Align license compliance `deny` classification outcome with user expectations [parent issue]
Problem to solve
Context: our license compliance feature allows the user to identify licenses with a classification of `deny`. When new licenses are detected in a merge request, the results are displayed to the developer (a maintainer may apply or change the classification in the MR). view example MR
Problem: the classification `deny` does not actually prevent a license from being merged. The license is shown as denied in the security report, but the policy is not enforced. The user expectation for denying a license (prohibiting that specific license) does not match the actual outcome when a denied license is discovered.
The License-Check approval feature disallows the MR if a `denied` license is detected (approval is required to proceed). The user is required to set up this feature in order to disallow `denied` licenses. It is not explicitly clear to the user that they need to add this feature to enforce blocking a denied license from being merged. Additionally, it causes noise when the desired outcome is a disallowed MR, per
Proposal (design ideation)
When a `denied` license is detected, the merge request is disallowed until the license is removed. This rule is displayed explicitly to the developer so they know what action to take (remove the license).
Design mockups:
- i. developer UX in the MR when a denied license is detected (only affects licenses that are newly detected)
- ii. applying the policy: specifies the outcome
- iii. key to clarify the policy definition/outcome
Permissions and Security
frontend (total weight: 9)
With a feature flag:
backend (total weight: 10)
Testing of issues in the related area is to be consolidated into SET ticket #220926 (moved)
What does success look like, and how can we measure that?
- Does the outcome of applying the `denied` classification to a license meet user expectations?
- When a developer is looking at an MR with a `denied` license, do they know what needs to be done to allow the merge to proceed?