Support for license scanning of OS packages provided by CycloneDX SBOM report
Release notes
Problem to solve
GitLab currently doesn't support license scanning for OS packages: https://docs.gitlab.com/ee/user/compliance/license_scanning_of_cyclonedx_files/#supported-languages-and-package-managers
The Trivy scanner we use to generate the CycloneDX report as part of the Container Scanning feature may already provide license data, but GitLab doesn't take this information into account.
We've added support for reading license information from the CycloneDX report as part of User provided license information for components (&10861 - closed), but OS packages have been explicitly excluded: Skip OS components when parsing licenses from SBOM (#499553 - closed)
Zendesk ticket - internal only
Proposal
- In order to keep the current behavior by default, add a CI variable that controls whether Trivy-provided license data is used.
- Update the existing documentation with a description of the CI variable and its usage.
- Enable reading license data from the CycloneDX report for components whose purl type is an OS package type.
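As an added illustration of the proposal (this is example code written here, not GitLab's or Trivy's implementation), the snippet below parses a constructed CycloneDX 1.4 report, extracts license identifiers, names and expressions per component, and only keeps components with an OS package purl type (deb, apk, rpm) when an opt-in flag is set. The `include_os_packages` keyword stands in for the proposed CI variable, whose name is not decided on this page; the purl type list and the sample components are assumptions.

```ruby
require 'json'

# Constructed sample CycloneDX 1.4 report; not real scanner output.
# It mixes OS package purls (deb, apk, rpm) with language-ecosystem purls.
SAMPLE_SBOM = <<~JSON
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {
      "type": "library", "name": "openssl", "version": "3.0.2-0ubuntu1",
      "purl": "pkg:deb/ubuntu/openssl@3.0.2-0ubuntu1?arch=amd64",
      "licenses": [{ "license": { "name": "OpenSSL" } }]
    },
    {
      "type": "library", "name": "musl", "version": "1.2.3-r4",
      "purl": "pkg:apk/alpine/musl@1.2.3-r4",
      "licenses": [{ "license": { "id": "MIT" } }]
    },
    {
      "type": "library", "name": "requests", "version": "2.31.0",
      "purl": "pkg:pypi/requests@2.31.0",
      "licenses": [{ "license": { "id": "Apache-2.0" } }]
    },
    {
      "type": "library", "name": "lodash", "version": "4.17.21",
      "purl": "pkg:npm/lodash@4.17.21",
      "licenses": [{ "expression": "MIT OR Apache-2.0" }]
    },
    {
      "type": "library", "name": "bash", "version": "5.1",
      "purl": "pkg:rpm/fedora/bash@5.1"
    }
  ]
}
JSON

# Assumed set of purl types that denote OS packages (package-url spec types).
OS_PURL_TYPES = %w[deb apk rpm].freeze

# Return the purl type ("deb", "npm", ...) or nil if the string is not a purl.
def purl_type(purl)
  return nil unless purl.is_a?(String)

  match = purl.match(%r{\Apkg:([^/]+)/})
  match && match[1]
end

# Collect license strings from a CycloneDX component. CycloneDX allows
# either an SPDX id, a free-form name, or a whole SPDX expression per entry.
def component_licenses(component)
  Array(component['licenses']).flat_map do |entry|
    if entry['expression']
      [entry['expression']]
    elsif entry['license']
      [entry['license']['id'] || entry['license']['name']].compact
    else
      []
    end
  end
end

# Map purl => [licenses]. OS package components are skipped unless
# include_os_packages is true, which models the proposed CI variable
# (hypothetical; the real variable name is not defined here).
def licenses_from_sbom(json, include_os_packages: false)
  sbom = JSON.parse(json)
  Array(sbom['components']).each_with_object({}) do |component, result|
    type = purl_type(component['purl'])
    next if type.nil?
    next if OS_PURL_TYPES.include?(type) && !include_os_packages

    licenses = component_licenses(component)
    next if licenses.empty? # no license data to record for this component

    result[component['purl']] = licenses
  end
end

if $PROGRAM_NAME == __FILE__
  puts 'Default (OS packages skipped):'
  licenses_from_sbom(SAMPLE_SBOM).each { |purl, lic| puts "  #{purl} => #{lic.join(', ')}" }
  puts 'With OS packages enabled:'
  licenses_from_sbom(SAMPLE_SBOM, include_os_packages: true)
    .each { |purl, lic| puts "  #{purl} => #{lic.join(', ')}" }
end
```

With the flag off, only the pypi and npm components yield licenses, matching today's behaviour; with it on, the deb and apk components are added, while the rpm component without a `licenses` array is still dropped because there is nothing to record.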
Intended users
Feature Usage Metrics
Metrics for the License Scanning feature are being implemented with Track License Scanning scan results (#465860), which covers dependencies with licenses extracted from the SBOM.
Enabling the feature for OS packages should automatically be tracked with these metrics. Its usage can be verified by checking the events matching OS package purl types (tracked in the label property) and the components_with_licenses_from_sbom additional property.