CycloneDX SBOM export fails validation when processing files with missing optional fields

Summary

The Dependency List Exports feature fails with a SchemaValidationError when exporting a CycloneDX SBOM whose optional fields are absent. The uploaded SBOM itself passes CycloneDX schema validation. The export fails because ingestion stores null for each absent optional field, and the exporter then emits those values as JSON null, which the CycloneDX schema rejects: it expects a string for these properties, or for the key to be omitted entirely.

For example:

  1. License objects without an SPDX identifier (stored as null)
  2. Components without a version (stored as null)

On export, the log then contains errors such as:

property '/components/181/licenses/1/license/id' is not of type: string,
property '/components/181/licenses/1/license/id' is not one of: <list_of_allowed_licenses>
property '/components/181/licenses/1/license/url' is not of type: string,
property '/components/188/version' is not of type: string, ...

Steps to reproduce

  1. Generate or obtain a valid CycloneDX SBOM that has any of these characteristics (for example):
    • Licenses with names but no SPDX identifiers
    • Components without version information
  2. Upload the SBOM as a CI artifact with the CycloneDX report type
  3. Attempt to export dependencies using the Dependency List Exports API
  4. Check the logs for the failure (on a GDK the errors appear in sidekiq.log, since the export runs in a Sidekiq worker)

Related RFH (Internal)

https://gitlab.com/gitlab-com/request-for-help/-/issues/2292+s

Example Project

cdx_validation_failure

Possible fixes

Modify the SBOM ingestion process so that absent optional fields are omitted rather than stored as null (see the discussion linked here).
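The failure mode described in the summary and the proposed fix, as an added Ruby example that is not GitLab's code: a naive exporter that serialises stored nils as JSON null, a compacting exporter that omits them, and a small checker that reproduces the constraints behind the logged errors. The component hashes, the SPDX subset and the checker are constructed stand-ins; GitLab's ingestion records and the real schema validator differ.

```ruby
require 'json'

# Constructed sample of what ingestion stores for two components whose optional
# fields were absent from the uploaded SBOM. The hash layout is a hypothetical
# stand-in for GitLab's records, not its actual schema.
INGESTED_COMPONENTS = [
  { name: 'left-pad', version: nil,
    licenses: [{ spdx_identifier: nil, name: 'Custom License', url: nil }] },
  { name: 'rails', version: '7.1.2',
    licenses: [{ spdx_identifier: 'MIT', name: nil, url: nil }] }
].freeze

# Constructed subset of the SPDX enum the schema checks license.id against.
ALLOWED_LICENSE_IDS = %w[MIT Apache-2.0 BSD-3-Clause].freeze

# Export as the bug report describes: every stored field is emitted, so a nil
# becomes a JSON null that the schema rejects.
def export_naive(components)
  {
    'bomFormat' => 'CycloneDX',
    'specVersion' => '1.4',
    'components' => components.map do |c|
      {
        'type' => 'library',
        'name' => c[:name],
        'version' => c[:version],
        'licenses' => c[:licenses].map do |l|
          { 'license' => { 'id' => l[:spdx_identifier], 'name' => l[:name], 'url' => l[:url] } }
        end
      }
    end
  }
end

# Recursively drop hash entries whose value is nil; arrays and scalars pass through.
def compact_nils(obj)
  case obj
  when Hash  then obj.each_with_object({}) { |(k, v), h| h[k] = compact_nils(v) unless v.nil? }
  when Array then obj.map { |v| compact_nils(v) }
  else obj
  end
end

# The proposed fix applied at the exporter boundary: absent optional fields are
# omitted rather than serialised as null.
def export_compact(components)
  compact_nils(export_naive(components))
end

# Minimal checker for the constraints behind the logged errors (type string for
# version/id/url, id in the SPDX enum) plus the CycloneDX rule that a license
# object carries exactly one of `id` or `name`. It is not a full schema validator.
def validate(doc)
  errors = []
  Array(doc['components']).each_with_index do |c, i|
    if c.key?('version') && !c['version'].is_a?(String)
      errors << "property '/components/#{i}/version' is not of type: string"
    end
    Array(c['licenses']).each_with_index do |entry, j|
      lic = entry['license']
      next unless lic
      path = "/components/#{i}/licenses/#{j}/license"
      if %w[id name].count { |k| lic.key?(k) } != 1
        errors << "property '#{path}' must contain exactly one of: id, name"
      end
      if lic.key?('id')
        errors << "property '#{path}/id' is not of type: string" unless lic['id'].is_a?(String)
        unless ALLOWED_LICENSE_IDS.include?(lic['id'])
          errors << "property '#{path}/id' is not one of: #{ALLOWED_LICENSE_IDS.join(', ')}"
        end
      end
      if lic.key?('url') && !lic['url'].is_a?(String)
        errors << "property '#{path}/url' is not of type: string"
      end
    end
  end
  errors
end

if $PROGRAM_NAME == __FILE__
  puts validate(export_naive(INGESTED_COMPONENTS))          # seven errors, matching the log shape above
  puts validate(export_compact(INGESTED_COMPONENTS)).inspect # => []
end
```

Two points worth checking whichever layer the fix lands in. First, dropping nils at the exporter also repairs SBOMs that were ingested before the fix, whereas a change only to ingestion leaves existing rows with nulls until they are re-ingested. Second, a CycloneDX license object must carry exactly one of `id` or `name`, so the compacted output is only valid if ingestion stores one of them; storing both, or neither, would still fail validation even with nulls removed.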
