Provide a way to collect license compliance artifact with dependency scanning
Context
A customer submitted a ticket saying they had moved their License Scanning templates over to License Compliance with Dependency Scanning. Their previous workflow with License Scanning involved downloading the report artifact that it generates in order to view the licenses used in the codebase. They would download this file
However, the new CycloneDX file produced by Dependency Scanning does not appear to contain any license information. Instead, GitLab now ingests the report, detects the licenses in the background once Dependency Scanning has completed, and stores the result in the database.
Example
gitlabhq_production=# select * from sbom_occurrences;
 id | created_at | updated_at | component_version_id | project_id | pipeline_id | source_id | commit_sha | component_id | uuid | package_manager | component_name | input_file_path | licenses | vulnerabilities
----+------------+------------+----------------------+------------+-------------+-----------+------------+--------------+------+-----------------+----------------+-----------------+----------+-----------------
 1 | 2023-11-30 23:55:33.815534+00 | 2023-11-30 23:55:33.815534+00 | 1 | 6 | 20 | 1 | \x64343039663135613831363339626434656165306162363432616561663366636234326132386461 | 1 | fdc85472-9b60-5664-b892-8420fddcc2aa | pip | iseven | requirements.txt | [{"url": "https://spdx.org/licenses/MIT.html", "name": "MIT License", "spdx_identifier": "MIT"}] | []
 2 | 2023-11-30 23:55:33.815534+00 | 2023-11-30 23:55:33.815534+00 | 2 | 6 | 20 | 1 | \x64343039663135613831363339626434656165306162363432616561663366636234326132386461 | 2 | ab84840e-c45b-5893-b46b-08997d165600 | pip | isodd | requirements.txt | [{"url": "https://spdx.org/licenses/MIT.html", "name": "MIT License", "spdx_identifier": "MIT"}] | []
 3 | 2023-12-15 01:02:28.475669+00 | 2023-12-15 01:54:08.004352+00 | 3 | 22 | 59 | 1 | \x37333565393636373632636364633765393334643761373434626665636235643666623066663035 | 3 | a7c4191c-89c3-5323-91f9-3daaae783194 | pip | click | requirements.txt | [{"url": "https://spdx.org/licenses/BSD-3-Clause.html", "name": "BSD 3-Clause \"New\" or \"Revised\" License", "spdx_identifier": "BSD-3-Clause"}] | []
 4 | 2023-12-15 01:02:28.475669+00 | 2023-12-15 01:54:08.004352+00 | 4 | 22 | 59 | 1 | \x37333565393636373632636364633765393334643761373434626665636235643666623066663035 | 4 | 3d010c34-0fa2-529d-89cc-ef340d780c85 | pip | flask | requirements.txt | [] | []
 5 | 2023-12-15 01:02:28.475669+00 | 2023-12-15 01:54:08.004352+00 | 5 | 22 | 59 | 1 | \x37333565393636373632636364633765393334643761373434626665636235643666623066663035 | 5 | 826f7aaf-fda4-5293-92f6-f667beea9f0d | pip | itsdangerous | requirements.txt | [{"url": "https://spdx.org/licenses/BSD-3-Clause.html", "name": "BSD 3-Clause \"New\" or \"Revised\" License", "spdx_identifier": "BSD-3-Clause"}] | []
 6 | 2023-12-15 01:02:28.475669+00 | 2023-12-15 01:54:08.004352+00 | 6 | 22 | 59 | 1 | \x37333565393636373632636364633765393334643761373434626665636235643666623066663035 | 6 | 9c447a55-1e1f-5d37-84fe-43eba0e84b31 | pip | jinja2 | requirements.txt | [{"url": "https://spdx.org/licenses/BSD-3-Clause.html", "name": "BSD 3-Clause \"New\" or \"Revised\" License", "spdx_identifier": "BSD-3-Clause"}] | []
 7 | 2023-12-15 01:02:28.475669+00 | 2023-12-15 01:54:08.004352+00 | 7 | 22 | 59 | 1 | \x37333565393636373632636364633765393334643761373434626665636235643666623066663035 | 7 | 71e4add6-c654-53e6-b422-6ca8bc4d95ef | pip | markupsafe | requirements.txt | [{"url": "https://spdx.org/licenses/BSD-3-Clause.html", "name": "BSD 3-Clause \"New\" or \"Revised\" License", "spdx_identifier": "BSD-3-Clause"}] | []
 8 | 2023-12-15 01:02:28.475669+00 | 2023-12-15 01:54:08.004352+00 | 8 | 22 | 59 | 1 | \x37333565393636373632636364633765393334643761373434626665636235643666623066663035 | 8 | 001b4ade-78e1-5149-b4ef-d6e1fa853423 | pip | werkzeug | requirements.txt | [{"url": "https://spdx.org/licenses/BSD-3-Clause.html", "name": "BSD 3-Clause \"New\" or \"Revised\" License", "spdx_identifier": "BSD-3-Clause"}] | []
(8 rows)
Proposal
Provide an artifact that can be downloaded from the pipeline to view the licenses used in the codebase.
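As an added illustration of what such an artifact could contain (this is example code, not GitLab's implementation), the script below turns exported sbom_occurrences rows into a JSON license report and surfaces components for which GitLab detected no license, such as flask in the table above. The row tuples are constructed from the table, and the `deny` parameter and the output file name are assumptions.

```python
import json
from collections import defaultdict

# Constructed sample mirroring the sbom_occurrences rows shown above:
# (component_name, input_file_path, licenses column as GitLab stores it).
SAMPLE_ROWS = [
    ("iseven", "requirements.txt",
     '[{"url": "https://spdx.org/licenses/MIT.html", "name": "MIT License", "spdx_identifier": "MIT"}]'),
    ("isodd", "requirements.txt",
     '[{"url": "https://spdx.org/licenses/MIT.html", "name": "MIT License", "spdx_identifier": "MIT"}]'),
    ("click", "requirements.txt",
     '[{"url": "https://spdx.org/licenses/BSD-3-Clause.html", "name": "BSD 3-Clause \\"New\\" or \\"Revised\\" License", "spdx_identifier": "BSD-3-Clause"}]'),
    ("flask", "requirements.txt", "[]"),  # nothing detected, as in the table
]


def build_license_report(rows, deny=frozenset()):
    """Turn (name, path, licenses_json) rows into an artifact dict.
    `deny` is an assumed policy input (not a GitLab field): SPDX ids it
    contains are reported under "denied"."""
    components, by_license, unknown, denied = [], defaultdict(list), [], []
    for name, path, licenses_json in rows:
        ids = sorted({lic["spdx_identifier"] for lic in json.loads(licenses_json)})
        components.append({"name": name, "input_file_path": path, "licenses": ids})
        if not ids:  # empty array: GitLab detected no license, surface it
            unknown.append(name)
        for spdx in ids:
            by_license[spdx].append(name)
            if spdx in deny:
                denied.append({"component": name, "license": spdx})
    return {"components": components, "by_license": dict(by_license),
            "no_license_detected": unknown, "denied": denied}


def write_artifact(report, path="license-report.json"):
    """Write the report so a CI job can publish it with `artifacts: paths:`."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(report, fh, indent=2, sort_keys=True)
    return path


if __name__ == "__main__":
    report = build_license_report(SAMPLE_ROWS, deny={"GPL-3.0-only"})
    print(json.dumps(report, indent=2))
    write_artifact(report)  # assumed file name, pick one matching your CI job
```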