Align license compliance `deny` classification outcome with user expectations [parent issue] (#196845) · Issues · GitLab.org / GitLab

Align license compliance `deny` classification outcome with user expectations [parent issue]

Problem to solve

Context: our license compliance feature allows the user to identify licenses with a classification of allow or deny. When new licenses are detected in a merge request, the results are displayed to the developer (a maintainer may apply or change classification in the MR). view example MR

Problem: the classification deny does not actually deny a license from being merged. It displays that it is denied in the security report, but there is no enforcement of this applied policy. The user expectation for denying a license (prohibiting a specific license) is not the actual outcome when a denied license is discovered.

📽 view current UX, problem overview, and proposal

Intended users

Further details

The License-Check approval feature disallows the MR if a denied license is detected (requires approval to proceed). The user is required to set up this feature in order to disallow denied licenses. It's not explicitly clear to the user they would need to add this feature to enforce disallowing a denied license being merged. Additionally, it causes noise when the desired outcome is a disallowed MR, per denied policy.

Proposal (design ideation)

When a denied license is detected, the merge request is disallowed until the license is removed. This rule is displayed explicitly to the developer so they know what action to take (remove the license).

earlier iteration

i. developer UX in MR when denied license detected	ii. Applying policy: specifies the outcome	iii. Key to clarify the policy definition/outcome	iv. `License-Check` option to allow approval for denied licenses (future consideration)

i. only affects licenses that are newly detected

Permissions and Security

...

Documentation

Implementation Plan

frontend (total weight: 9)

With a feature flag:

Prevent MR from being mergable in UI

Update text copy on license policy tab

Add tooltip and text copy to policy tab

backend (total weight: 10)

Make MR not mergeable if License Compliance has found denied licenses

Allow merge when License-Check approve denied licenses

Testing

Testing of issues around related area to be consolidated into SET ticket #220926

What does success look like, and how can we measure that?

Does the outcome of applying denied classification to a license meet user expectations?
When a developer is looking at MR with denied license: do they know what needs to be done to allow the merge to proceed?

What is the type of buyer?

Links / references

Related issue: #12937 (closed) Related epic: &2328

### Problem to solve

**Context:** our license compliance feature allows the user to identify licenses with a classification of `allow` or `deny`. When new licenses are detected in a merge request, the results are displayed to the developer (a maintainer may apply or change classification in the MR). [view example MR](https://gitlab.com/gitlab-examples/security/security-reports/merge_requests/15)

**Problem:** the classification `deny` does not actually deny a license from being merged. It displays that it is denied in the security report, but there is no enforcement of this applied policy. The user expectation for denying a license (prohibiting a specific license) is not the actual outcome when a denied license is discovered.

:film_projector: [view current UX, problem overview, and proposal ](https://youtu.be/G6bCoTch-3I)

### Intended users

* [Delaney (Development Team Lead)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#delaney-development-team-lead)
* [Sasha (Software Developer)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#sasha-software-developer)
* [Sam (Security Analyst)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#sam-security-analyst)

### Further details

The `License-Check` approval feature disallows the MR if a `denied` license is detected (requires approval to proceed). The user is required to set up this feature in order to disallow `denied` licenses. It's not explicitly clear to the user they would need to add this feature to enforce disallowing a denied license being merged. Additionally, it causes noise when the desired outcome is a disallowed MR, per `denied` policy.
  
### Proposal (design ideation)
When a `denied` license is detected, the merge request is disallowed until the license is removed. This rule is displayed explicitly to the developer so they know what action to take (remove the license).

![overview](/uploads/3b268244c0a2a8af65a8310328181fcf/overview.png)

<details>
<summary>earlier iteration</summary>

| **i.** developer UX in MR when denied license detected | **ii.** Applying policy: specifies the outcome | **iii.** Key to clarify the policy definition/outcome | **iv.** `License-Check` option to allow approval for denied licenses (future consideration) |
| ------ | ------ | ------ | ------ |
| ![1](/uploads/b10f5f73879d793a933383d87685539e/1.png) | ![2](/uploads/b2cc7366aedef571cf226c2d6c046e3a/2.png) | ![3](/uploads/5aefd1523f051a8b6bd4a505345f2d40/3.png) | ![4c](/uploads/ba476d48319f2951f919086569d5494e/4c.png) |

**i.** only affects licenses that are newly detected

</details>

### Permissions and Security

...

### Documentation

### Implementation Plan

~frontend (total weight: 9)

With a feature flag:

[Prevent MR from being mergable in UI](https://gitlab.com/gitlab-org/gitlab/-/issues/214990)

[Update text copy on license policy tab](https://gitlab.com/gitlab-org/gitlab/-/issues/214992)

[Add tooltip and text copy to policy tab](https://gitlab.com/gitlab-org/gitlab/-/issues/214993)

~backend  (total weight: 10)

[Make MR not mergeable if License Compliance has found denied licenses](https://gitlab.com/gitlab-org/gitlab/-/issues/215891)

[Allow merge when `License-Check` approve denied licenses](https://gitlab.com/gitlab-org/gitlab/-/issues/215913)

### Testing

Testing of issues around related area to be consolidated into SET ticket https://gitlab.com/gitlab-org/gitlab/-/issues/220926

### What does success look like, and how can we measure that?

* Does the outcome of applying `denied` classification to a license meet user expectations?
* When a developer is looking at MR with `denied` license: do they know what needs to be done to allow the merge to proceed?

### What is the type of buyer?

### Links / references

Related issue: https://gitlab.com/gitlab-org/gitlab/issues/12937
Related epic: https://gitlab.com/groups/gitlab-org/-/epics/2328

Edited Jun 09, 2020 by Will Meek