Filter out invalid components early in SBOM ingestion


Problem to solve

As noted in Fix parsing of underscores in Maven versions (gitlab-org/ruby/gems/semver_dialects!90 - merged), we're spending a lot of resources attempting to parse a component's invalid version string. Beyond SBOM ingestion and continuous vulnerability scans, license scanning also re-parses the same invalid versions every time it refreshes its cache via the Sidekiq/ReactiveCachingWorker job.

Proposal

Filter out invalid components early in ingestion of CycloneDX SBOMs.

This might support Highlight invalid and missing versions in Depen... (#464007).
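An added example (not code from this issue or from GitLab) of the early gate the proposal describes: a cheap shape check on each CycloneDX component's version string, applied before any real version parsing is attempted. The 255-character limit, the printable-ASCII rule, the sample SBOM and the function names are assumptions made for the example.

```ruby
require 'json'

# Largest version string we are willing to hand to the full parser (assumed limit).
MAX_VERSION_LENGTH = 255
# Cheap syntactic gate: printable ASCII only, no whitespace or control characters.
# Underscores pass, since Maven versions may legitimately contain them.
VERSION_SHAPE = /\A[\x21-\x7E]{1,#{MAX_VERSION_LENGTH}}\z/

# Constructed CycloneDX SBOM (sample input, not taken from the issue).
SAMPLE_SBOM = JSON.generate(
  'bomFormat' => 'CycloneDX',
  'specVersion' => '1.4',
  'components' => [
    { 'type' => 'library', 'name' => 'guava', 'version' => '31.1-jre',
      'purl' => 'pkg:maven/com.google.guava/guava@31.1-jre' },
    { 'type' => 'library', 'name' => 'lodash', 'version' => '',
      'purl' => 'pkg:npm/lodash' },
    { 'type' => 'library', 'name' => 'junit', 'version' => "4.13.2\u0000",
      'purl' => 'pkg:maven/junit/junit@4.13.2' },
    { 'type' => 'library', 'name' => 'log4j-core',
      'purl' => 'pkg:maven/org.apache.logging.log4j/log4j-core' },
    { 'type' => 'library', 'name' => 'padded', 'version' => '1.' * 200,
      'purl' => 'pkg:generic/padded' },
    { 'type' => 'library', 'name' => 'jackson-databind', 'version' => '2.15.0_patched',
      'purl' => 'pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.0_patched' }
  ]
)

# True when the version is worth passing to the expensive dialect-aware parser.
def valid_version?(version)
  version.is_a?(String) && version.match?(VERSION_SHAPE)
end

# Human-readable reason for dropping a component, for logging at ingestion time.
def rejection_reason(component)
  version = component['version']
  return 'missing version' if version.nil?
  return 'empty version' if version.empty?
  return "version longer than #{MAX_VERSION_LENGTH} characters" if version.length > MAX_VERSION_LENGTH
  'whitespace, control or non-ASCII characters in version'
end

# Split components into those to ingest and those to drop, before any parsing happens.
def partition_components(sbom_json)
  components = JSON.parse(sbom_json).fetch('components', [])
  components.partition { |component| valid_version?(component['version']) }
end

ingestable, rejected = partition_components(SAMPLE_SBOM)
rejected.each { |c| warn "dropping #{c['name']}: #{rejection_reason(c)}" }
```

Dropped components are logged with their reason so the rejection is visible to whoever maintains the SBOM, rather than silently disappearing.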

Relevant links

Non-functional requirements

  • Documentation:
  • Feature flag:
  • Performance:
  • Testing:

Implementation plan

Verification steps

Edited by 🤖 GitLab Bot 🤖