Bower JavaScript air-gapped (offline) License Compliance

Problem to solve

Detect the software licenses associated with dependencies declared using Bower the same way we do today for online instances, but in an offline instance that relies on a proxied or locally hosted custom repository.
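As an added illustration (not part of this issue or of GitLab's own configuration), this is the kind of `.bowerrc` a project would carry so that every Bower resolution stays inside the air-gapped network. The hostnames, the proxy port, the mirror path layout and the internal CA file path are assumptions for the example; the keys themselves (`registry`, `shorthand-resolver`, `proxy`, `https-proxy`, `strict-ssl`, `ca`) are standard Bower configuration options:

```json
{
  "registry": {
    "search": ["https://bower-registry.internal.example/"],
    "register": "https://bower-registry.internal.example/",
    "publish": "https://bower-registry.internal.example/"
  },
  "shorthand-resolver": "https://git.internal.example/mirror/{{owner}}/{{package}}.git",
  "proxy": "http://proxy.internal.example:3128",
  "https-proxy": "http://proxy.internal.example:3128",
  "strict-ssl": true,
  "ca": "/etc/ssl/certs/internal-ca.pem",
  "analytics": false,
  "interactive": false
}
```

Two points a practitioner will want to check. First, a registry entry is only a lookup: it returns a git URL, and Bower's default shorthand resolver expands `owner/package` to `git://github.com/...`, so the registry alone does not make an install offline; the resolver and the mirrored git host must also be reachable from the scanner. Second, keep `strict-ssl` enabled and point `ca` at the internal CA rather than disabling verification to make an internal proxy work. Credentials for an authenticated repository, if the issue ends up covering them, should be injected at scan time rather than committed in `.bowerrc`.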

If possible, this will cover configuring both the repository address and optional authentication. If needed, split authentication into its own issue.

Intended users

Personas are described at https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/

Further details

This change allows the retrieval of Bower dependencies from non-standard sources.

This is to support users on offline, self-hosted GitLab instances.

Proposal

Permissions and Security

The same users who can set up license scanning today can set this up.

The repository may or may not require authentication.

Documentation

We will need to update the user documentation.

Availability & Testing

Manual: Use the existing GCP environment

Automated: Please work with Quality to make sure we have coverage, as we must avoid regressions.

What does success look like, and how can we measure that?

After following the documentation, a scan runs and produces results without requiring an internet connection.

What is the type of buyer?

Heavily regulated industry, highly secretive organizations, and those with poor connectivity.

Is this a cross-stage feature?

No.

Implementation Plan

Links / references

Edited by mo khan