License Compliance Approvals in Merge Request MVC - disallow merging with blacklisted licenses
Problem to solve
Currently, the license compliance section in the merge request widget only displays newly detected licenses (blacklisted, approved, unclassified). A merge request that introduces a blacklisted license can still be merged without any permission or notification. We need to disallow merging when a blacklisted license is newly committed/detected in a merge request.
Smaller to mid-size orgs
- Software Asset Manager (wiki) or user responsible for license compliance
License compliance user job to be done
- User who may be adding licenses via commit: "When my organization has license compliance rules to follow I want to be able to whitelist or blacklist licenses so that I can ensure any new code merged in a project is in compliance". gitlab-design#402 (closed)
- User that is accountable for compliance: "When new licenses are added to a project I want to be aware so I can commit work that is compliant with my organization's rules". gitlab-design#402 (closed)
We are leveraging the approvers group feature to disallow an MR that detects a newly introduced blacklisted license (similar to #9928 (closed)). This is for users that are accountable for license compliance (currently only a project Maintainer can change License Management settings).
1. User blacklists a specific license in the license compliance area, which is currently in Project Settings > CI/CD > License Management (example: https://gitlab.com/gitlab-examples/security/security-reports/-/settings/ci_cd). Note: this assumes that the feature has been configured correctly, there is a UX issue here: #12685
4. Once the License-Check is active, here is how it'd look in the MR widget (approvals section):

| MR widget state | Tooltip |
| --- | --- |
| Blacklisted licenses are detected, approval required | Hover on |
| Approval not required (no newly detected blacklisted license) | |
frontend note: add tooltip for
5. The license detection section in the MR, when one or more blacklisted licenses are found: additional info text states "approval required", with a ? help icon as seen in 5b, that helps the user understand why the MR is blocked.
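The decision the widget has to make in steps 4 and 5 hinges on one detail: a blacklisted license only requires approval when the merge request *introduces* it, not when the target branch already contains it. The following Ruby snippet is an added illustration of that rule and is not GitLab's own implementation; the policy hash, the license names and the two "reports" are constructed sample data, and the function and struct names are assumptions made for the example.

```ruby
require 'set'

# Added example (not GitLab's code): model the License-Check decision.
# A blacklisted license requires approval only when it appears in the
# source branch's license report but not in the target branch's report.

# Constructed policy, as a Maintainer would configure it under
# Settings > CI/CD > License Management. Anything not listed is unclassified.
POLICY = {
  'MIT'        => :approved,
  'Apache-2.0' => :approved,
  'GPL-3.0'    => :blacklisted,
  'AGPL-3.0'   => :blacklisted
}.freeze

def classify(license, policy = POLICY)
  policy.fetch(license, :unclassified)
end

# Licenses present in the head (source) report but absent from the base
# (target) report are the "newly detected" ones shown in the MR widget.
def newly_detected(base_licenses, head_licenses)
  head_licenses.to_set - base_licenses.to_set
end

# Result of the check, with the widget text the issue describes.
LicenseCheck = Struct.new(:new_licenses, :blacklisted_new, :approval_required) do
  def status_text
    if approval_required
      'Blacklisted licenses are detected, approval required'
    else
      'Approval not required (no newly detected blacklisted license)'
    end
  end
end

def license_check(base_licenses, head_licenses, policy = POLICY)
  fresh = newly_detected(base_licenses, head_licenses)
  blacklisted = fresh.select { |l| classify(l, policy) == :blacklisted }.to_set
  LicenseCheck.new(fresh, blacklisted, !blacklisted.empty?)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed reports: the target branch already ships GPL-3.0, which is
  # blacklisted but pre-existing and therefore does not block on its own;
  # the MR adds AGPL-3.0 (blocks) and BSD-3-Clause (unclassified, no block).
  base = %w[MIT GPL-3.0]
  head = %w[MIT GPL-3.0 AGPL-3.0 BSD-3-Clause]
  result = license_check(base, head)
  puts result.status_text
  result.new_licenses.sort.each { |l| puts "  #{l}: #{classify(l)}" }
end
```

Note that GPL-3.0 in the sample does not trigger the rule even though it is blacklisted, because it was already on the target branch; only AGPL-3.0, introduced by the MR, makes approval required. Whether pre-existing blacklisted licenses should also be surfaced is a separate UX question from the "newly detected" behaviour this issue specifies.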
Permissions and Security
- Security approvals backend implementation video walkthrough
What does success look like, and how can we measure that?
What is the type of buyer?
Links / references
- #9928 (closed)
- #9928 (comment 190385002)
- To see what our current baseline license compliance UX looks like, see the following issues:
- Add "License-Check" approval rule to backend code to enforce policy
- Display "approval required" status in the MR, when rule is not satisfied
- Add License-Check approval rule to the list of approvers in the MR.
- Display tooltip and help icon when "License-Check" approval rule is added in Settings > General.
- Add the proper documentation/user guides to use this new feature.
- Ensure new code is behind a feature flag.