Surface error when SBOM missing required vulnerability scanning properties
What does this MR do and why?
This MR surfaces an error to users when vulnerability scanning silently fails due to missing required GitLab CycloneDX metadata properties.
Problem
When an SBOM is missing required GitLab metadata properties (e.g. `gitlab:dependency_scanning:input_file:path`), the source object becomes `nil` during parsing. In `CreateVulnerabilitiesService`, the report is then silently skipped:

```ruby
next unless sbom_report.source.present?
```
This commonly occurs when using tools like cyclonedx merge that strip metadata properties. Users have no visibility into why vulnerability scanning produces no results.
Solution
Backend Changes:
- Modified `CreateVulnerabilitiesService` to track missing-source errors and persist them via `set_sbom_report_ingestion_errors`
- Updated `set_sbom_report_ingestion_errors` to append errors instead of overwriting, allowing both `IngestReportsService` and `CreateVulnerabilitiesService` to contribute errors
- Added a `normalize_sbom_error` method to handle multiple error formats (Hash with `message`/`help_link`, Array, String) for backward compatibility
Frontend Changes:
- Enhanced the `SbomReportsErrorsAlert` component with a `parseError` method to normalize error objects
- Added support for rendering help links directly in error messages when available
- Added "Learn more" link text for contextual help
Error Format: Errors now support both the legacy string format and a new structured format with help links:

```ruby
{ message: "Error description", help_link: "path/to/documentation" }
```
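To make the backend flow concrete, here is an added Ruby model of the behaviour described in the Problem and Solution sections above. It is example code written for this description, not code from GitLab's services: the method names mirror the MR's, but the bodies are illustrative. Assumptions are marked in comments, namely which `gitlab:*` properties count as required (only `gitlab:dependency_scanning:input_file:path` is named in this MR) and the documentation path used as `help_link`. The constructed `STRIPPED_SBOM` input reproduces the failure mode: a report with no `metadata.properties` yields a `nil` source, and the error it produces is appended to an existing legacy string error rather than replacing it.

```ruby
require 'json'

# Added example, not code from GitLab's own services. It models in miniature
# the backend flow this MR describes: a CycloneDX report whose metadata lacks
# the required gitlab:* properties yields a nil source, and rather than being
# skipped silently the report records an ingestion error that is appended to
# (not overwriting) errors recorded earlier by another service.
module SbomIngestionExample
  # Assumption for this example: which properties count as required. Only
  # gitlab:dependency_scanning:input_file:path is named in the MR itself.
  REQUIRED_PROPERTIES = %w[
    gitlab:dependency_scanning:input_file:path
    gitlab:dependency_scanning:package_manager:name
  ].freeze

  # Hypothetical documentation path used as the help link.
  MISSING_SOURCE_HELP_LINK =
    'user/application_security/dependency_scanning/#cyclonedx-metadata-properties'.freeze

  # CycloneDX metadata.properties is an array of { name, value } pairs.
  def self.property_values(sbom)
    Array(sbom.dig('metadata', 'properties'))
      .each_with_object({}) { |prop, acc| acc[prop['name']] = prop['value'] }
  end

  # Required properties that are absent or blank.
  def self.missing_properties(sbom)
    values = property_values(sbom)
    REQUIRED_PROPERTIES.reject { |name| values[name].to_s != '' }
  end

  # Returns a source hash when every required property is present, otherwise
  # nil: the nil that makes CreateVulnerabilitiesService skip the report.
  def self.source_from(sbom)
    return nil unless missing_properties(sbom).empty?

    values = property_values(sbom)
    { input_file: values['gitlab:dependency_scanning:input_file:path'],
      package_manager: values['gitlab:dependency_scanning:package_manager:name'] }
  end

  # Accepts the three shapes the MR's normalize_sbom_error handles (structured
  # Hash, Array of errors, legacy String) and always returns an Array of
  # { message:, help_link: } hashes so the frontend has one format to render.
  def self.normalize_error(error)
    case error
    when nil then []
    when Array then error.flat_map { |e| normalize_error(e) }
    when Hash
      e = error.transform_keys(&:to_sym)
      [{ message: e[:message].to_s, help_link: e[:help_link] }]
    else
      [{ message: error.to_s, help_link: nil }]
    end
  end

  # Append rather than overwrite: IngestReportsService may already have
  # recorded errors when CreateVulnerabilitiesService adds its own.
  def self.set_sbom_report_ingestion_errors(existing, new_errors)
    normalize_error(existing) + normalize_error(new_errors)
  end

  # One ingestion step. Returns the report's error list; an empty list means
  # a source was present and vulnerability creation would proceed.
  def self.ingest(sbom, existing_errors: [])
    return normalize_error(existing_errors) if source_from(sbom)

    missing = missing_properties(sbom).join(', ')
    set_sbom_report_ingestion_errors(
      existing_errors,
      { message: "Vulnerability scanning skipped: SBOM metadata is missing required properties (#{missing})",
        help_link: MISSING_SOURCE_HELP_LINK }
    )
  end
end

# Constructed sample inputs (not captured from a real pipeline).
STRIPPED_SBOM = JSON.parse(<<~JSON)
  { "bomFormat": "CycloneDX", "specVersion": "1.4",
    "metadata": { "tools": [{ "vendor": "GitLab", "name": "Gemnasium" }] },
    "components": [{ "name": "lodash", "version": "4.17.20",
                     "purl": "pkg:npm/lodash@4.17.20", "type": "library" }] }
JSON

COMPLETE_SBOM = JSON.parse(<<~JSON)
  { "bomFormat": "CycloneDX", "specVersion": "1.4",
    "metadata": { "properties": [
      { "name": "gitlab:dependency_scanning:input_file:path", "value": "package-lock.json" },
      { "name": "gitlab:dependency_scanning:package_manager:name", "value": "npm" } ] },
    "components": [] }
JSON

if __FILE__ == $PROGRAM_NAME
  p SbomIngestionExample.ingest(COMPLETE_SBOM)
  p SbomIngestionExample.ingest(STRIPPED_SBOM, existing_errors: 'Legacy ingestion error')
end
```

Running the file prints an empty error list for the complete report and a two-element list for the stripped one: the legacy string first, normalized to `{ message:, help_link: nil }`, then the structured missing-properties error with its help link. Normalizing at the boundary is what lets the frontend `parseError` treat every entry the same way regardless of which service produced it.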
References
No user notification when SBOM vulnerability sc... (#542813 - closed)
Screenshots or screen recordings
Displaying error when missing required gitlab metadata properties on SBOM:
Displaying multiple sbom errors:
How to set up and validate locally
GDK Setup
- Check out this branch: `display-errors-on-sbom-missing-properties`
- Create an empty project.
- Add the following files to the project:

`.gitlab-ci.yml`:

```yaml
test-sbom-with-missing-metadata:
  script: echo "Testing sbom without gitlab metadata"
  artifacts:
    access: developer
    reports:
      cyclonedx: "gl-sbom-*.cdx.json"
```
`gl-sbom-npm-npm.cdx.json` (note that `metadata` carries no `properties` entry, so the required `gitlab:*` properties are absent):

```json
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "serialNumber": "urn:uuid:c262d55c-5e5d-4dd7-bd6f-9defdd2cfdec",
  "version": 1,
  "metadata": {
    "timestamp": "2025-09-05T16:50:16Z",
    "tools": [
      {
        "vendor": "GitLab",
        "name": "Gemnasium",
        "version": "6.1.10"
      }
    ],
    "authors": [
      {
        "name": "GitLab",
        "email": "support@gitlab.com"
      }
    ]
  },
  "components": [
    {
      "name": "@babel/core",
      "version": "7.23.0",
      "purl": "pkg:npm/%40babel/core@7.23.0",
      "type": "library",
      "bom-ref": "pkg:npm/%40babel/core@7.23.0"
    },
    {
      "name": "@types/koa-passport",
      "version": "file:common-js/@types/koa-passport",
      "purl": "pkg:npm/%40types/koa-passport@file%3Acommon-js%2F%40types%2Fkoa-passport",
      "type": "library",
      "bom-ref": "pkg:npm/%40types/koa-passport@file%3Acommon-js%2F%40types%2Fkoa-passport"
    },
    {
      "name": "lodash",
      "version": "4.17.20",
      "purl": "pkg:npm/lodash@4.17.20",
      "type": "library",
      "bom-ref": "pkg:npm/lodash@4.17.20"
    },
    {
      "name": "axios",
      "version": "0.21.1",
      "purl": "pkg:npm/axios@0.21.1",
      "type": "library",
      "bom-ref": "pkg:npm/axios@0.21.1"
    },
    {
      "name": "minimist",
      "version": "1.2.5",
      "purl": "pkg:npm/minimist@1.2.5",
      "type": "library",
      "bom-ref": "pkg:npm/minimist@1.2.5"
    }
  ]
}
```

- Once CI has finished, you should be able to see the following error in the pipeline's Security tab:
Notes
- This error only appears on the default branch, since SBOM ingestion runs exclusively there
- The implementation maintains backward compatibility with legacy string error formats
MR acceptance checklist
Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.