Add license list to "Security and Compliance" nav section
Problem to solve
There isn't a license list visible to project users. The dependency list will show licenses that a dependency has (#10536 (closed)), but it is also beneficial to show licenses individually (with affiliated components).
Further context: currently, licenses may be marked blacklisted or approved by a maintainer/owner in settings > CI/CD > License Management. If a license was marked blacklisted, a project participant would only become aware of it when they commit a dependency carrying that license and it is newly detected in the merge request (see another issue: #13489). Other than the MR, users have no visibility into which licenses are present (viewed by license) and what classifications they have (if any).
Benefits to the user:
- Brings visibility to the licenses detected in the project for all project participants
- Identifying where licenses (and affiliated dependencies) exist. If the user needs to remove dependencies, this could help them find them.
This issue contributes as a step toward the vision:
- Internal auditing and record-keeping for compliance users
- Display license policies to all participants, such as blacklist/approved (https://gitlab.com/gitlab-org/gitlab-ee/issues/12941)
- User ability to share the list with others (https://gitlab.com/gitlab-org/gitlab-ee/issues/13995)
Design notes (one entry per mockup):
- Info architecture: Add license list - information architecture, list accessible in the nav menu (https://gitlab.com/gitlab-org/gitlab-ee/issues/12250)
- List view: MVC displays licenses that exist in a project. Anchor license name to documentation URL and
- View component: Flow: user clicking the component link in the table or "X more" (using the https://gitlab.com/gitlab-org/gitlab-ee/issues/10536 pattern implemented by @dpisek). The title in the modal displays the name of the license.
- Latest pipeline: Text displays the latest default-branch pipeline that succeeded, by time; the timestamp follows the common pattern, with the full timestamp displayed on hover.
- Visual: Note the subtext under the header, which aims to clarify to the user what data is being shown and when it is updated ("latest pipeline" anchors to the pipeline page). Similar helper text and link are being added to the dependency list in #12190 (closed).
- Empty state: Empty state display, shown when the feature is not set up or no license was discovered. The button links to the license compliance documentation page; other issues addressing this: #13992 (closed) and #12685 (closed). The visual image above the text is the same as used on the dependency list empty state page.
- Component link issue: There is an issue with displaying component links, as the license list and the dependency list differ in configuration and supported languages. In these cases, some components will not have links (display as non-anchored text) and may not have component information at all (display
Permissions and Security
All project participants may view the license list (https://gitlab.com/gitlab-org/gitlab-ee/issues/13247#note_204445041).
What does success look like, and how can we measure that?
- User is able to find and discover the license list
- User is able to identify affiliated dependencies with the license
Updated: testing in progress: ux-research#360 (closed)
What is the type of buyer?
- Permissions for the page
- License scanning report and present information in the eligible format.
- Create an endpoint that responds with the needed data.
- Add new page in docs
- Add mention of this page on https://docs.gitlab.com/ee/user/application_security/license_compliance/index.html
- Update permission list with new permissions
- Set up Rails route, controller and view with feature flag and permissions check
- Add license list
- Make row links clickable (open modal for components, link to license when clicking name)
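The core of the list-building step above, grouping the scanner's dependency-centric output by license, attaching the maintainer's classification, falling back to plain text for components without a link and applying the "X more" pattern, as an added illustration in Ruby. This is not GitLab's code: the report shape, field names and policy values are constructed for the example.

```ruby
require 'json'

# Constructed sample report (illustrative shape, not GitLab's real schema):
# the scanner reports dependencies, each carrying zero or more license ids.
SAMPLE_REPORT = <<~JSON
  {
    "licenses": [
      {"id": "MIT", "name": "MIT License", "url": "https://opensource.org/licenses/MIT"},
      {"id": "GPL-3.0", "name": "GNU GPL v3", "url": "https://www.gnu.org/licenses/gpl-3.0.html"}
    ],
    "dependencies": [
      {"name": "rails", "url": "https://rubygems.org/gems/rails", "licenses": ["MIT"]},
      {"name": "nokogiri", "url": "https://rubygems.org/gems/nokogiri", "licenses": ["MIT"]},
      {"name": "internal-tool", "url": null, "licenses": ["GPL-3.0", "MIT"]}
    ]
  }
JSON

# Classifications a maintainer set under settings > CI/CD > License Management
# (constructed values; a license absent from this map has no classification).
POLICIES = { 'GPL-3.0' => 'blacklisted', 'MIT' => 'approved' }.freeze

# Invert the dependency-centric report into the license-centric list the issue
# asks for: one row per detected license with its affiliated components.
def build_license_list(report_json, policies = POLICIES)
  report = JSON.parse(report_json)
  meta = report.fetch('licenses', []).to_h { |l| [l['id'], l] }
  rows = {}
  report.fetch('dependencies', []).each do |dep|
    dep.fetch('licenses', []).each do |id|
      row = rows[id] ||= {
        id: id,
        name: meta.dig(id, 'name') || id,   # fall back to the id if the scanner gave no name
        url: meta.dig(id, 'url'),            # license name anchors to this documentation URL
        classification: policies[id],
        components: []
      }
      # A component without a URL is rendered as plain text instead of a link.
      row[:components] << { name: dep['name'], url: dep['url'] }
    end
  end
  rows.values.sort_by { |r| r[:name] }  # an empty result means: render the empty state
end
# Components cell with the "X more" pattern borrowed from the dependency list.
def component_cell(components, visible: 1)
  shown = components.first(visible).map { |c| c[:url] ? "[#{c[:name]}](#{c[:url]})" : c[:name] }
  rest = components.size - shown.size
  rest.positive? ? "#{shown.join(', ')} and #{rest} more" : shown.join(', ')
end
```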
Links / references
Follow up issues:
- UX baseline recommendation epic reference: &1618