
Add license list to "Security and Compliance" nav section

Problem to solve

There isn't a license list visible to project users. The dependency list will show licenses that a dependency has (#10536 (closed)), but it is also beneficial to show licenses individually (with affiliated components).

Further context: currently, licenses may be marked blacklisted or approved by a maintainer/owner in Settings > CI/CD > License Management. If a license was marked blacklisted, a project participant would only become aware of it if they commit a change that introduces that license and it is newly detected in the merge request (see another issue: #13489 (closed)). Other than the MR, there is no visibility for users into which licenses are present (viewed by license) and what classifications they have (if any).

Intended users

Further details

Benefits to the user:
  • Brings visibility to licenses detected in the project for all project participants
  • Identifies where licenses (and affiliated dependencies) exist. If the user needs to remove dependencies, this could help them find them.
Issue contributes as a step toward vision:

Proposal

Info architecture [image: ia]
  Add license list - information architecture, list accessible in the nav menu (https://gitlab.com/gitlab-org/gitlab-ee/issues/12250)
List view [image: 1]
  MVC displays the licenses that exist in a project. The license name anchors to the license's documentation URL, and a ? icon by the header anchors to the license compliance documentation (both open in a new browser window).
View component [image: 2]
  Flow: the user clicks the component link in the table or "X more" (using the https://gitlab.com/gitlab-org/gitlab-ee/issues/10536 pattern implemented by @dpisek). The title in the modal displays the name of the license.
Latest pipeline [image: 4b]
  Text displays the most recent successful default-branch pipeline; the timestamp follows the common pattern, with the full timestamp shown on hover.
Visual [image: 3]
  Note the subtext under the header, which aims to clarify to the user what data is being shown and when it is updated ("latest pipeline" anchors to the pipeline page). Similar helper text and link are being added to the dependency list in #12190 (closed).
Empty state [image: 0]
  The empty state is displayed when the feature is not set up or no license has been discovered. The button links to the license compliance documentation page; other issues addressing this: #13992 (closed) and #12685 (closed). The visual image above the text is the same as used on the dependency list empty state page.
Component link issue [image: noanchor]
  There is an issue with displaying component links, as the license list and the dependency list differ in configuration and supported languages. In these cases, some components will not have links (displayed as non-anchored text) and may not have component information at all (displayed as -).

📐 Front-end spec

🗓 Follow up issue: https://gitlab.com/gitlab-org/gitlab-ee/issues/12941

Permissions and Security

All project participants may view the license list (https://gitlab.com/gitlab-org/gitlab-ee/issues/13247#note_204445041).

Documentation

https://docs.gitlab.com/ee/user/application_security/license_compliance/index.html

Testing

TODO

What does success look like, and how can we measure that?

  • User is able to find and discover the license list
  • User is able to identify affiliated dependencies with the license

Updated: testing in progress: ux-research#360 (closed)

What is the type of buyer?

Ultimate

Implementation plan

Backend #14732 (closed)
  1. Permissions for the page
  2. Parse the License scanning report and present the information in the eligible format.
  3. Create an endpoint that responds with the needed data.
Frontend
  1. Add new page in docs
  2. Add mention of this page on https://docs.gitlab.com/ee/user/application_security/license_compliance/index.html
  3. Update permission list with new permissions
Bootstrap Vue App #33012 (closed)
  1. Set up Rails route, controller, and view with feature flag and permissions check
Add license list, modals, and links #33606 (closed)
  1. Add license list
  2. Make row links clickable (open a modal for components; link to the license when clicking the name)
Documentation #14733 (closed)
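As an added illustration of backend steps 2 and 3 (parse the report, then serve data the list can render), the Ruby below groups the dependencies of a license scanning report by license, attaches the maintainer's classification, and surfaces any blacklisted license that is actually present. This is example code written for this issue, not GitLab's implementation. The report layout (a "licenses" array keyed by id plus a "dependencies" array referencing those ids), the sample report, and the SAMPLE_POLICY classification map are all constructed assumptions; a license without a URL is returned with url nil so the view can render it as non-anchored text, matching the component link caveat above.

```ruby
require 'json'

# Constructed sample license scanning report. The layout below is an assumption
# made for this example, not a statement of GitLab's actual report schema.
SAMPLE_REPORT = <<~JSON
  {
    "version": "2.0",
    "licenses": [
      {"id": "MIT", "name": "MIT License", "url": "https://opensource.org/licenses/MIT"},
      {"id": "GPL-3.0", "name": "GNU General Public License v3.0", "url": "https://www.gnu.org/licenses/gpl-3.0.html"},
      {"id": "unknown", "name": "unknown", "url": ""}
    ],
    "dependencies": [
      {"name": "left-pad", "version": "1.3.0", "package_manager": "npm", "path": "package.json", "licenses": ["MIT"]},
      {"name": "readline", "version": "8.0", "package_manager": "apt", "path": "", "licenses": ["GPL-3.0"]},
      {"name": "mystery-lib", "version": "0.1.0", "package_manager": "npm", "path": "package.json", "licenses": ["unknown"]}
    ]
  }
JSON

# Constructed project policy, standing in for the classifications a maintainer
# sets under Settings > CI/CD > License Management. Licenses absent from the
# map are reported as 'unclassified'.
SAMPLE_POLICY = { 'MIT' => 'approved', 'GPL-3.0' => 'blacklisted' }.freeze

# Build the rows a license list endpoint would return: one row per license,
# with its classification and the names of the dependencies that carry it.
def build_license_list(report_json, policy)
  report = JSON.parse(report_json)

  # Invert the dependency -> licenses relation into license -> dependencies.
  deps_by_license = Hash.new { |h, k| h[k] = [] }
  report.fetch('dependencies', []).each do |dep|
    dep.fetch('licenses', []).each { |id| deps_by_license[id] << dep['name'] }
  end

  rows = report.fetch('licenses', []).map do |lic|
    id = lic['id']
    url = lic['url'].to_s
    {
      id: id,
      name: lic['name'],
      url: url.empty? ? nil : url,             # nil => render the name without an anchor
      classification: policy.fetch(id, 'unclassified'),
      dependencies: deps_by_license[id].sort,
      dependency_count: deps_by_license[id].size
    }
  end

  rows.sort_by { |row| row[:name].downcase }
end

# Licenses a viewer should be warned about: blacklisted by policy and carried
# by at least one dependency in the project.
def blacklisted_licenses(rows)
  rows
    .select { |r| r[:classification] == 'blacklisted' && r[:dependency_count] > 0 }
    .map { |r| r[:id] }
end

if __FILE__ == $PROGRAM_NAME
  rows = build_license_list(SAMPLE_REPORT, SAMPLE_POLICY)
  rows.each do |r|
    puts format('%-32s %-13s %s', r[:name], r[:classification], r[:dependencies].join(', '))
  end
  puts "Blacklisted licenses present: #{blacklisted_licenses(rows).join(', ')}"
end
```

Run it with `ruby license_list.rb`; the rows are what a JSON endpoint for the list view would serialise, and the blacklisted set is the data the "visibility outside the MR" goal of this issue needs.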

Links / references

Follow up issues:
Related:

Product Management - @NicoleSchwartz

Edited by Nicole Schwartz