GitLab License Finder
Software nowadays uses a lot of external libraries. It is a hard problem to make sure those libraries do not carry a copyleft license that would cause problems for a company using them without being aware of the true nature of their licenses. The financial and legal risks can be significant.
We know big corporations have dedicated legal teams to check the licenses of everything they use internally. We want to help those companies by automatically checking all the dependencies their software has and analyzing their licenses.
These automated checks will be performed by a new product, GitLab License Finder.
GitLab License Finder checks all your open source dependencies against a license whitelist and notifies you about violations.
GitLab License Finder is based on package managers, like NPM, Bundler, Composer, PIP.
License violation check in GitLab
Note: the first iteration is based on the license_finder gem we already use at GitLab. This covers the following languages right out of the box: Ruby, Python, Node.js, Java, "everything covered by Bower" (JS/CSS to some extent), Swift, Objective-C, Erlang, Go. To cover other languages, we will need to iterate on this feature.
- This feature is activated by default on all projects.
- Per project, you can deactivate the feature, and also define a list of licenses your dependencies cannot use. The list of licenses can be found here.
- By default a list of unacceptable copyleft licenses is loaded (https://gitlab.com/snippets/1548385)
On every commit in an MR, we run the license_finder gem to automatically find license information for the project's external dependencies. We will support all the package managers already supported by this gem.
If a violation occurs, the MR is blocked and the user has to take action or change their license policy. We show a message:
These libraries failed licenses: middleman (MIT), ...
If no violation occurs, we display a message:
All licenses passed
- If the merge is attempted through the CLI and we detect a dependency license that violates our list, we display a message through git informing the user that the merge can't happen.
- This feature is only available to instances which are EE Premium
Screenshots: Settings; License Finder passed; License Finder failed
Links / references
- VersionEye initial issue: #744 (closed)