Offline License Compliance - Ship offline copy of SPDX catalogue for omnibus
Problem to solve
Today we have a cron job that runs weekly to fetch the latest software license catalogue from SPDX. This catalogue includes identifiers for each software license that we use for matching detected software licenses.
In order to support airgap installations we need to be able to populate the software_licenses.spdx_identifier
without connecting to https://spdx.org
directly.
Intended users
Further details
The benefit is that self managed airgap installations do not need to allow outbound connections to https://spdx.org/licenses/licenses.json
.
Proposal
Update this code to parse an offline copy of the SPDX catalogue instead of reaching out to the internet in airgap mode.
Implementation Plan
-
Create a rake task to fetch the latest version of https://spdx.org/licenses/licenses.json
and store it inconfig/spdx.json
. (Or find a more suitable location) -
Update this code to return new(JSON.parse(Rails.root.join('config/spdx.json')) if offline_env?
-
Update documentation to describe how to use offline copy of the spdx.json
catalogue in an offline environment; remove feature flag and add tests for rake task.
Permissions and Security
Documentation
Availability & Testing
Engineer to test solution manually.
SET to look into offline testing of SPDX