Align license compliance `deny` classification outcome with user expectations [parent issue]
Problem to solve
Context: our license compliance feature allows the user to identify licenses with a classification of `allow` or `deny`. When new licenses are detected in a merge request, the results are displayed to the developer (a maintainer may apply or change the classification in the MR). (view example MR)
Problem: the classification `deny` does not actually prevent a license from being merged. The security report shows the license as denied, but nothing enforces the policy. When a user denies a license they expect that license to be prohibited; what actually happens when a denied license is discovered is that the MR remains mergeable.
Intended users
Further details
The `License-Check` approval feature disallows the MR if a `denied` license is detected (approval is required to proceed). The user has to set up this feature separately in order to disallow `denied` licenses. It is not explicitly clear to the user that they need to add this feature to prevent a denied license from being merged. Additionally, it causes noise when the desired outcome is simply a disallowed MR, per the `denied` policy.
Proposal (design ideation)
When a `denied` license is detected, the merge request is disallowed until the license is removed. This rule is displayed explicitly to the developer so they know what action to take (remove the license).
earlier iteration
i. only affects licenses that are newly detected
Permissions and Security
...
Documentation
Implementation Plan
frontend (total weight: 9)
With a feature flag:
- Prevent the MR from being mergeable in the UI
- Update text copy on the license policy tab
- Add tooltip and text copy to the policy tab
backend (total weight: 10)
- Make the MR not mergeable if License Compliance has found `denied` licenses
- Allow the merge when `License-Check` approvers approve the denied licenses
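The rule the implementation plan describes (block the MR on newly detected `denied` licenses, let a `License-Check` approval override the block, ignore licenses already present on the target branch) is small enough to sketch as a pure decision function. The block below is an added illustration, not GitLab's own code; every name in it (`evaluate_merge_request`, the `policy` hash shape, the sample license lists) is hypothetical.

```ruby
# Added illustration (not GitLab's code) of the proposed mergeability rule.
# All names are hypothetical; sample inputs are constructed.

require 'set'

# Classification values from the license compliance policy.
ALLOWED = :allowed
DENIED  = :denied

# policy:         { 'MIT' => :allowed, 'GPL-3.0-only' => :denied, ... }
# base_licenses:  licenses already present on the target branch
# head_licenses:  licenses detected on the MR source branch
# license_check_approved: true once a License-Check approver has approved the MR
#
# Returns { mergeable: true/false, blocking: [license names], message: String }
def evaluate_merge_request(policy:, base_licenses:, head_licenses:, license_check_approved: false)
  # Proposal item i: only newly detected licenses may block the MR, so anything
  # already on the target branch is excluded before the policy is consulted.
  newly_detected = head_licenses.to_set - base_licenses.to_set

  # A license with no classification (policy[name] is nil) is not treated as denied.
  blocking = newly_detected.to_a.select { |name| policy[name] == DENIED }.sort

  if blocking.empty?
    { mergeable: true, blocking: [], message: 'No newly detected denied licenses.' }
  elsif license_check_approved
    { mergeable: true, blocking: blocking,
      message: "Denied license(s) #{blocking.join(', ')} approved via License-Check." }
  else
    # The message names the concrete action the developer must take.
    { mergeable: false, blocking: blocking,
      message: "Merge blocked: remove the denied license(s) #{blocking.join(', ')} " \
               'or obtain License-Check approval.' }
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample policy and MR.
  policy = { 'MIT' => ALLOWED, 'Apache-2.0' => ALLOWED, 'GPL-3.0-only' => DENIED }
  result = evaluate_merge_request(policy: policy,
                                  base_licenses: %w[MIT],
                                  head_licenses: %w[MIT GPL-3.0-only Apache-2.0])
  puts result[:message]
end
```

The two edge cases worth checking against the proposal are a denied license that was already on the target branch (must not block, per item i) and a license with no classification at all (must not block either, since only an explicit `denied` classification is a policy decision).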
Testing
Testing of issues around related area to be consolidated into SET ticket #220926 (moved)
What does success look like, and how can we measure that?
- Does the outcome of applying the `denied` classification to a license meet user expectations?
- When a developer is looking at an MR with a `denied` license, do they know what needs to be done to allow the merge to proceed?
What is the type of buyer?
Links / references
Related issue: #12937 (closed) Related epic: &2328 (closed)