diff --git a/ee/lib/gitlab/license_scanning/pipeline_components.rb b/ee/lib/gitlab/license_scanning/pipeline_components.rb
index 518fc25f323c0802639b455dfa962e85b73c795b..8144a96f1be3f6b75e680fd9536f11d18aa8d5f0 100644
--- a/ee/lib/gitlab/license_scanning/pipeline_components.rb
+++ b/ee/lib/gitlab/license_scanning/pipeline_components.rb
@@ -11,6 +11,7 @@ def fetch
 pipeline.sbom_reports.reports.flat_map do |sbom_report|
 sbom_report.components.map do |component|
 next unless component.purl
+ next unless supported_for_license_scanning?(component.purl.type)
 Hashie::Mash.new(name: component.name, purl_type: component.purl.type, version: component.version, path: sbom_report.source&.input_file_path)
@@ -21,6 +22,10 @@ def fetch
 private
 attr_reader :pipeline
+
+ def supported_for_license_scanning?(purl_type)
+ ::Enums::Sbom.dependency_scanning_purl_type?(purl_type)
+ end
 end
 end
 end
diff --git a/ee/spec/lib/gitlab/license_scanning/pipeline_components_spec.rb b/ee/spec/lib/gitlab/license_scanning/pipeline_components_spec.rb
index bfa2b8ec6c931e8f1716c167697bbebb63a869aa..d870e1b0efa8eff0aaca54fbb810315ef0fea1ae 100644
--- a/ee/spec/lib/gitlab/license_scanning/pipeline_components_spec.rb
+++ b/ee/spec/lib/gitlab/license_scanning/pipeline_components_spec.rb
@@ -10,6 +10,14 @@ context 'when the pipeline has an sbom report' do
 let_it_be(:pipeline) { create(:ee_ci_pipeline, :with_cyclonedx_report, project: project) }
+ context 'and sbom components are not supported by license scanning' do
+ let_it_be(:pipeline) { create(:ee_ci_pipeline, :with_cyclonedx_container_scanning, project: project) }
+
+ it 'returns an empty list' do
+ expect(fetch).to be_empty
+ end
+ end
+
 context 'and some of the sbom components do not have purl values' do
 it 'returns a list with the expected size' do
 expected_number_of_components = pipeline.sbom_reports.reports.sum do |report|
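Review bot: The new guard `next unless supported_for_license_scanning?(component.purl.type)` ties the set of components license scanning processes to `::Enums::Sbom.dependency_scanning_purl_type?`, but neither this call site nor the private helper added in the second hunk of the same file says why dependency scanning's purl-type list is the right allowlist for license scanning, so the two can drift apart without anyone noticing. A comment above `def supported_for_license_scanning?(purl_type)` along the lines of `# License scanning reuses the dependency-scanning purl-type allowlist; components of any other purl type are excluded from the result and must be added there if license scanning should cover them.` would record that decision. Like the existing `next unless component.purl`, the new guard runs inside `map` and so leaves a `nil` in the array for every skipped component; `fetch` continues past the hunk, so presumably the result is compacted there (the new spec's `be_empty` expectation would not hold otherwise), but that is worth confirming, and `filter_map` on the inner block would make the skip explicit without relying on it.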