GitLab License management
Description
Software nowadays uses a lot of external libraries. It is a hard problem to make sure those libraries do not carry a copyleft license that would cause problems for a company using them without being aware of the true nature of their licenses. The financial and legal risks can be considerable.
We know big corporations have dedicated legal teams to check the licenses of everything they use internally. We want to help those companies by automatically checking all the dependencies of their software and analyzing their licenses.
These automated checks will be performed by a new product, GitLab License Finder.
Proposal
GitLab License Finder checks all your open source dependencies against a license whitelist and notifies you about violations.
GitLab License Finder is based on package managers, such as NPM, Bundler, Composer and PIP.
License violation check in GitLab
Note: the first iteration is based on the license_finder gem we already use at GitLab. This will cover the following languages right out of the box: Ruby, Python, Node.js, Java, "everything covered by Bower" (JS/CSS to some extent), Swift, Objective-C, Erlang, Go. To cover other languages, we will need to iterate on this feature.
- This feature is activated by default on all projects.
- Per project, you can deactivate the feature, and also define a list of licenses your dependencies can not use. The list of licenses can be found here.
- By default a list of unacceptable copyleft licenses is loaded (https://gitlab.com/snippets/1548385).
- On every commit in a MR, we run the license_finder gem to automatically find the license information of the project's external dependencies. We will support all the package managers already supported by this gem.
- If a violation occurs, the MR is blocked and the user has to take action to change their license policy. We show the message "These libraries failed licenses: middleman (MIT), ...".
- If no violation occurs, we display the message "All licenses passed".
- If the merge is attempted through the CLI and we detect that a license violates our list, we display a message through git informing the user that the merge can't happen.
- This feature is only available to instances which are EE Premium.
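The violation check described in the list above, as an added Ruby example that is not part of this proposal or of the license_finder gem: it parses a constructed report in the name,version,licenses column order assumed for license_finder's CSV report, applies a per-project license denylist (DEFAULT_DENYLIST is a stand-in for the default copyleft list, not the real snippet contents), and builds the pass/fail messages the proposal shows in the MR.

```ruby
require 'csv'

# Constructed sample in the shape assumed for `license_finder report --format csv`
# (columns: name, version, licenses). Not output from a real project.
SAMPLE_REPORT = <<~CSV
  middleman,4.2.1,MIT
  some-gpl-lib,1.0.0,GPL-3.0
  rails,5.1.4,MIT
  unknown-thing,0.1.0,unknown
CSV

# Stand-in for the default list of unacceptable copyleft licenses (assumption).
DEFAULT_DENYLIST = %w[GPL-2.0 GPL-3.0 AGPL-3.0 LGPL-3.0].freeze

Dependency = Struct.new(:name, :version, :licenses)

# Turn the CSV report into Dependency records; a dependency may list several
# licenses separated by commas or semicolons inside one quoted field.
def parse_report(csv_text)
  CSV.parse(csv_text).map do |name, version, licenses|
    Dependency.new(name, version, licenses.to_s.split(/\s*[,;]\s*/))
  end
end

# Conservative policy: any denied license flags the dependency, and a
# dependency whose license could not be determined is flagged as well,
# because "unknown" is exactly the case a legal team needs to look at.
def violations(deps, denylist, flag_unknown: true)
  deny = denylist.map(&:downcase)
  deps.select do |d|
    d.licenses.any? { |l| deny.include?(l.downcase) } ||
      (flag_unknown && d.licenses.all? { |l| l.empty? || l.casecmp('unknown').zero? })
  end
end

# The message shown on the MR: blocked with the offending libraries, or passed.
def policy_message(deps, denylist, flag_unknown: true)
  bad = violations(deps, denylist, flag_unknown: flag_unknown)
  return 'All licenses passed' if bad.empty?

  'These libraries failed licenses: ' +
    bad.map { |d| "#{d.name} (#{d.licenses.join('/')})" }.join(', ')
end

puts policy_message(parse_report(SAMPLE_REPORT), DEFAULT_DENYLIST) if __FILE__ == $PROGRAM_NAME
```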
Design
Mockups (images not reproduced here): Settings | License Finder failed | License Finder passed
Links / references
- VersionEye initial issue: https://gitlab.com/gitlab-org/gitlab-ee/issues/744
This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.