Plan and Refine: License Compliance: URL used as license name
Summary
If we only know the url of a dependency, we should display the URL, but truncate it as needed (define column-width), then display a popover. The popover is so the user could copy and paste the URL.
When the license detection parses a URL from the dependency metadata it does not make any attempt to download the license at the specified URL to try to determine the license. The URL ends up being pushed up into the name field in the license scanning report. This occurs more often for .NET projects. Line.
If the URL is known and has a matching SPDX identifier, then it can be added to the list of licenses here.
Steps to reproduce
- Create a .NET project.
- Add a dependency.
- Run the license_scanning job.
Example Project
Some of our integration tests already document this behaviour.
- https://gitlab.com/gitlab-org/security-products/license-management/-/blob/d65dd61597375bfd6e6953fd4d0990a836fc3503/spec/fixtures/expected/csharp/nuget-dotnetcore/v2.0.json#L24
- https://gitlab.com/gitlab-org/security-products/license-management/-/blob/d65dd61597375bfd6e6953fd4d0990a836fc3503/spec/fixtures/expected/csharp/nuget-dotnetcore/v2.0.json#L48
What is the current bug behavior?
When a URL to a software license is identified for a .NET based project, the URL itself is reported as the name of the license. The name field is then used to allow/deny this license if it matches a user-entered software license policy.
What is the expected correct behavior?
If the software license has an equivalent SPDX identifier, then the name associated with the license should be displayed. Otherwise, the only way that customers can block this specific license is if we provide the URL in the name field in the license scan report. So I'm not sure what the correct behavior is.
Relevant logs and/or screenshots
Output of checks
This bug happens on GitLab.com.
Possible fixes
- [ ] Display the URL, but truncate it as needed (define column-width), then display a popover.
- [ ] Add known Microsoft license URLs to the list of normalized licenses.
- [ ] Map nonstandard licenses that are not in the SPDX catalogue so that they appear in the scan report using a consistent name and unique GitLab-specific identifier until these licenses are added to the SPDX catalogue.
Add the list of known Microsoft licenses to https://gitlab.com/gitlab-org/security-products/license-management/-/blob/master/normalized-licenses.yml and give them the matching SPDX identifier, or use Nonstandard, which is the convention used in rubygems.
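The following is an added illustration of the two fixes proposed above (URL-to-SPDX normalization and truncated display with a copyable full value); it is not code from the license-management project, and the mapping, the URL-index helper names and the sample dependency rows are all constructed for the example. The point it shows is that a policy matching on the name field can only reliably block a license if every URL variant (scheme case, trailing slash) normalizes to the same name, and that an unknown URL must be kept verbatim rather than dropped so that a policy can still match on it.

```ruby
require 'yaml'
require 'uri'

# Constructed sample in the shape of a normalized-licenses mapping
# (hypothetical entries, not the project's real normalized-licenses.yml):
# SPDX id (or "Nonstandard") => list of license URLs seen in dependency metadata.
SAMPLE_NORMALIZED_LICENSES = YAML.safe_load(<<~YAML)
  MIT:
    - https://opensource.org/licenses/MIT
    - https://example.invalid/mit-license
  Nonstandard:
    - https://example.invalid/vendor-eula
YAML

# Reduce a URL to host + path so trivial variants (scheme, host case,
# trailing slash) all map to the same key.
def canonical_url(url)
  uri = URI.parse(url.strip)
  host = uri.host.to_s.downcase
  path = uri.path.to_s.chomp('/')
  "#{host}#{path}"
rescue URI::InvalidURIError
  url.strip.downcase.chomp('/')
end

# Invert the mapping into canonical URL => SPDX id for O(1) lookups.
def build_url_index(normalized)
  normalized.each_with_object({}) do |(spdx_id, urls), index|
    urls.each { |url| index[canonical_url(url)] = spdx_id }
  end
end

def url?(name)
  name.match?(%r{\Ahttps?://}i)
end

# Resolve the name to report: a known URL becomes its SPDX id (or
# "Nonstandard"); an unknown URL is returned unchanged so a deny policy
# written against that URL still matches.
def normalize_license_name(name, index)
  return name unless url?(name)
  index.fetch(canonical_url(name), name)
end

# Fixed-width table cell: truncate long values and carry the full string
# in :title for the popover so the user can copy and paste it.
def display_cell(name, width: 40)
  return { text: name, title: nil } if name.length <= width
  { text: "#{name[0, width - 3]}...", title: name }
end

# Constructed sample rows as the name field might arrive from a NuGet project.
def demo
  index = build_url_index(SAMPLE_NORMALIZED_LICENSES)
  [
    'https://opensource.org/licenses/MIT/',
    'HTTP://Example.invalid/vendor-eula',
    'https://example.invalid/some-very-long-path/that-nobody-has-mapped/LICENSE.txt'
  ].map { |raw| display_cell(normalize_license_name(raw, index)) }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Running the script prints three cells: the first two resolve to MIT and Nonstandard, the third keeps the unmapped URL truncated to 40 characters with the full URL in the title.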
