
Container Scanning CycloneDX reports are not ingested as schema v1.5 is not supported

Summary

Recently we upgraded to Trivy 0.43.1 in our Container Scanning tool, but in version 0.43 Trivy added support for CycloneDX schema v1.5. Our Rails backend digests CycloneDX reports only with version 1.4.

Because of that, Container Scanning CycloneDX reports are not ingested into the GitLab database, and the information from those reports is not displayed in the Group Dependency List.

Steps to reproduce

  1. Inside a group create a new project.
  2. Add the following .gitlab-ci.yml config:
variables:
  CS_IMAGE: 'golang:1.20-alpine'

include:
  - template: Jobs/Container-Scanning.gitlab-ci.yml
  3. Run the pipeline.
  4. Ensure that the container_scanning job has generated an artifact.
  5. Go to the Group Dependency List.

Example Project

https://gitlab.com/groups/gitlab-org/secure/tests/tetiana-tests-subgroup/-/dependencies

What is the current bug behavior?

Group Dependency List is empty

What is the expected correct behavior?

Group Dependency List shows the components from the generated report.

Relevant logs and/or screenshots

Output of checks

This bug happens on GitLab.com

Possible fixes

Post-process the report in the analyzer after Trivy has generated it:

  • change the specVersion to 1.4
  • change the $schema to http://cyclonedx.org/schema/bom-1.4.schema.json

Note that changing only these two strings is safe only while the report uses no fields introduced in CycloneDX 1.5; a document that does would still fail validation against the 1.4 schema.
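The rewrite proposed above, as an added example that is not the analyzer's own code: a Python script that relabels a CycloneDX 1.5 JSON report as 1.4, and refuses to do so when the report uses fields that only exist in 1.5 (top-level annotations and formulation, metadata.lifecycles), since those would not validate against the 1.4 schema regardless of the version strings. The sample report is constructed in the shape Trivy emits and is not a real scan result; the artifact path is whatever the container_scanning job writes (assumed, not taken from the page).

```python
"""Relabel a CycloneDX 1.5 JSON report as schema 1.4.

Added example, not part of the GitLab container-scanning analyzer.
Usage: python downgrade_cdx.py <report.cdx.json> > fixed.cdx.json
With no argument it runs on the constructed sample below.
"""
import copy
import json
import sys

SCHEMA_1_4 = "http://cyclonedx.org/schema/bom-1.4.schema.json"

# Fields introduced in CycloneDX 1.5 that have no equivalent in 1.4.
TOP_LEVEL_1_5_ONLY = ("annotations", "formulation")
METADATA_1_5_ONLY = ("lifecycles",)


class UnsupportedReport(ValueError):
    """The report cannot honestly be declared as schema 1.4."""


def fields_only_in_1_5(report):
    """Return the 1.5-only fields present in the report (empty if none)."""
    found = [key for key in TOP_LEVEL_1_5_ONLY if key in report]
    metadata = report.get("metadata") or {}
    found += ["metadata." + key for key in METADATA_1_5_ONLY if key in metadata]
    return found


def downgrade_to_1_4(report):
    """Return a copy of the report declaring specVersion 1.4.

    The input is never mutated. A 1.4 report is returned unchanged; anything
    other than CycloneDX 1.4/1.5 JSON, or a 1.5 report that uses 1.5-only
    fields, raises UnsupportedReport so the job fails loudly instead of
    producing a document the backend would reject anyway.
    """
    if report.get("bomFormat") != "CycloneDX":
        raise UnsupportedReport("not a CycloneDX JSON document")
    version = report.get("specVersion")
    if version == "1.4":
        return copy.deepcopy(report)
    if version != "1.5":
        raise UnsupportedReport(f"unexpected specVersion {version!r}")
    offending = fields_only_in_1_5(report)
    if offending:
        raise UnsupportedReport("uses 1.5-only fields: " + ", ".join(offending))
    fixed = copy.deepcopy(report)
    fixed["specVersion"] = "1.4"
    fixed["$schema"] = SCHEMA_1_4
    return fixed


# Constructed sample in the shape Trivy 0.43 emits; not a real scan result.
SAMPLE_1_5 = {
    "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "serialNumber": "urn:uuid:00000000-0000-0000-0000-000000000000",
    "version": 1,
    "metadata": {
        "component": {"type": "container", "name": "golang:1.20-alpine"},
    },
    "components": [
        {
            "type": "library",
            "name": "musl",
            "version": "1.2.3-r4",
            "purl": "pkg:apk/alpine/musl@1.2.3-r4",
        }
    ],
}


def main(argv):
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as handle:
            report = json.load(handle)
    else:
        report = SAMPLE_1_5
    json.dump(downgrade_to_1_4(report), sys.stdout, indent=2)
    sys.stdout.write("\n")


if __name__ == "__main__":
    main(sys.argv)
```

Run it on the artifact in an after_script of the container_scanning job and overwrite the file in place only if it exits 0; the UnsupportedReport exit is deliberate, because silently relabelling a report that uses 1.5 fields would move the failure from the analyzer into the backend where it is harder to see.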

Workarounds

Pin the previous, unaffected version of the analyzer:

container_scanning:
  variables:
    CS_ANALYZER_IMAGE: "registry.gitlab.com/security-products/container-scanning:6.2.2"
Edited by Igor Frenkel