Issue created Jan 15, 2020 by Kyle Mann (@kmann), Contributor

Align license compliance `deny` classification outcome with user expectations [parent issue]

Problem to solve

Context: our license compliance feature allows the user to classify detected licenses as allow or deny. When new licenses are detected in a merge request, the results are displayed to the developer (a maintainer may apply or change the classification in the MR). View example MR.

Problem: the deny classification does not actually prevent a license from being merged. The security report displays the license as denied, but the applied policy is not enforced. When a denied license is discovered, the actual outcome does not match the user's expectation that denying a license prohibits it.

📽 view current UX, problem overview, and proposal

Intended users

  • Delaney (Development Team Lead)
  • Sasha (Software Developer)
  • Sam (Security Analyst)

Further details

The License-Check approval feature disallows the MR if a denied license is detected (requires approval to proceed). The user is required to set up this feature in order to disallow denied licenses. It's not explicitly clear to the user they would need to add this feature to enforce disallowing a denied license being merged. Additionally, it causes noise when the desired outcome is a disallowed MR, per denied policy.

Proposal (design ideation)

When a denied license is detected, the merge request is disallowed until the license is removed. This rule is displayed explicitly to the developer so they know what action to take (remove the license).

overview (design mockup)

earlier iteration (design mockups):
  i. developer UX in MR when a denied license is detected
  ii. Applying policy: specifies the outcome
  iii. Key to clarify the policy definition/outcome
  iv. License-Check option to allow approval for denied licenses (future consideration)

Note on i.: only affects licenses that are newly detected

Permissions and Security

...

Documentation

Implementation Plan

frontend (total weight: 9)

With a feature flag:

Prevent MR from being mergeable in UI

Update text copy on license policy tab

Add tooltip and text copy to policy tab

backend (total weight: 10)

Make MR not mergeable if License Compliance has found denied licenses

Allow merge when License-Check approves denied licenses
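To make the proposed rule concrete, here is an added illustration of the mergeability decision described in the proposal and the backend implementation plan: a denied license that is newly introduced by the MR blocks the merge and tells the developer what to remove, and a License-Check approval lifts the block. This is example code written for this issue, not GitLab's implementation; the class names (LicensePolicy, LicenseReport, DeniedLicenseMergeCheck) and the sample license lists are hypothetical.

```ruby
# Added illustration of the proposed deny enforcement; not GitLab's code.
# All class names below are hypothetical.
require 'set'

# Classification policy: license identifier => :allow or :deny.
class LicensePolicy
  def initialize(classifications = {})
    @classifications = classifications.transform_keys(&:downcase)
  end

  def classification_for(license)
    @classifications.fetch(license.downcase, :unclassified)
  end

  def denied?(license)
    classification_for(license) == :deny
  end
end

# Licenses found on the target branch (base) and on the MR branch (head).
LicenseReport = Struct.new(:base_licenses, :head_licenses) do
  # The proposal only affects licenses newly introduced by the MR.
  def newly_detected
    Set.new(head_licenses) - Set.new(base_licenses)
  end
end

# Decision plus a developer-facing message naming the action to take.
CheckResult = Struct.new(:mergeable, :denied_licenses, :message) do
  def mergeable?
    mergeable
  end
end

class DeniedLicenseMergeCheck
  # license_check_approved models an approval granted via the License-Check
  # approval rule, which the plan says should allow the merge to proceed.
  def initialize(policy:, license_check_approved: false)
    @policy = policy
    @license_check_approved = license_check_approved
  end

  def call(report)
    denied = report.newly_detected.to_a.select { |l| @policy.denied?(l) }.sort

    if denied.empty?
      return CheckResult.new(true, [], 'No denied licenses newly detected.')
    end

    if @license_check_approved
      return CheckResult.new(true, denied,
        "Denied license(s) #{denied.join(', ')} approved via License-Check.")
    end

    CheckResult.new(false, denied,
      "Merge blocked: remove dependencies using denied license(s) " \
      "#{denied.join(', ')}, or obtain License-Check approval.")
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: the MR adds an AGPL-3.0 dependency to an MIT-only base.
  policy = LicensePolicy.new('MIT' => :allow, 'AGPL-3.0' => :deny)
  report = LicenseReport.new(['MIT'], ['MIT', 'AGPL-3.0', 'BSD-3-Clause'])
  puts DeniedLicenseMergeCheck.new(policy: policy).call(report).message
end
```

The check deliberately ignores denied licenses that already exist on the target branch, matching the note that the rule only applies to newly detected licenses; enforcing it on pre-existing licenses would block every MR on the project until the dependency is removed.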

Testing

Testing of issues in the related area to be consolidated into SET ticket #220926 (moved)

What does success look like, and how can we measure that?

  • Does the outcome of applying denied classification to a license meet user expectations?
  • When a developer is looking at MR with denied license: do they know what needs to be done to allow the merge to proceed?

What is the type of buyer?

Links / references

Related issue: #12937 (closed)
Related epic: &2328 (closed)

Edited Jun 09, 2020 by Will Meek