Maven: Detect software licenses for dependencies sourced from a custom public repository
Problem to solve
Detect software licenses associated with dependencies declared in a pom.xml that is sourced from a public maven repository. This specific issue will focus on pulling packages from this custom repository and will skip authentication.
Intended users
Personas are described at https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/
Further details
This change allows the retrieval of maven dependencies from non-standard sources.
If a user enables the GitLab Maven Repository, this could be included as a default source for pulling maven packages. No additional work should need to take place for users.
If a user chooses to fetch maven packages from a custom public maven repository, they can check a settings.xml file into the git repository. This file can include custom repositories and can be used during the license scanning step by specifying the MAVEN_CLI_OPTS environment variable.
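The following is an added example of such a checked-in settings file, not a file from the issue or from the license scanning project; the repository id and the URL maven.example.com are placeholders. It declares one custom public repository inside a profile and activates that profile, so that Maven consults it when resolving the dependencies listed in pom.xml:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- .gitlab/maven-settings.xml: constructed example, not part of the issue.
     Repository id and URL below are placeholders. -->
<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0
                              https://maven.apache.org/xsd/settings-1.0.0.xsd">
  <profiles>
    <profile>
      <id>custom-public-repo</id>
      <repositories>
        <repository>
          <id>custom-public</id>
          <!-- Placeholder: replace with the real public repository URL.
               Keep it https so artifacts cannot be altered in transit. -->
          <url>https://maven.example.com/repository/public/</url>
          <releases>
            <enabled>true</enabled>
          </releases>
          <snapshots>
            <enabled>false</enabled>
          </snapshots>
        </repository>
      </repositories>
    </profile>
  </profiles>
  <!-- A profile declared in settings.xml is only used when it is active. -->
  <activeProfiles>
    <activeProfile>custom-public-repo</activeProfile>
  </activeProfiles>
</settings>
```

To use it during the scan, set MAVEN_CLI_OPTS to "-s .gitlab/maven-settings.xml" in the CI job. Note that Maven's -s flag replaces the user settings file rather than merging with it, so any repository that the image's default $HOME/.m2/settings.xml would have provided must be declared again in this file if it is still needed. Maven Central is always present through the super POM, so it does not need to be listed.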
Proposal
- Add gitlab project to the list of default maven sources installed in $HOME/.m2/settings.xml in the license scanning image. details
- Allow projects to specify a custom settings.xml to override the default $HOME/.m2/settings.xml. details
Permissions and Security
- Authentication credentials are out of the scope of this issue.
- The gitlab ci job will need to be able to access the custom public maven repository or the gitlab maven repository.
Documentation
- We will need to update the user documentation to describe how to specify custom maven repositories during the license scan.
Availability & Testing
- Add integration tests for pulling dependencies from a public maven repository.
- Add integration tests for pulling dependencies from a group level maven endpoint.
- Add integration tests for pulling dependencies from a project level maven endpoint.
- Add integration tests for pulling dependencies from an instance level maven endpoint.
What does success look like, and how can we measure that?
Acceptance Criteria:
- license scanner can fetch dependencies from a project level maven repository
- license scanner can fetch dependencies from a group level maven repository
- license scanner can fetch dependencies from an instance level maven repository
- if a .gitlab/maven-settings.xml is detected in the project this will override the $HOME/.m2/settings.xml via mvn org.codehaus.mojo:license-maven-plugin:download-licenses -s .gitlab/maven-settings.xml
- Document usage of passing credentials and a custom settings.xml via the MAVEN_CLI_OPTS variable.
What is the type of buyer?
A very bright and intelligent one. :)
Is this a cross-stage feature?
I don't think so.
Implementation Plan
- Install $HOME/.m2/settings.xml in the license scanning image. details https://gitlab.com/gitlab-org/security-products/license-management/-/merge_requests/120
- Add maven profiles to $HOME/.m2/settings.xml for project level repositories. https://gitlab.com/gitlab-org/security-products/license-management/-/merge_requests/120
- Install the org.codehaus.mojo:license-maven-plugin into $HOME/.m2/repository at build time to prevent the need to download them at scan time. https://gitlab.com/gitlab-org/security-products/license-management/-/merge_requests/120
- Update run.sh to forward the MAVEN_CLI_OPTS to LicenseFinder via --maven-options. https://gitlab.com/gitlab-org/security-products/license-management/-/merge_requests/120
- Document usage of passing credentials and a custom settings.xml via the MAVEN_CLI_OPTS variable. !27456 (merged)