Draft: Fix ingestion of urls for custom licenses

What does this MR do and why?

This change is only applicable to licenses provided by CycloneDX reports.

There is an existing upstream bug that caused some failures in container-scanning-related CycloneDX reports:

      "licenses": [
        {
          "license": {
            "name": "GPL-3.0-or-later AND GPL-3.0-or-later WITH exceptions AND GPL-2.0-or-later WITH exceptions AND LGPL-2.0-or-later AND BSD-3-Clause"
          }
        }
      ]

This MR fixes ingestion of URLs for custom licenses, as those should be provided by the CycloneDX report, since we can't guarantee that they are going to be SPDX compliant.

As a side effect, URL links won't be available for custom licenses.
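The distinction described above, as an added Ruby example that is not GitLab's own ingestion code: a license with an SPDX `id` gets a derived URL (the spdx.org page pattern is an assumption), while a name-only custom license keeps only a URL the report itself carries, so no URL is derived from the free-form name. The sample component and `SPDX_URL_PATTERN` are constructed here.

```ruby
require 'json'

# Minimal CycloneDX license extraction illustrating the behaviour this MR
# describes (illustration only, not GitLab's ingestion code). An entry with an
# SPDX `id` gets a URL derived from the SPDX list (assumed URL pattern); a custom
# license, which only carries a `name`, gets a URL only if the report itself
# supplies one, because the name cannot be assumed to be SPDX compliant.
LicenseEntry = Struct.new(:name, :spdx_id, :url, :custom, keyword_init: true)

SPDX_URL_PATTERN = 'https://spdx.org/licenses/%s.html' # assumed pattern

def license_entries(component)
  Array(component['licenses']).filter_map do |wrapper|
    license = wrapper['license']
    next unless license # `expression` entries are out of scope here

    spdx_id = license['id']
    if spdx_id
      LicenseEntry.new(name: spdx_id, spdx_id: spdx_id,
                       url: license['url'] || format(SPDX_URL_PATTERN, spdx_id),
                       custom: false)
    else
      # Custom license: never derive a URL from the free-form name.
      LicenseEntry.new(name: license['name'], spdx_id: nil,
                       url: license['url'], custom: true)
    end
  end
end

# Constructed sample mirroring the license shape quoted in the MR description.
SAMPLE_COMPONENT = JSON.parse(<<~JSON)
  {
    "name": "example-pkg",
    "licenses": [
      { "license": { "id": "MIT" } },
      { "license": { "name": "GPL-3.0-or-later AND GPL-3.0-or-later WITH exceptions AND GPL-2.0-or-later WITH exceptions AND LGPL-2.0-or-later AND BSD-3-Clause" } },
      { "license": { "name": "Vendor EULA", "url": "https://example.invalid/eula" } }
    ]
  }
JSON

if __FILE__ == $PROGRAM_NAME
  license_entries(SAMPLE_COMPONENT).each do |e|
    puts "#{e.custom ? 'custom' : 'spdx  '} #{e.name.inspect} url=#{e.url.inspect}"
  end
end
```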

It is important to note that custom licenses can be disabled via the security configuration page:

Screenshot_2025-08-27_at_10.22.48

References

Related issue: Cyclonedx based licenses fails for some trivy v... (#565978 - closed)

Screenshots or screen recordings

Before Screenshot_2025-08-27_at_10.27.58
After Screenshot_2025-08-27_at_09.42.13

How to set up and validate locally

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Zamir Martins
