/services/sbom/ingestion/delete_not_present_occurrences_service.rb b/ee/app/services/sbom/ingestion/delete_not_present_occurrences_service.rb
index e69cde0cec96..1401dea5d1b4 100644
--- a/ee/app/services/sbom/ingestion/delete_not_present_occurrences_service.rb
+++ b/ee/app/services/sbom/ingestion/delete_not_present_occurrences_service.rb
@@ -15,6 +15,8 @@ def initialize(pipeline, ingested_occurrence_ids)
end
def execute
+ return if has_failed_sbom_jobs?
+
not_present_occurrences.each_batch(of: DELETE_BATCH_SIZE) { |occurrences, _| occurrences.delete_all }
end
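Review bot: the guard `return if has_failed_sbom_jobs?` only looks at builds in the failed state, while the plan above says deletion should run only when all the SBOM CI jobs have succeeded; a canceled or skipped SBOM job uploads no report either and would still let `not_present_occurrences` be deleted. Consider inverting the predicate to check that every build declaring a `cyclonedx` report reached success, and consider logging when the service returns early so a repeatedly skipped cleanup is visible to operators.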
@@ -27,6 +29,12 @@ def execute
def not_present_occurrences
project.sbom_occurrences.id_not_in(ingested_occurrence_ids)
end
+
+ def has_failed_sbom_jobs?
+ pipeline.builds.failed.any? do |build|
+ build.metadata.config_options.dig(:artifacts, :reports, :cyclonedx).present?
+ end
+ end
end
end
end
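Review bot: `build.metadata.config_options` in `has_failed_sbom_jobs?` raises NoMethodError for a build without a metadata row; use safe navigation (`build.metadata&.config_options&.dig(:artifacts, :reports, :cyclonedx)`) or filter at the query level, since `.any?` with a block loads every failed build of the pipeline and iterates it in Ruby rather than in SQL. Two smaller points: the `has_` prefix is normally dropped on Ruby predicates (`failed_sbom_jobs?` matches the style of the surrounding methods), and the diff shown covers only the service, so the early-return path still needs a spec.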
Edited by Mehmet Emin INAC