Ingest unknown licenses with occurrence count

What does this MR do and why?

This MR ensures that SBOM occurrences carrying unknown licenses are ingested correctly: unknown licenses are stored as a single entry whose name carries the number of occurrences, in the following format:

{
  "name": "<count> unknown",
  "spdx_identifier": "unknown",
  "url": null
}
State                 DB
All known licenses    Store only known licenses.
All unknown licenses  Store unknown licenses with their occurrence count included in the license name.
Mixed licenses        Store both known and unknown licenses, with the occurrence count for unknown licenses in the name.
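The three states above, worked as an added Ruby example (not GitLab's own ingestion code): known licenses are kept one per SPDX identifier, and every license without a usable SPDX identifier is folded into one "<count> unknown" entry. The record shape, the helper names and the sample occurrences are assumptions constructed for illustration.

```ruby
# Added example, not code from the GitLab project. The input record shape
# (:name, :spdx_identifier, :url) and the helper names are assumptions.

UNKNOWN_SPDX_ID = "unknown".freeze

# A license counts as known only when it carries a non-empty SPDX identifier
# other than the literal "unknown" placeholder.
def known_license?(record)
  id = record[:spdx_identifier].to_s.strip
  !id.empty? && id.downcase != UNKNOWN_SPDX_ID
end

# Build the stored license list for one component from its raw license records.
# Known licenses are de-duplicated by SPDX identifier; unknown ones collapse
# into a single entry named "<count> unknown" (all-known input yields no such entry).
def ingest_licenses(records)
  known, unknown = records.partition { |r| known_license?(r) }

  stored = known
    .uniq { |r| r[:spdx_identifier] }
    .map { |r| { "name" => r[:name], "spdx_identifier" => r[:spdx_identifier], "url" => r[:url] } }

  unless unknown.empty?
    stored << {
      "name" => "#{unknown.size} unknown",
      "spdx_identifier" => UNKNOWN_SPDX_ID,
      "url" => nil
    }
  end

  stored
end

# Read the occurrence count back out of a stored list (what a dependency list
# would show); returns 0 when no unknown entry is present.
def unknown_count(stored)
  entry = stored.find { |l| l["spdx_identifier"] == UNKNOWN_SPDX_ID }
  return 0 unless entry

  match = entry["name"].match(/\A(\d+) unknown\z/)
  match ? match[1].to_i : 0
end

# Constructed sample occurrences covering the three states from the table.
SAMPLE_OCCURRENCES = {
  all_known: [
    { name: "MIT", spdx_identifier: "MIT", url: "https://spdx.org/licenses/MIT.html" },
    { name: "Apache 2.0", spdx_identifier: "Apache-2.0", url: "https://spdx.org/licenses/Apache-2.0.html" }
  ],
  all_unknown: [
    { name: "custom license", spdx_identifier: nil, url: nil },
    { name: "see LICENSE file", spdx_identifier: "", url: nil }
  ],
  mixed: [
    { name: "BSD 3-Clause", spdx_identifier: "BSD-3-Clause", url: "https://spdx.org/licenses/BSD-3-Clause.html" },
    { name: "custom license", spdx_identifier: nil, url: nil },
    { name: "BSD 3-Clause", spdx_identifier: "BSD-3-Clause", url: "https://spdx.org/licenses/BSD-3-Clause.html" },
    { name: "unknown", spdx_identifier: "unknown", url: nil }
  ]
}.freeze

if $PROGRAM_NAME == __FILE__
  SAMPLE_OCCURRENCES.each do |state, records|
    stored = ingest_licenses(records)
    puts "#{state}: #{stored.inspect} (unknown count: #{unknown_count(stored)})"
  end
end
```

For the mixed sample the duplicate BSD-3-Clause record collapses to one known entry and the two records without a real SPDX identifier become `{"name" => "2 unknown", "spdx_identifier" => "unknown", "url" => nil}`, which is the entry the dependency list was previously dropping.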

References

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

Before: Unknown licenses not displayed for mixed licenses.
After: Unknown licenses displayed with their count.

How to set up and validate locally

  1. Clone the example project:

  2. Switch to the main branch.

  3. Sync your local GDK with the package metadata.

    • You may need to delete the Sbom::Occurrence records using the Rails console by running Sbom::Occurrence.destroy_all.
  4. Trigger a new pipeline:

    • Navigate to the Build->Pipelines section in GitLab.
    • Manually create a new pipeline for the main branch.
  5. Validate the pipeline results:

    • Go to the License tab and confirm the presence of the markupsafe license.
    • Verify that the markupsafe unknown license is not listed in the Secure->Dependency List.
  6. Switch to this merge request branch.

  7. Repeat steps 4 and 5 for this branch.

  8. Verify the following:

    • The License tab still displays the markupsafe license.
    • The Dependency List now includes the markupsafe unknown license.
Edited by Ugo Nnanna Okeadu
