Ingest SBOM reports
## Background context and Problems to Solve
Please reference the [parent epic](https://gitlab.com/groups/gitlab-org/-/epics/7886) for context and details. This epic specifically deals with the "SBOM Ingestion" and "Dependency DB" items in this [high level flow diagram](https://gitlab.com/groups/gitlab-org/-/epics/7886#proposed-architecture-high-level-concept).
## Proposal (Requirements)
1. When a GitLab CI pipeline completes, the GitLab backend will look for one or more CycloneDX-formatted artifact files. If one or more files exist, then those files will be parsed and read by the GitLab backend.
1. Because the same dependency might be reported in multiple artifact files, the backend will remove duplicates to store each unique dependency only once. Unique dependencies will be identified by the package name and the version number. Additional information that might differ between artifact files (such as location data) will be preserved.
1. The list of unique dependencies along with the other information from the CycloneDX-formatted artifact file will be stored in the GitLab database and will be associated with the CI pipeline that produced the data. It will be possible to list the SBOM components of a project without parsing through an artifact file.
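
The parse and deduplicate steps above, as an added sketch that is not GitLab's implementation: it reads several CycloneDX JSON artifacts, keeps one record per unique name and version, and preserves which files reported each component. The file names, the `parse_cyclonedx` and `ingest` helpers, and the use of the artifact file name as the location data are assumptions made for illustration.

```ruby
require 'json'

# Constructed sample artifacts (file name => contents); not real pipeline output.
SAMPLE_ARTIFACTS = {
  'npm.cdx.json' => '{"bomFormat":"CycloneDX","specVersion":"1.4","components":[' \
    '{"type":"library","name":"lodash","version":"4.17.21"},' \
    '{"type":"library","name":"express","version":"4.18.2"}]}',
  'yarn.cdx.json' => '{"bomFormat":"CycloneDX","specVersion":"1.4","components":[' \
    '{"type":"library","name":"lodash","version":"4.17.21"},' \
    '{"type":"library","name":"lodash","version":"3.10.1"},' \
    '{"type":"library","name":"left-pad"}]}',
  'broken.cdx.json' => '{"bomFormat":"CycloneDX","components":[',
  'other.json' => '{"bomFormat":"SPDX","components":[]}'
}.freeze

# Artifacts are written by CI jobs, so treat them as untrusted input:
# return the component list, or nil if the file is not usable CycloneDX JSON.
def parse_cyclonedx(raw)
  doc = JSON.parse(raw)
  return nil unless doc.is_a?(Hash) && doc['bomFormat'] == 'CycloneDX'
  components = doc.fetch('components', [])
  components.is_a?(Array) ? components : nil
rescue JSON::ParserError
  nil
end

# Merge all artifacts into one record per unique (name, version) pair,
# keeping every file that reported the component (assumed location data).
def ingest(artifacts)
  unique = {}
  rejected = []
  artifacts.each do |file, raw|
    components = parse_cyclonedx(raw)
    if components.nil?
      rejected << file
      next
    end
    components.each do |c|
      # Skip entries that cannot form the (name, version) identity key.
      next unless c.is_a?(Hash) && c['name'].is_a?(String) && c['version'].is_a?(String)
      key = [c['name'], c['version']]
      entry = unique[key] ||= { name: c['name'], version: c['version'], locations: [] }
      entry[:locations] << file unless entry[:locations].include?(file)
    end
  end
  { components: unique.values, rejected: rejected }
end
```

Calling `ingest(SAMPLE_ARTIFACTS)` returns the deduplicated components together with the list of artifact files that were rejected, so a malformed file does not abort ingestion of the others.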