Offline License Compliance - Ship offline copy of SPDX catalogue for omnibus

Problem to solve

Today we have a cron job that runs weekly to fetch the latest software license catalogue from SPDX. This catalogue includes identifiers for each software license that we use for matching detected software licenses.

In order to support airgap installations we need to be able to populate the software_licenses.spdx_identifier without connecting to https://spdx.org directly.

Intended users

Further details

The benefit is that self managed airgap installations do not need to allow outbound connections to https://spdx.org/licenses/licenses.json.

• job
• cron
• database column
• usage

Proposal

Update this code to parse an offline copy of the SPDX catalogue instead of reaching out to the internet in airgap mode.

Implementation Plan

• Create a rake task to fetch the latest version of https://spdx.org/licenses/licenses.json and store it in config/spdx.json. (Or find a more suitable location)
• Update this code to return new(JSON.parse(Rails.root.join('config/spdx.json')) if offline_env?
• Update documentation to describe how to use offline copy of the spdx.json catalogue in an offline environment; remove feature flag and add tests for rake task.

Permissions and Security

Documentation

Availability & Testing

Engineer to test solution manually.

SET to look into offline testing of SPDX

What does success look like, and how can we measure that?

What is the type of buyer?

Is this a cross-stage feature?

Links / references

This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.