Skip to content

GitLab Next

  • Menu
Projects Groups Snippets
  • Help
    • Help
    • Support
    • Community forum
    • Submit feedback
    • Contribute to GitLab
  • Sign in / Register
  • GitLab GitLab
  • Project information
    • Project information
    • Activity
    • Labels
    • Members
  • Repository
    • Repository
    • Files
    • Commits
    • Branches
    • Tags
    • Contributors
    • Graph
    • Compare
    • Locked Files
  • Issues 43,062
    • Issues 43,062
    • List
    • Boards
    • Service Desk
    • Milestones
    • Iterations
    • Requirements
  • Merge requests 1,351
    • Merge requests 1,351
  • CI/CD
    • CI/CD
    • Pipelines
    • Jobs
    • Schedules
    • Test Cases
  • Deployments
    • Deployments
    • Environments
    • Releases
  • Packages & Registries
    • Packages & Registries
    • Package Registry
    • Container Registry
    • Infrastructure Registry
  • Monitor
    • Monitor
    • Metrics
    • Incidents
  • Analytics
    • Analytics
    • Value stream
    • CI/CD
    • Code review
    • Insights
    • Issue
    • Repository
  • Snippets
    • Snippets
  • Activity
  • Graph
  • Create a new issue
  • Jobs
  • Commits
  • Issue Boards
Collapse sidebar
  • GitLab.org
  • GitLabGitLab
  • Issues
  • #212388
Closed
Open
Created Mar 24, 2020 by xlg@xlgmokhaContributor1 of 3 tasks completed1/3 tasks

Offline License Compliance - Ship offline copy of SPDX catalogue for omnibus

Problem to solve

Today we have a cron job that runs weekly to fetch the latest software license catalogue from SPDX. This catalogue includes identifiers for each software license that we use for matching detected software licenses.

In order to support airgap installations we need to be able to populate the software_licenses.spdx_identifier without connecting to https://spdx.org directly.

Intended users

Further details

The benefit is that self managed airgap installations do not need to allow outbound connections to https://spdx.org/licenses/licenses.json.

  • job
  • cron
  • database column
  • usage

Proposal

Update this code to parse an offline copy of the SPDX catalogue instead of reaching out to the internet in airgap mode.

Implementation Plan

  • Create a rake task to fetch the latest version of https://spdx.org/licenses/licenses.json and store it in config/spdx.json. (Or find a more suitable location)
  • Update this code to return new(JSON.parse(Rails.root.join('config/spdx.json')) if offline_env?
  • Update documentation to describe how to use offline copy of the spdx.json catalogue in an offline environment; remove feature flag and add tests for rake task.

Permissions and Security

Documentation

Availability & Testing

Engineer to test solution manually.

SET to look into offline testing of SPDX

What does success look like, and how can we measure that?

What is the type of buyer?

Is this a cross-stage feature?

Links / references

Edited Aug 13, 2020 by Tetiana Chupryna
Assignee
Assign to
Time tracking