GitLab.org / GitLab · Issues · #212388 · Closed
Issue created Mar 24, 2020 by xlg (@xlgmokha), Contributor. 1 of 3 checklist items completed.

Offline License Compliance - Ship offline copy of SPDX catalogue for omnibus

Problem to solve

Today we have a cron job that runs weekly to fetch the latest software license catalogue from SPDX. This catalogue includes an identifier for each software license, which we use for matching detected software licenses.

In order to support airgap installations we need to be able to populate the software_licenses.spdx_identifier column without connecting to https://spdx.org directly.

Intended users

Further details

The benefit is that self-managed airgap installations do not need to allow outbound connections to https://spdx.org/licenses/licenses.json.

Related code (links in the original issue):
  • job
  • cron
  • database column
  • usage

Proposal

Update this code to parse an offline copy of the SPDX catalogue instead of reaching out to the internet when running in airgap mode.

Implementation Plan

  • Create a rake task to fetch the latest version of https://spdx.org/licenses/licenses.json and store it in config/spdx.json. (Or find a more suitable location)
  • Update this code to return new(JSON.parse(File.read(Rails.root.join('config/spdx.json')))) if offline_env?
  • Update documentation to describe how to use the offline copy of the spdx.json catalogue in an offline environment; remove the feature flag and add tests for the rake task.
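The following is an added example of the loader the plan above describes, written for this note; it is not GitLab's code. The class name SpdxCatalogue, the offline: flag standing in for offline_env?, and the default config/spdx.json path are assumptions, as is the constructed three-entry sample in the shape of licenses.json. Two points a practitioner would want on top of the plan: in airgap mode a missing or malformed file must raise rather than silently fall back to the network, and the parsed document is shape-checked so a truncated copy cannot yield an empty catalogue that matches nothing.

```ruby
require 'json'
require 'net/http'
require 'tmpdir'
require 'uri'

# Hypothetical SPDX catalogue loader (assumed names, not GitLab's implementation).
class SpdxCatalogue
  CATALOGUE_URL = URI('https://spdx.org/licenses/licenses.json')
  OFFLINE_PATH  = 'config/spdx.json' # location proposed in the implementation plan

  class CatalogueError < StandardError; end

  License = Struct.new(:id, :name, :deprecated, :osi_approved)

  attr_reader :version, :licenses

  # In offline (airgap) mode only the shipped file is consulted; a missing file is
  # an error, never a silent fallback to the network. Online mode fetches from spdx.org.
  def self.load(offline:, path: OFFLINE_PATH)
    if offline
      raise CatalogueError, "offline SPDX catalogue not found at #{path}" unless File.file?(path)
      parse(File.read(path))
    else
      response = Net::HTTP.get_response(CATALOGUE_URL)
      raise CatalogueError, "spdx.org returned HTTP #{response.code}" unless response.is_a?(Net::HTTPSuccess)
      parse(response.body)
    end
  end

  # Parse the raw licenses.json document and validate the shape we depend on, so a
  # truncated or hand-edited copy fails loudly instead of producing an empty catalogue.
  def self.parse(raw)
    data = JSON.parse(raw)
    unless data.is_a?(Hash) && data['licenses'].is_a?(Array)
      raise CatalogueError, 'unexpected catalogue shape: missing "licenses" array'
    end
    new(data)
  rescue JSON::ParserError => e
    raise CatalogueError, "invalid SPDX catalogue JSON: #{e.message}"
  end

  def initialize(data)
    @version = data['licenseListVersion']
    @licenses = data['licenses'].map do |entry|
      id = entry['licenseId']
      raise CatalogueError, 'license entry without licenseId' if id.nil? || id.empty?
      License.new(id, entry['name'], entry['isDeprecatedLicenseId'] == true, entry['isOsiApproved'] == true)
    end
    @by_id = @licenses.to_h { |l| [l.id, l] }
  end

  # Exact, case-sensitive identifier lookup; normalise the detected id before calling
  # if the detector reports a different casing.
  def find(id)
    @by_id[id]
  end

  # Identifiers suitable for populating software_licenses.spdx_identifier: the
  # non-deprecated ids in catalogue order.
  def current_ids
    @licenses.reject(&:deprecated).map(&:id)
  end
end

# Constructed sample in the shape of https://spdx.org/licenses/licenses.json
# (three entries for illustration, not the real file).
SAMPLE_CATALOGUE = <<~JSON
  {
    "licenseListVersion": "3.8",
    "licenses": [
      {"licenseId": "MIT", "name": "MIT License", "isDeprecatedLicenseId": false, "isOsiApproved": true},
      {"licenseId": "GPL-2.0-only", "name": "GNU General Public License v2.0 only", "isDeprecatedLicenseId": false, "isOsiApproved": true},
      {"licenseId": "GPL-2.0", "name": "GNU General Public License v2.0 only", "isDeprecatedLicenseId": true, "isOsiApproved": true}
    ],
    "releaseDate": "2020-02-09"
  }
JSON

# Write the sample where an offline install would keep it, then load it in airgap mode.
def demo(dir = Dir.mktmpdir)
  path = File.join(dir, 'spdx.json')
  File.write(path, SAMPLE_CATALOGUE)
  SpdxCatalogue.load(offline: true, path: path)
end

if __FILE__ == $PROGRAM_NAME
  catalogue = demo
  puts "SPDX list #{catalogue.version}: #{catalogue.current_ids.join(', ')}"
end
```

The rake task in the plan would be the only code path that calls the online branch; the scheduled job in an airgap deployment calls the offline branch and should surface CatalogueError to the operator, since a stale or missing catalogue means newly detected licenses get no spdx_identifier.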

Permissions and Security

Documentation

Availability & Testing

Engineer to test the solution manually.

SET to look into offline testing of the SPDX catalogue.

What does success look like, and how can we measure that?

What is the type of buyer?

Is this a cross-stage feature?

Links / references

Edited Aug 13, 2020 by Tetiana Chupryna