Resolve "Dependency list export with API silently fails license validation"

What does this MR do and why?

Removes the runtime schema validation error from the Pipeline SBoM report export and replaces it with log messages.

When we throw a schema validation error during export, the job remains in a perpetually failing state.

The data for this report comes from our DB, and one case that can cause a failure is a license whose license ID is not in our static license list (e.g. unknown licenses, which we store with a non-standard license ID).
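The failure mode and the fix, as an added illustration that is not code from this MR or from GitLab: a stand-in static SPDX list, a validator that raises (before) beside one that logs (after), and a simulated export job whose status stays at has_finished: false whenever the validator raises. The license list, the CycloneDX-style component layout and the "unknown" ID are constructed assumptions.

```ruby
require 'json'
require 'logger'

# Constructed stand-in for GitLab's static SPDX license list (assumption).
KNOWN_SPDX_IDS = %w[MIT Apache-2.0 BSD-3-Clause GPL-3.0-only].freeze

class SchemaValidationError < StandardError; end

# Collect license IDs from every component (CycloneDX-style layout, assumed)
# and return the ones not present in the static list.
def unknown_license_ids(sbom)
  ids = sbom.fetch('components', []).flat_map do |component|
    component.fetch('licenses', []).map { |l| l.dig('license', 'id') }
  end
  ids.compact.reject { |id| KNOWN_SPDX_IDS.include?(id) }
end

# Before the change: an unknown ID raises and aborts the export.
def validate_licenses!(sbom)
  bad = unknown_license_ids(sbom)
  raise SchemaValidationError, "license ids not in static list: #{bad.join(', ')}" unless bad.empty?
end

# After the change: the same condition is logged and the export continues.
def validate_licenses_with_logging(sbom, logger)
  bad = unknown_license_ids(sbom)
  logger.warn("SBOM export: license ids not in static list: #{bad.join(', ')}") unless bad.empty?
end

# Simulated export job: any validation error leaves the status unfinished,
# which is what the API caller keeps polling against.
def run_export(sbom, validator)
  validator.call(sbom)
  { 'has_finished' => true, 'report' => JSON.generate(sbom) }
rescue SchemaValidationError => e
  { 'has_finished' => false, 'error' => e.message }
end

def export_before(sbom) = run_export(sbom, method(:validate_licenses!))

def export_after(sbom, logger: Logger.new($stdout))
  run_export(sbom, ->(s) { validate_licenses_with_logging(s, logger) })
end

# Constructed sample: one standard license and one non-standard ID used
# for a license whose identity is unknown.
SAMPLE_SBOM = {
  'bomFormat' => 'CycloneDX',
  'components' => [
    { 'name' => 'rails', 'licenses' => [{ 'license' => { 'id' => 'MIT' } }] },
    { 'name' => 'mystery-gem', 'licenses' => [{ 'license' => { 'id' => 'unknown' } }] }
  ]
}.freeze
```

Running export_before(SAMPLE_SBOM) returns a hash with "has_finished" => false and the error message, while export_after(SAMPLE_SBOM) warns once and returns "has_finished" => true with the report.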

References

#563882 (comment 2713258422)

How to set up and validate locally

Before change:

  1. Have a GitLab project with dependencies that use SPDX license IDs not included in GitLab's static validation list
  2. Attempt to export the dependency list in SBOM format using the API:
  3. Check the export status repeatedly; it will remain stuck at "has_finished": false

After change: the export will complete, and the report will be downloadable.

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #563882 (closed)

Edited by Harrison Peters
