Parse cyclonedx reports license expressions
What does this MR do and why?
Update parsing logic so cyclonedx reports have licenses expressions. This isn't applicable to dependency list as this MR doesn't touch the actual ingestion of licenses.
References
Related issue: SPDX License expressions in GitLab (gitlab-org#21946) • Zamir Martins • 19.2
Screenshots or screen recordings
Merge request page
License compliance report
License tab (under pipeline page)
How to set up and validate locally
- Enabled FF
cyclonedx_license_expression_ingestion - Create a group with one regular project and a policy project
- The security policy project should have the following content:
policy.yml
approval_policy:
- name: Block GPL licenses
description: Require approval when a GPL-3.0-only license (incl. via SPDX expression) is detected
enabled: true
rules:
- type: license_finding
branches: []
license_states:
- newly_detected
- detected
licenses:
denied:
- name: "GNU General Public License v3.0 only"
actions:
- type: require_approval
approvals_required: 1
role_approvers:
- owner- On the default branch of the regular project, create a gitlab ci file that ingest cyclone reports, without license expressions, like the following:
gitlab-ci.yml
stages:
- test
license_scanning:
stage: test
image: alpine:latest
script:
- echo "Publishing CycloneDX SBOM as license report"
- cp sbom-source.cdx.json gl-sbom.cdx.json
- cat gl-sbom.cdx.json
artifacts:
reports:
cyclonedx: gl-sbom.cdx.jsonsbom-source.cdx.json
{
"bomFormat": "CycloneDX",
"specVersion": "1.4",
"serialNumber": "urn:uuid:0d2e62cc-b4bd-423e-8817-3a1102f7c3c6",
"version": 1,
"metadata": {
"timestamp": "2026-06-23T00:00:00Z",
"tools": [
{
"vendor": "gitlab",
"name": "manual-test",
"version": "1.0"
}
],
"component": {
"name": "expr-project",
"version": "0.0.1",
"type": "application"
}
},
"components": [
{
"name": "lodash",
"version": "4.17.21",
"type": "library",
"purl": "pkg:npm/lodash@4.17.21",
"bom-ref": "pkg:npm/lodash@4.17.21",
"licenses": [
{
"license": {
"id": "MIT"
}
}
]
}
]
}- Open a MR to against the default branch with a new component that has license expressions:
{
"name": "evil-lib",
"version": "1.0.0",
"type": "library",
"purl": "pkg:npm/evil-lib@1.0.0",
"bom-ref": "pkg:npm/evil-lib@1.0.0",
"licenses": [
{
"expression": "MIT AND GPL-3.0-only"
}
]
}- Expected: There should be a policy violation flaged on the MR widget, license tab under pipeline page and license compliance report. See the screenshots above as an example.
MR acceptance checklist
Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Edited by Oscar Tovar


