SBOM ingestion not triggered for some projects
Summary
In certain cases SBOMs do not get ingested, leading to a blank Dependency List and, as a result, no vulnerabilities from Dependency Scanning.
It has been reported to happen more often on larger/older groups with more data. It has also been observed to occur more often with PEP pipelines.
Other observations:
- No exceptions (Sentry) have yet been correlated with this problem.
- Kibana (Sidekiq logs) shows that Sbom::IngestReportsWorker is not triggered for pipelines that have been affected.
- Has not been reproduced in GDK.
Steps to reproduce
- CI config with a dependency-scanning (or gemnasium-dependency_scanning) job.
- Run pipeline for default branch.
- Observe that the sbom is valid and that artifacts were correctly picked up by the runner.
- Dependency List is empty.
- Vulnerability Report does not show any vulnerabilities from Dependency Scanning.
It's not clear how to reproduce this consistently, though several (internal) groups have consistently shown this behavior. Example: https://gitlab.com/gl-demo-ultimate-lstucker/testing-sec-pep/tanuki-racing
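As an added triage aid (not part of this issue or GitLab's code), the script below scans Sidekiq JSON log lines for the Sbom::IngestReportsWorker job and reports, per pipeline, whether ingestion was never enqueued, failed, or completed. It assumes GitLab's structured Sidekiq log fields class, args and job_status, and that the worker is enqueued with the pipeline id as its first argument; the log lines themselves are constructed for the example.

```python
import json

# Constructed sample Sidekiq log lines (one JSON object per line). Field names
# follow GitLab's structured Sidekiq logging (class, args, job_status), but the
# exact payload shape is an assumption for this example, not taken from the issue.
SAMPLE_LOG = """
{"class":"Ci::BuildFinishedWorker","args":["101"],"job_status":"done","meta.project":"grp/tanuki-racing"}
{"class":"Sbom::IngestReportsWorker","args":["5001"],"job_status":"done","meta.project":"grp/tanuki-racing"}
{"class":"Ci::BuildFinishedWorker","args":["102"],"job_status":"done","meta.project":"grp/other"}
{"class":"Sbom::IngestReportsWorker","args":["5002"],"job_status":"start","meta.project":"grp/other"}
{"class":"Sbom::IngestReportsWorker","args":["5002"],"job_status":"fail","meta.project":"grp/other"}
"""

INGEST_WORKER = "Sbom::IngestReportsWorker"


def parse_sidekiq_log(text):
    """Yield one dict per well-formed JSON line; blank or broken lines are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def ingestion_status(log_text, pipeline_ids):
    """Map each pipeline id to the last job_status logged for the ingest worker,
    or 'not_triggered' when no ingest job for that pipeline appears at all."""
    status = {str(pid): "not_triggered" for pid in pipeline_ids}
    for entry in parse_sidekiq_log(log_text):
        if entry.get("class") != INGEST_WORKER:
            continue
        args = entry.get("args") or []
        pid = str(args[0]) if args else None  # assumption: first arg is the pipeline id
        if pid in status:
            status[pid] = entry.get("job_status", "unknown")  # later lines win
    return status


def missing_ingestion(log_text, pipeline_ids):
    """Pipelines that produced an SBOM but never reached a 'done' ingest job."""
    return sorted(pid for pid, st in ingestion_status(log_text, pipeline_ids).items() if st != "done")


if __name__ == "__main__":
    # Pipeline ids known (from the job artifacts) to have produced a valid SBOM
    print(ingestion_status(SAMPLE_LOG, [5001, 5002, 5003]))
    print(missing_ingestion(SAMPLE_LOG, [5001, 5002, 5003]))
```

Pipelines reported as not_triggered match the observation above (no worker enqueued); a fail status points at the worker itself instead, which the issue says has not been seen so far.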
Example Project
n/a
What is the current bug behavior?
SBOM ingestion does not get triggered, preventing display of Dependency List and Dependency Scanning related vulnerabilities in the Vulnerability Report.
What is the expected correct behavior?
If an SBOM is produced by the default pipeline, it should result in ingestion and the rendering of the full Dependency List and related vulnerabilities in the Vulnerability Report.
Relevant logs and/or screenshots
Sidekiq shows.
Output of checks
This bug happens on GitLab.com
Results of GitLab environment info
Groups where this has been consistently reproduced.
Results of GitLab application Check
n/a
Possible fixes
n/a
Patch release information for backports
n/a
High-severity bug remediation
n/a