Filter unknown licences by SPDX identifier for SBOM occurrences

What does this MR do and why?

This MR updates the SBOM occurrence filtering logic to use the SPDX identifier when identifying unknown licenses.
These changes align with the recent updates to license data handling in !179373 (merged).

Previous Query:

SELECT "sbom_occurrences".*
FROM "sbom_occurrences"
WHERE (
    (licenses#>'{0,spdx_identifier}' ?| array['MPL-2.0'])
    OR (licenses#>'{1,spdx_identifier}' ?| array['MPL-2.0'])
    OR licenses = '[]' -- Matches license with 'unknown' spdx_identifiers
);

Updated Queries:

Feature Disabled sbom_ingest_unknown_licenses_with_count:

SELECT "sbom_occurrences".*
FROM "sbom_occurrences"
WHERE (
    (licenses#>>'{0,spdx_identifier}') = ANY(ARRAY['MPL-2.0'])
    OR (licenses#>>'{1,spdx_identifier}') = ANY(ARRAY['MPL-2.0'])
    OR jsonb_array_length(licenses) = 0 -- Matches license with 'unknown' spdx_identifiers
);

Feature Enabled sbom_ingest_unknown_licenses_with_count:

SELECT "sbom_occurrences".*
FROM "sbom_occurrences"
WHERE (
    (licenses#>>'{0,spdx_identifier}') = ANY(ARRAY['MPL-2.0', 'unknown'])
    OR (licenses#>>'{1,spdx_identifier}') = ANY(ARRAY['MPL-2.0', 'unknown'])
);
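An added example, not part of this MR, that evaluates the three WHERE clauses above side by side against a scratch PostgreSQL table with constructed rows, so the rows each version matches (and the edge cases: empty array, explicit 'unknown' entry, match beyond index 1) are visible per row. The table name and the jsonb shape are assumed from the queries in the description.

```sql
-- Constructed scratch table mirroring only the column the filter touches.
CREATE TEMP TABLE sbom_occurrences (id int PRIMARY KEY, licenses jsonb NOT NULL);

-- Constructed sample rows (not real SBOM data).
INSERT INTO sbom_occurrences VALUES
  (1, '[{"spdx_identifier": "MPL-2.0", "name": "Mozilla Public License 2.0"}]'),
  (2, '[{"spdx_identifier": "MIT"}, {"spdx_identifier": "MPL-2.0"}]'),
  (3, '[]'),                                                   -- no license entries at all
  (4, '[{"spdx_identifier": "unknown", "name": "unknown"}]'),  -- ingested with explicit 'unknown'
  (5, '[{"spdx_identifier": "MIT"}, {"spdx_identifier": "Apache-2.0"}, {"spdx_identifier": "MPL-2.0"}]');

-- Each column is one version of the WHERE clause. COALESCE only turns NULL
-- into false for display; inside a WHERE clause NULL and false both exclude the row.
SELECT id,
       -- previous query: jsonb ?| against the extracted element, plus the '[]' check
       COALESCE(
         (licenses#>'{0,spdx_identifier}' ?| array['MPL-2.0'])
         OR (licenses#>'{1,spdx_identifier}' ?| array['MPL-2.0'])
         OR licenses = '[]', false)                                        AS previous,
       -- updated query, flag disabled: text extraction plus array-length check
       COALESCE(
         (licenses#>>'{0,spdx_identifier}') = ANY(ARRAY['MPL-2.0'])
         OR (licenses#>>'{1,spdx_identifier}') = ANY(ARRAY['MPL-2.0'])
         OR jsonb_array_length(licenses) = 0, false)                       AS flag_disabled,
       -- updated query, flag enabled: 'unknown' is matched like any other SPDX id
       COALESCE(
         (licenses#>>'{0,spdx_identifier}') = ANY(ARRAY['MPL-2.0', 'unknown'])
         OR (licenses#>>'{1,spdx_identifier}') = ANY(ARRAY['MPL-2.0', 'unknown']), false) AS flag_enabled
FROM sbom_occurrences
ORDER BY id;

-- Expected result:
--  id | previous | flag_disabled | flag_enabled
--   1 | t        | t             | t
--   2 | t        | t             | t
--   3 | t        | t             | f   (empty array is only "unknown" while the flag is off)
--   4 | f        | f             | t   (explicit 'unknown' entry is only matched with the flag on)
--   5 | f        | f             | f   (MPL-2.0 at index 2 is never inspected by any version)
```

Rows 3 and 4 show the behaviour change the flag gates: with it enabled, the unknown filter relies on ingestion having written an explicit 'unknown' entry, and an occurrence with no license entries at all is no longer returned.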

References

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

Before: Unknown licenses filtered
After: Unknown licenses filtered by SPDX ID

How to Set Up and Validate Locally

  1. Clone the example project:

  2. Switch to the main branch.

  3. Sync your local GDK with the package metadata.

    • You may need to delete the Sbom::Occurrence records using the Rails console by running:
      Sbom::Occurrence.destroy_all
  4. Trigger a new pipeline:

    • Navigate to Build → Pipelines in GitLab.
    • Manually create a new pipeline for the main branch.
  5. Filter the Dependency List results:

    • This step should be done at the group level.
    • Navigate to Secure → Dependency List for the group where the project is located.
    • Follow the instructions in the referenced video GitLab 17.5 - Dependency List (SBOM) Filtering (https://www.youtube.com/watch?v=uzW9hfbYd8M) and filter by License.
  6. Verify results:

    • Components with an MIT license are correctly filtered.
    • Components with an unknown license are correctly filtered.
  7. Switch to this merge request branch.

  8. Refresh page and repeat step 6 for this branch.

  9. Enable the feature flag sbom_ingest_unknown_licenses_with_count from your Rails console.

    Feature.enable(:sbom_ingest_unknown_licenses_with_count)
  10. Repeat steps 4, 5, and 6 with the feature enabled.

Edited by Ugo Nnanna Okeadu
