Dependencies Export fails to validate SBOM using CycloneDX new tools format
Summary
When attempting to run a dependency list export against a pipeline which contains a CDX artifact that utilizes the new creation tools format, the exporter fails with the following:
Invalid CycloneDX report: property '/metadata/tools/0/vendor' is not of type: string
This occurs even though the report matches the schema we are checking when compared locally. It seems like the data may be getting interpreted improperly before schema validation (maybe here).
Reports generated by our in house scanning jobs utilize the legacy creation tools format, which does not cause an issue.
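As an added example (not GitLab's code) of the two `metadata.tools` shapes the summary contrasts: the legacy array of `{vendor, name, version}` entries versus the current object holding a `components` array. The snippet tells them apart, reports a legacy entry whose `vendor` is not a string with the same message the exporter raises, and normalises the legacy form into the current one so a consumer can accept both; the sample SBOMs are constructed, and mapping `vendor` onto the component `publisher` field is a choice of this example.

```ruby
# Added example, not GitLab's code: tell the two CycloneDX metadata.tools shapes
# apart and normalise the legacy one into the current one. Sample SBOMs are constructed.
require 'json'

LEGACY_SBOM = JSON.parse(<<~JSON)
  {"bomFormat":"CycloneDX","specVersion":"1.4","version":1,
   "metadata":{"tools":[{"vendor":"Example Corp","name":"scanner","version":"2.0"}]},
   "components":[]}
JSON

NEW_SBOM = JSON.parse(<<~JSON)
  {"bomFormat":"CycloneDX","specVersion":"1.5","version":1,
   "metadata":{"tools":{"components":[
     {"type":"application","name":"scanner","version":"3.1","publisher":"Example Corp"}]}},
   "components":[]}
JSON

# :legacy  -> metadata.tools is an array of {vendor,name,version} hashes
# :current -> metadata.tools is an object holding components/services arrays
def tools_format(sbom)
  tools = sbom.dig('metadata', 'tools')
  case tools
  when Array then :legacy
  when Hash  then :current
  else :missing
  end
end

# Checks each legacy entry the way the schema does: vendor/name/version,
# when present, must be strings. Returns JSON-pointer style error messages.
def legacy_tool_errors(sbom)
  return [] unless tools_format(sbom) == :legacy
  sbom['metadata']['tools'].each_with_index.flat_map do |tool, i|
    %w[vendor name version].filter_map do |key|
      next if tool[key].nil? || tool[key].is_a?(String)
      "property '/metadata/tools/#{i}/#{key}' is not of type: string"
    end
  end
end

# Rewrites a legacy tools array into the current components form (vendor is
# carried as publisher, an assumption); a current-form document is returned as is.
def normalize_tools(sbom)
  return sbom unless tools_format(sbom) == :legacy
  components = sbom['metadata']['tools'].map do |tool|
    { 'type' => 'application', 'name' => tool['name'], 'version' => tool['version'],
      'publisher' => tool['vendor'] }.compact
  end
  sbom.merge('metadata' => sbom['metadata'].merge('tools' => { 'components' => components }))
end
```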
Steps to reproduce
- Fork my example repository
- Run a pipeline.
- Create a pipeline level dependency list export against that pipeline.
- The `Dependencies::ExportWorker` will fail with `Invalid CycloneDX report: property '/metadata/tools/0/vendor' is not of type: string`.
Example Project
https://gitlab.com/calebw/sbom-tools-validation-failure
What is the current bug behavior?
The exporter fails to process the new creation tools CDX format and no report is generated.
What is the expected correct behavior?
The exporter successfully processes the new creation tools CDX format and a report is generated.
Relevant logs and/or screenshots
(Internal use)
You can track down the error on GitLab.com by using this search in Kibana (update pipeline ID). Take the correlation ID from your POST request and plug it into the correlation dashboard to see the failed sidekiq jobs.
json.exception.class: "Dependencies::ExportSerializers::Sbom::PipelineService::SchemaValidationError",
json.json.exception.message: "Invalid CycloneDX report: property '/metadata/tools/0/vendor' is not of type: string",
Output of checks
This bug happens on GitLab.com