Merge branch...

Merge branch 'alan-prevent-container-scanning-sbom-to-be-treated-as-source-for-license-scanning-rules' into 'master' 

Prevent CS SBOM to be parsed as ready for License Scanning rules

See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/158831



Merged-by: Allen Cook <acook@gitlab.com>
Approved-by: Olivier Gonzalez <ogonzalez@gitlab.com>
Approved-by: Allen Cook <acook@gitlab.com>
Co-authored-by: Alan (Maciej) Paruszewski <mparuszewski@gitlab.com>

ee/lib/gitlab/license_scanning/pipeline_components.rb

@@ -11,6 +11,7 @@ def fetch
         pipeline.sbom_reports.reports.flat_map do |sbom_report|
           sbom_report.components.map do |component|
             next unless component.purl
+            next unless supported_for_license_scanning?(component.purl.type)
 
             Hashie::Mash.new(name: component.name, purl_type: component.purl.type,
               version: component.version, path: sbom_report.source&.input_file_path)
@@ -21,6 +22,10 @@ def fetch
       private
 
       attr_reader :pipeline
+
+      def supported_for_license_scanning?(purl_type)
+        ::Enums::Sbom.dependency_scanning_purl_type?(purl_type)
+      end
     end
   end
 end

ee/spec/lib/gitlab/license_scanning/pipeline_components_spec.rb

@@ -10,6 +10,14 @@
     context 'when the pipeline has an sbom report' do
       let_it_be(:pipeline) { create(:ee_ci_pipeline, :with_cyclonedx_report, project: project) }
 
+      context 'and sbom components are not supported by license scanning' do
+        let_it_be(:pipeline) { create(:ee_ci_pipeline, :with_cyclonedx_container_scanning, project: project) }
+
+        it 'returns an empty list' do
+          expect(fetch).to be_empty
+        end
+      end
+
       context 'and some of the sbom components do not have purl values' do
         it 'returns a list with the expected size' do
           expected_number_of_components = pipeline.sbom_reports.reports.sum do |report|