Parse cyclonedx reports license expressions

What does this MR do and why?

Update parsing logic so cyclonedx reports have licenses expressions. This isn't applicable to dependency list as this MR doesn't touch the actual ingestion of licenses.

References

Related issue: SPDX License expressions in GitLab (gitlab-org#21946) • Zamir Martins • 19.2

Screenshots or screen recordings

Merge request page

Screenshot_2026-06-24_at_16.52.35

License compliance report

Screenshot_2026-06-24_at_17.02.09

License tab (under pipeline page)

Screenshot_2026-06-24_at_17.02.33

How to set up and validate locally

  1. Enabled FF cyclonedx_license_expression_ingestion
  2. Create a group with one regular project and a policy project
  3. The security policy project should have the following content: policy.yml
approval_policy:
  - name: Block GPL licenses
    description: Require approval when a GPL-3.0-only license (incl. via SPDX expression) is detected
    enabled: true
    rules:
      - type: license_finding
        branches: []
        license_states:
          - newly_detected
          - detected
        licenses:
          denied:
            - name: "GNU General Public License v3.0 only"
    actions:
      - type: require_approval
        approvals_required: 1
        role_approvers:
          - owner
  1. On the default branch of the regular project, create a gitlab ci file that ingest cyclone reports, without license expressions, like the following:

gitlab-ci.yml

stages:
  - test

license_scanning:
  stage: test
  image: alpine:latest
  script:
    - echo "Publishing CycloneDX SBOM as license report"
    - cp sbom-source.cdx.json gl-sbom.cdx.json
    - cat gl-sbom.cdx.json
  artifacts:
    reports:
      cyclonedx: gl-sbom.cdx.json

sbom-source.cdx.json

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "serialNumber": "urn:uuid:0d2e62cc-b4bd-423e-8817-3a1102f7c3c6",
  "version": 1,
  "metadata": {
    "timestamp": "2026-06-23T00:00:00Z",
    "tools": [
      {
        "vendor": "gitlab",
        "name": "manual-test",
        "version": "1.0"
      }
    ],
    "component": {
      "name": "expr-project",
      "version": "0.0.1",
      "type": "application"
    }
  },
  "components": [
    {
      "name": "lodash",
      "version": "4.17.21",
      "type": "library",
      "purl": "pkg:npm/lodash@4.17.21",
      "bom-ref": "pkg:npm/lodash@4.17.21",
      "licenses": [
        {
          "license": {
            "id": "MIT"
          }
        }
      ]
    }
  ]
}
  1. Open a MR to against the default branch with a new component that has license expressions:
    {
      "name": "evil-lib",
      "version": "1.0.0",
      "type": "library",
      "purl": "pkg:npm/evil-lib@1.0.0",
      "bom-ref": "pkg:npm/evil-lib@1.0.0",
      "licenses": [
        {
          "expression": "MIT AND GPL-3.0-only"
        }
      ]
    }
  1. Expected: There should be a policy violation flaged on the MR widget, license tab under pipeline page and license compliance report. See the screenshots above as an example.

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Oscar Tovar

Merge request reports

Loading