Move license-management project to analyzers/license-finder
Problem to solve
The License Compliance feature currently relies on a single tool, License Finder. Like other security features before it, this tool is wrapped in a single "top-level" project: https://gitlab.com/gitlab-org/security-products/license-management.
While we have migrated all other tools to dedicated analyzers, we haven't done so yet for license-management (nor for dast, which has its own issue).
This inconsistency blocks stage-wide initiatives in UX and engineering.
Intended users
Further details
Even though a single tool provides license compliance today, we might replace it, add new ones, or even break this one down into per-language analyzers someday. We also want to support 3rd-party integrations, so moving to an architecture designed for that will make things simpler for everyone.
Proposal
- in %13.0 initiate the migration from a user perspective:
  - create the https://gitlab.com/gitlab-org/security-products/analyzers/license-finder project, with just a README
  - add instructions in the current release job for license-management to create docker image tag aliases and push them additionally under https://gitlab.com/gitlab-org/security-products/analyzers/license-finder
  - update the vendored templates and documentation to point to the new image
  - deprecate the usage of docker images under https://gitlab.com/gitlab-org/security-products/license-management in documentation
- whenever the CA team has time, effectively migrate the content of the license-management project into the new location: https://gitlab.com/gitlab-org/security-products/analyzers/license-finder
  - clone the repo under the new project
  - update any script pointing to the old license-management repo
  - remove content from the old repo, prevent writes on the git repo
  - keep pushing images under the "license-management" namespace registry for backward compatibility
  - remove the `GITLAB_TOKEN` var, and revoke the token in the `gitlab-bot` account
- in %14.0, or before if we agree on doing a breaking change in a minor release:
  - stop pushing images under the old "license-management" registry
  - archive the "license-management" project
  - clean the documentation
Permissions and Security
Documentation
Availability & Testing
What does success look like, and how can we measure that?
What is the type of buyer?
Is this a cross-stage feature?
Links / references
- https://docs.gitlab.com/ee/user/project/index.html#redirects-when-changing-repository-paths
- https://docs.gitlab.com/ee/user/project/settings/#transferring-an-existing-project-into-another-namespace
Implementation Plan
- migrate the content of the license-management project into the new location: https://gitlab.com/gitlab-org/security-products/analyzers/license-finder
  - clone the repo under the new project
  - update any script pointing to the old license-management repo
  - remove content from the old repo, prevent writes on the git repo
  - remove the `GITLAB_TOKEN` var, and revoke the token in the `gitlab-bot` account
  - clean the license-management project documentation to refer to the new location
  - disable merge requests on gitlab.com/gitlab-org/security-products/license-management
  - disable pipelines on gitlab.com/gitlab-org/security-products/license-management