What does this MR do and why?

Adds the GraphQL disassociating mutation for the Maven virtual registry upstreams.

References

#590248

Screenshots or screen recordings

How to set up and validate locally

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Radamanthus Batnag (b6c9a76d) at 19 Mar 08:10

... and 1 more commit

Radamanthus Batnag (33481450) at 19 Mar 08:05

... and 2 more commits

Radamanthus Batnag (6bf1caad) at 19 Mar 06:56

@kiran-4444 Apologies, I see that the commits have been updated and squashed, but it looks like there is still a merge conflict and it is blocking a rebase.

Can you go through the Resolve locally steps to address the merge conflict? Thanks!

Thanks @kiran-4444 ! Happy to approve 👍 🚀

But I don't see any changes when I try to update the openapi ymls. That's ok, I guess only a rebase was needed to address the conflict.

What does this MR do and why?

This MR is a part of the discussion here. This MR deals with the package creation services and background worker for Cargo Registry MVC.

How to Verify Locally?

project = Project.first
user = User.first

name = 'my-crate'
version = '1.2.3'
sha256 = 'a' * 64
md5 = '567'
index_content = { name: name, vers: version, deps: [], cksum: "abcde123456" }

# The file named 'bananas.txt' should exist
content = UploadedFile.new('bananas.txt', filename: 'bananas.txt')

params = { name: name, version: version, index_content: index_content, content: content, file_sha25
6: sha256, file_md5: md5 }.with_indifferent_access

Packages::Cargo::CreatePackageService.new(project, user, params).execute

💾 Database Review

TRANSACTION (0.2ms)
BEGIN
    Packages::Cargo::Metadatum EXISTS ? (1.0ms
)
SELECT
    1 AS one
FROM
    "packages_cargo_metadata"
WHERE
    "packages_cargo_metadata"."project_id" = 1
        AND "packages_cargo_metadata"."normalized_name" = 'test-crate-2'
        AND "packages_cargo_metadata"."normalized_version" = '1.0.0'
    LIMIT 1
    /*application:console,db_config_database:gitlabhq_development,db_config_name:main,console_hostname:gdk.local,console_username:gdk,line:(pry):5:in `__pry__'*/
    Packages::Cargo::Metadatum CREATE (
        0.9ms)
INSERT INTO "packages_cargo_metadata" (
    "package_id", "index_content", "project_id", "normalized_name", "normalized_version", "created_at", "updated_at")
    VALUES (
        29, '{"name":"test-crate-2","vers":"1.0.0","deps":[],"cksum":"abc123"}', 1, 'test-crate-2', '1.0.0', '2025-11-03 10:55:47.919856', '2025-11-03 10:55:47.919856')
RETURNING
    "package_id"
    /*application:console,db_config_database:gitlabhq_development,db_config_name:main,console_hostname:gdk.local,console_username:gdk,line:(pry):5:in `__pry__'*/
    TRANSACTION (
        0.2ms)
    COMMIT

@mfanGitLab Could you do the maintainer review for devopsverify?

Thanks @zmartins !

backend LGTM, happy to approve 👍 🚀

What does this MR do and why?

Add files into sbom sources model and into the parser.

Parser

> pipeline.sbom_reports.reports.map(&:source)
=> [#<Gitlab::Ci::Reports::Sbom::Source:0x000000014445afc0
  @data=
   {"input_file"=>{"path"=>"subdir1/Gemfile.lock"},
    "package_manager"=>{"name"=>"bundler"},
    "files"=>
     [{"path"=>"subdir1/Gemfile", "type"=>"requirements", "in_repository"=>true},
      {"path"=>"subdir1/Gemfile.lock", "type"=>"lockfile", "in_repository"=>true}]},
  @source_type=:dependency_scanning>]

Model

> project.sbom_occurrences.first.source
=> #<Sbom::Source:0x0000000138bf0b60
 id: 934,
 created_at: "2026-03-07 00:52:17.621019000 +0000",
 updated_at: "2026-03-07 00:52:17.621019000 +0000",
 source_type: "dependency_scanning",
 source:
  {"files"=>[{"path"=>"subdir1/Gemfile", "type"=>"requirements", "in_repository"=>true}, {"path"=>"subdir1/Gemfile.lock", "type"=>"lockfile", "in_repository"=>true}], "input_file"=>{"path"=>"subdir1/Gemfile.lock"}, "package_manager"=>{"name"=>"bundler"}},
 organization_id: 1>

References

Related to #592107

Screenshots or screen recordings

How to set up and validate locally

1. Create a project with the following files:

.gitlab-ci.yml:

dependency_scanning:
  stage: test
  script:
    - echo "ingestion job"
  artifacts:
    access: 'developer'
    reports:
      cyclonedx: gl-sbom.cdx.json

gl-sbom.cdx.json: gl-sbom.cdx.json

2. Make sure that a pipeline is run for the default branch.

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Thanks for testing, @fmccawley !

This is also counter-intuitive to me. I had to dig into the curl man pages. 😃

• curl -f -> returns exit code 22
• curl -> no -f -> returns exit code 0 even on HTTP 4xx/5xx - A "no errors" result, because it made the request and delivered the response

Claude lectured me on this 😅 curl's job is to transfer data and a 4xx/5xx response is still a successful data transfer!

Thanks @zmartins !

✅ Worked as expected on local testing - pipeline ran without errors.

I left some small suggestions for the code and the specs. Let me know what you think.

The context name suggests a name guard but we do not have one, and the component is actually getting skipped by the type guard:

next unless VALID_FILE_TYPES.include?(file_props['type'])

We can update the test input here to include a valid type property.

          'components' => [
            { 
              'type' => 'file', 
              'bom-ref' => 'file:unnamed',
              'properties' => [
                { 'name' => 'gitlab:dependency_scanning:file:type', 'value' => 'lockfile' }
              ]   
            }
          ]

The spec will fail with this suggestion - see the suggestion in ee/lib/gitlab/ci/parsers/sbom/cyclonedx_metadata_component.rb.

Should we add a guard here to catch a nil comp['name']? (🤔 Actually the line is a better fit before or after line 38).

next unless comp['name'].present?

Without a guard, .compact will strip the path key which will which will cause a silent schema validation failure downstream.

Does it make sense to add a spec for this in source_spec.rb? Similar to the name length check we have in ee/spec/models/security/orchestration_policy_configuration_spec.rb

What does this MR do and why?

Adds the GraphQL disassociating mutation for the Maven virtual registry upstreams.

References

#590248

Screenshots or screen recordings

How to set up and validate locally

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Thanks @fmccawley ! 🙇

I added a commit to address the undercoverage.

As for the unexpected 404, I realized the mistake is on my end - sorry!

My GDK setup: 127.0.0.1 gdk.test registry.test

Very likely your GDK setup: 172.16.123.1 gdk.test registry.test with listen_address: 172.16.123.1

Requests reach GDK from 172.16.123.1, not 127.0.0.1. The instructions say to restrict the group to 127.0.0.1/32, so when the developer user (non-admin) makes a request, their IP (172.16.123.1) is outside the allowlist and GitLab returns 404 Project Not Found.

I updated the instructions for creating the IP restriction.

Radamanthus Batnag (77abb088) at 18 Mar 03:42

Thanks @harvie @Andyschoenen ! Re-approving 🚀