Align Group-Level Dependency List with Latest Successful Project-Level Scan for Multiple Licenses

Why are we doing this work

The group-level Dependency List does not correctly sync with the most recent successful project-level scan when a component carries multiple licenses: the project-level list shows the full license list for the component, while the group-level list shows a stale or partial one.

[Screenshots: Project Level Dependency List; Group Level Dependency List]

Relevant links

Implementation plan

Verification steps

  1. Trigger a new pipeline for https://gitlab.com/gitlab-org/govern/threat-insights-demos/verification-projects/issue-482764:

    • Navigate to Build → Pipelines.
    • Manually run a new pipeline for the main branch and wait for it to succeed.
  2. Validate the pipeline results at the project level:

    • Go to the pipeline's License tab and confirm that the cryptography 44.0.2 component is present.
    • Verify that cryptography 44.0.2 is listed with the unknown license in Secure → Dependency List for the project.
  3. Filter the Dependency List results at the group level:

    • Navigate to Secure → Dependency List for the group that contains the project.
    • Filter by the unknown license.
    • Verify that fake/fake 0.0.1 is returned with its correct license list.
    • Verify that cryptography 44.0.2 is returned with its correct license list (the same list the project-level Dependency List shows, not a subset of it).
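The manual check above can be automated: export the project-level and group-level dependency lists, then compare the license set of every (name, version) pair. The script below is an added example written for this issue, not GitLab code; the JSON entries are constructed sample data (the license values for cryptography are assumptions, chosen so the group-level copy is stale), and the `name`/`version`/`licenses` field layout is an assumed shape, not the exact output of a GitLab export.

```python
"""Compare a project-level dependency list against the group-level one.

Added example, not part of the GitLab issue or the GitLab code base.
The record layout ({"name", "version", "licenses": [{"name"}]}) is an
assumption for this example, and the sample data is constructed.
"""
from __future__ import annotations

import json

# Constructed sample: what the latest successful project-level scan reported.
# cryptography carries several licenses, one of them "unknown".
PROJECT_LEVEL = json.loads("""
[
  {"name": "cryptography", "version": "44.0.2",
   "licenses": [{"name": "Apache-2.0"}, {"name": "BSD-3-Clause"}, {"name": "unknown"}]},
  {"name": "fake/fake", "version": "0.0.1",
   "licenses": [{"name": "unknown"}]},
  {"name": "requests", "version": "2.32.3",
   "licenses": [{"name": "Apache-2.0"}]}
]
""")

# Constructed sample: what the group-level list currently shows. It has not
# picked up the multi-license result for cryptography (the bug in this issue).
GROUP_LEVEL = json.loads("""
[
  {"name": "cryptography", "version": "44.0.2",
   "licenses": [{"name": "Apache-2.0"}]},
  {"name": "fake/fake", "version": "0.0.1",
   "licenses": [{"name": "unknown"}]},
  {"name": "requests", "version": "2.32.3",
   "licenses": [{"name": "Apache-2.0"}]}
]
""")


def license_set(entry: dict) -> frozenset[str]:
    """Normalised set of license names for one dependency entry.

    Case and surrounding whitespace are ignored so that "Unknown" and
    "unknown" compare equal; a set is used because license order carries
    no meaning in the list.
    """
    return frozenset(lic["name"].strip().lower() for lic in entry["licenses"])


def index_by_component(entries: list[dict]) -> dict[tuple[str, str], frozenset[str]]:
    """Map (name, version) -> license set."""
    return {(e["name"], e["version"]): license_set(e) for e in entries}


def find_drift(project: list[dict], group: list[dict]) -> dict:
    """Return every component whose group-level license set differs from
    the project-level one (or is missing at group level entirely).

    Only components present at project level are checked, because the
    project-level scan is the source of truth the group list must mirror.
    """
    proj, grp = index_by_component(project), index_by_component(group)
    drift = {}
    for key, proj_licenses in proj.items():
        grp_licenses = grp.get(key)
        if grp_licenses is None:
            drift[key] = {"project": sorted(proj_licenses), "group": None}
        elif grp_licenses != proj_licenses:
            drift[key] = {"project": sorted(proj_licenses),
                          "group": sorted(grp_licenses)}
    return drift


def filter_by_license(entries: list[dict], license_name: str) -> list[tuple[str, str]]:
    """Mimic the UI's license filter: components that carry license_name."""
    wanted = license_name.strip().lower()
    return sorted((e["name"], e["version"])
                  for e in entries if wanted in license_set(e))


if __name__ == "__main__":
    # Step 3 of the verification, done against the constructed data.
    print("unknown @ project:", filter_by_license(PROJECT_LEVEL, "unknown"))
    print("unknown @ group:  ", filter_by_license(GROUP_LEVEL, "unknown"))
    print("drift:", json.dumps({f"{n} {v}": d for (n, v), d in
                                find_drift(PROJECT_LEVEL, GROUP_LEVEL).items()},
                               indent=2))
```

With the constructed data, filtering the group-level list by the unknown license returns only fake/fake 0.0.1 and misses cryptography 44.0.2, which is exactly the symptom the verification steps check for; `find_drift` pinpoints the component and shows both license lists. Once the fix is in, the same comparison on real exports should return an empty drift map.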
Edited by Ugo Nnanna Okeadu