Fix SBOM ingestion for CS CycloneDX reports
What does this MR do and why?
A lot has changed in the ingestion-related code, so it is not easy to pinpoint at which point the ingestion of CS CycloneDX reports stopped working when no other security reports are present.
Previously, the SBOM ingestion worker was triggered:
- After a pipeline completed when no other security report was provided
- After the main ingestion workflow of the security reports
As mentioned above, a lot has changed in this part of the codebase, and it seems that the SBOM ingestion worker is now only triggered when other security reports are present or when the SBOM file is of the dependency scanning type. Unlike the previous workflow, the SecurityReportBuilder is now involved in the code flow, but it only supports dependency scanning report types.
This MR fixes SBOM ingestion for container scanning CycloneDX reports.
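The trigger condition described above, as a stand-alone illustration (this is added example code, not GitLab's SecurityReportBuilder or ingestion worker). It assumes, for the purpose of the example, that the report type of a CycloneDX SBOM can be derived from the `gitlab:*` namespace of its `metadata.properties` (as in the `gitlab:container_scanning:*` properties of the sample SBOM below; the `gitlab:dependency_scanning:*` property name used for the DS sample is an assumption). `enqueue_sbom_ingestion?` models the "other security report present OR supported SBOM type" decision, with `include_container_scanning: false` standing for the pre-fix behaviour and the default standing for the fixed behaviour:

```ruby
require 'json'

# Constructed sample: a trimmed container-scanning CycloneDX SBOM with the
# same metadata property shape as gl-sbom.cdx.json used in the validation steps.
CS_SBOM = {
  'bomFormat' => 'CycloneDX',
  'specVersion' => '1.6',
  'metadata' => {
    'properties' => [
      { 'name' => 'gitlab:meta:schema_version', 'value' => '1' },
      { 'name' => 'gitlab:container_scanning:image:name', 'value' => 'alpine' },
      { 'name' => 'gitlab:container_scanning:image:tag', 'value' => '3.15' }
    ]
  },
  'components' => [
    { 'type' => 'operating-system', 'name' => 'alpine', 'version' => '3.15.11' }
  ]
}.to_json

# Constructed sample: a dependency-scanning SBOM. The property name used here
# is an assumption made for this example, not taken from the MR.
DS_SBOM = {
  'bomFormat' => 'CycloneDX',
  'specVersion' => '1.6',
  'metadata' => {
    'properties' => [
      { 'name' => 'gitlab:meta:schema_version', 'value' => '1' },
      { 'name' => 'gitlab:dependency_scanning:input_file:path', 'value' => 'Gemfile.lock' }
    ]
  },
  'components' => [
    { 'type' => 'library', 'name' => 'rails', 'version' => '7.1.3' }
  ]
}.to_json

# Classify a CycloneDX document by the gitlab:* namespace of its metadata
# properties. Returns :container_scanning, :dependency_scanning or :unknown.
# Anything that is not a CycloneDX BOM (or has no recognisable properties)
# is :unknown rather than being guessed.
def sbom_report_type(raw_json)
  bom = JSON.parse(raw_json)
  return :unknown unless bom['bomFormat'] == 'CycloneDX'

  names = (bom.dig('metadata', 'properties') || []).map { |p| p['name'].to_s }
  return :container_scanning if names.any? { |n| n.start_with?('gitlab:container_scanning:') }
  return :dependency_scanning if names.any? { |n| n.start_with?('gitlab:dependency_scanning:') }

  :unknown
rescue JSON::ParserError
  :unknown
end

# Hypothetical trigger decision for an SBOM ingestion worker, mirroring the two
# conditions from the description: enqueue when other security reports exist,
# or when at least one SBOM is of a supported report type.
# include_container_scanning: false reproduces the pre-fix behaviour, where only
# dependency scanning SBOMs were supported.
def enqueue_sbom_ingestion?(sbom_types, other_security_reports:, include_container_scanning: true)
  return true if other_security_reports

  supported = [:dependency_scanning]
  supported << :container_scanning if include_container_scanning
  sbom_types.any? { |type| supported.include?(type) }
end

if __FILE__ == $PROGRAM_NAME
  types = [sbom_report_type(CS_SBOM)]
  puts "CS-only pipeline, before fix: #{enqueue_sbom_ingestion?(types, other_security_reports: false, include_container_scanning: false)}"
  puts "CS-only pipeline, after fix:  #{enqueue_sbom_ingestion?(types, other_security_reports: false)}"
end
```

Running the file prints `false` for the pre-fix case and `true` for the fixed case, which is exactly the symptom of the related issue: a pipeline whose only report is a container scanning CycloneDX SBOM never enqueued ingestion.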
References
Related issue: Container Scanning CycloneDX SBOM reports not i... (#564475 - closed) • Zamir Martins • 18.5
Screenshots or screen recordings
| Before | After |
|---|---|
| ![]() | ![]() |
How to set up and validate locally
- Create a project and run the pipeline on the default branch with the following files:
.gitlab-ci.yml:
```yaml
container_scanning:
  stage: test
  artifacts:
    access: 'developer'
    reports:
      cyclonedx: gl-sbom.cdx.json
    paths: ["**/gl-container-scanning*.json", "**/gl-sbom.cdx.json"]
  script:
    - echo 'testing container scanning'
```
gl-sbom.cdx.json:
```json
{
  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:dbe97a38-3c50-4fbc-9f38-75043b60ca5c",
  "version": 1,
  "metadata": {
    "timestamp": "2025-08-22T22:21:47+00:00",
    "tools": {
      "components": [
        {
          "type": "application",
          "manufacturer": {
            "name": "Aqua Security Software Ltd."
          },
          "group": "aquasecurity",
          "name": "trivy",
          "version": "0.65.0"
        }
      ]
    },
    "properties": [
      {
        "name": "gitlab:meta:schema_version",
        "value": "1"
      },
      {
        "name": "gitlab:container_scanning:image:name",
        "value": "alpine"
      },
      {
        "name": "gitlab:container_scanning:image:tag",
        "value": "3.15"
      },
      {
        "name": "gitlab:container_scanning:operating_system:name",
        "value": "alpine"
      },
      {
        "name": "gitlab:container_scanning:operating_system:version",
        "value": "3.15.11"
      }
    ]
  },
  "components": [
    {
      "bom-ref": "23b9cc5e-72f3-428f-a437-a21ac8d96f6e",
      "type": "operating-system",
      "name": "alpine",
      "version": "3.15.11",
      "properties": [
        {
          "name": "aquasecurity:trivy:Class",
          "value": "os-pkgs"
        },
        {
          "name": "aquasecurity:trivy:Type",
          "value": "alpine"
        }
      ]
    }
  ],
  "dependencies": [],
  "vulnerabilities": []
}
```
- Go to Secure > Dependency List
- Without this change, no dependencies are listed for the pipeline; with it, the components from gl-sbom.cdx.json are ingested and shown.
MR acceptance checklist
Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.