Maven: Detect software licenses for dependencies sourced from a custom private authenticated repository
Problem to solve
License scanning needs to be able to detect software licenses associated with dependencies that originate from custom private authenticated Maven repositories. These repositories are authenticated with username/password credentials. Committing those credentials to the git repository is unsafe, so we need a way for users to specify custom Maven repository servers and the credentials for those servers without storing the secrets in the project.
Intended users
Personas are described at https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/
Further details
Credentials to access a private Maven repository can be supplied in a custom settings.xml file.
Proposal
- Add documentation to describe how to provide a custom settings.xml file to be used by maven. !27456 (merged)
- Forward MAVEN_CLI_OPTS to LicenseFinder so that it can use a custom settings.xml file. https://gitlab.com/gitlab-org/security-products/license-management/-/merge_requests/120
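As a worked illustration of the proposal above, the following .gitlab-ci.yml is an added example written for this page; it is not code from the issue, the merge requests, or the GitLab documentation. It assumes the template name Security/License-Scanning.gitlab-ci.yml, that the license_scanning job passes MAVEN_CLI_OPTS through to the mvn invocation made by LicenseFinder, and two hypothetical masked CI/CD variables, MAVEN_REPO_USER and MAVEN_REPO_PASSWORD. The settings.xml is generated at job time and only contains ${env.*} placeholders, which Maven resolves from the job environment, so no credential is ever committed to the repository or written in clear into a tracked file.

```yaml
# .gitlab-ci.yml (added example; names of the template and variables are assumptions)
include:
  - template: Security/License-Scanning.gitlab-ci.yml   # assumed template name

license_scanning:
  variables:
    # Assumption: the analyzer forwards MAVEN_CLI_OPTS to mvn.
    # -s is mvn's --settings flag; the file is written by before_script below.
    MAVEN_CLI_OPTS: "-s $CI_PROJECT_DIR/settings.xml -DskipTests"
  before_script:
    # The heredoc delimiter is quoted, so the shell does not expand ${env.*};
    # Maven expands them at run time from MAVEN_REPO_USER / MAVEN_REPO_PASSWORD,
    # which are hypothetical masked CI/CD variables set in the project settings.
    - |
      cat > "$CI_PROJECT_DIR/settings.xml" <<'EOF'
      <settings>
        <servers>
          <server>
            <!-- must match the <repository><id> declared in pom.xml -->
            <id>private-repo</id>
            <username>${env.MAVEN_REPO_USER}</username>
            <password>${env.MAVEN_REPO_PASSWORD}</password>
          </server>
        </servers>
      </settings>
      EOF
```

The server id (private-repo here) has to match the id of the repository element in the project's pom.xml, otherwise Maven sends no credentials and dependency resolution fails with an authorization error rather than a license result. Because the values come from masked variables, they are not echoed in the job log, and because the heredoc leaves the ${env.*} references literal, the generated settings.xml is safe to inspect in a job artifact. A quick check that the setup works is to run the job once with a deliberately wrong MAVEN_REPO_PASSWORD and confirm the private dependency fails to resolve, then restore the real value and confirm its license appears in the report.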
Permissions and Security
We will not store credentials. Instead we will provide documentation so that users know how to pass credentials to the license_scanning job (for example as masked CI/CD variables referenced from a custom settings.xml rather than as values committed to the repository) so that private authenticated Maven repositories can be used.
Documentation
We will document how to specify custom maven settings to maven via the settings.xml file.
Availability & Testing
- Add integration test to demonstrate how to pass a custom settings.xml file to the license_scanning job.
What does success look like, and how can we measure that?
- The license_scanning job is able to detect software licenses associated with a package that originates from a private Maven repository.
What is the type of buyer?
TBD
Is this a cross-stage feature?
No