Offline License Compliance - Ship offline copy of SPDX catalogue for omnibus
Problem to solve
Today we have a cron job that runs weekly to fetch the latest software license catalogue from SPDX. This catalogue includes identifiers for each software license that we use for matching detected software licenses.
In order to support airgap installations we need to be able to populate software_licenses.spdx_identifier without connecting to https://spdx.org directly.
Intended users
Further details
The benefit is that self-managed airgap installations do not need to allow outbound connections to https://spdx.org/licenses/licenses.json.
Proposal
Update this code to parse an offline copy of the SPDX catalogue instead of reaching out to the internet in airgap mode.
Implementation Plan
- Create a rake task to fetch the latest version of https://spdx.org/licenses/licenses.json and store it in config/spdx.json (or find a more suitable location).
- Update this code to return new(JSON.parse(File.read(Rails.root.join('config/spdx.json')))) if offline_env? (the file must be read before it is parsed; JSON.parse does not accept a Pathname).
- Update documentation to describe how to use the offline copy of the spdx.json catalogue in an offline environment; remove the feature flag and add tests for the rake task.
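The offline/online split described in the plan above, as an added example that is not GitLab's own code: a hypothetical SpdxCatalogue module reads the shipped config copy when an assumed SPDX_OFFLINE variable is set, otherwise calls an injected fetcher, and skips malformed licenses.json entries instead of aborting. The module name, variable name and the embedded sample catalogue are assumptions.

```ruby
require 'json'
require 'tempfile'
# Hypothetical module (added example, not GitLab's own code). Loads the SPDX
# licence catalogue from an offline file in airgap mode, else via a fetcher.
module SpdxCatalogue
  SPDX_URL = 'https://spdx.org/licenses/licenses.json'
  License = Struct.new(:id, :name, :deprecated)

  # Airgap mode is signalled by an environment variable (name assumed).
  def self.offline_env?(env = ENV)
    env['SPDX_OFFLINE'] == 'true'
  end

  # Parse licenses.json into License structs; skip malformed entries instead
  # of letting one bad record abort the whole catalogue refresh.
  def self.parse(json_text)
    doc = JSON.parse(json_text)
    entries = doc.fetch('licenses') { raise ArgumentError, 'missing "licenses" key' }
    entries.filter_map do |e|
      next unless e['licenseId'].is_a?(String) && e['name'].is_a?(String)
      License.new(e['licenseId'], e['name'], e['isDeprecatedLicenseId'] == true)
    end
  end

  # In airgap mode read the shipped copy; otherwise use the injected fetcher
  # (so tests never reach https://spdx.org).
  def self.catalogue_for(offline_path:, env: ENV, fetcher: nil)
    return parse(File.read(offline_path)) if offline_env?(env)
    raise ArgumentError, 'online mode needs a fetcher' unless fetcher
    parse(fetcher.call(SPDX_URL))
  end

  # Constructed sample in the shape of https://spdx.org/licenses/licenses.json
  SAMPLE_CATALOGUE = <<~JSON
    { "licenseListVersion": "0.0-sample",
      "licenses": [
        { "licenseId": "MIT", "name": "MIT License", "isDeprecatedLicenseId": false },
        { "licenseId": "GPL-2.0", "name": "GNU General Public License v2.0 only",
          "isDeprecatedLicenseId": true },
        { "name": "entry with no licenseId" } ] }
  JSON

  # Write the sample to a temp file and load it the way the rake-task copy would be.
  def self.demo
    Tempfile.create(['spdx', '.json']) do |f|
      f.write(SAMPLE_CATALOGUE); f.flush
      catalogue_for(offline_path: f.path, env: { 'SPDX_OFFLINE' => 'true' })
    end
  end
end
```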
Permissions and Security
Documentation
Availability & Testing
Engineer to test the solution manually.
SET to look into offline testing of SPDX.
What does success look like, and how can we measure that?
What is the type of buyer?
Is this a cross-stage feature?
Links / references
This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.