Objective-C, Swift Offline License Compliance
NOTE if you are a user who also would like to see this feature, please UPVOTE
These package managers were not specifically requested by offline customers
Problem to solve
Detect software licenses associated with dependencies declared using CocoaPods, the same way we do today for online instances, in an offline instance that relies on a proxied or locally hosted custom spec repository.
If possible this should cover setting both the repository address and optional authentication. If needed, split authentication into its own issue.
Intended users
Personas are described at https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/
Further details
This change allows the retrieval of CocoaPods dependencies (and their podspecs) from non-standard sources.
This is to support users of offline GitLab self-hosted instances.
Proposal
We could parse the Podfile.lock to get the list of resolved dependencies, but it only records names, versions and spec checksums, not the information needed to detect licenses.
E.g.
Podfile
```ruby
platform :ios
target :MovieLibraryTests, :exclusive => true do
pod 'Kiwi'
end
```
Podfile.lock
```yaml
PODS:
- Kiwi (2.0.6)
DEPENDENCIES:
- Kiwi
SPEC CHECKSUMS:
Kiwi: 56082a80f942de4d10423d8d8a599ab30cf50228
COCOAPODS: 0.19.1
```
We could then fetch the Kiwi podspec from https://github.com/CocoaPods/Specs/blob/master/Specs/b/6/e/Kiwi/2.0.6/Kiwi.podspec.json and read the license information out of its `license` field.
To support custom spec repos we could use something similar to this guide, where we document how to tell the license_scanning job where to fetch the specs repo from, so it can look up the license information in the spec file.
This would be a reasonable MVC that lets us start scanning some CocoaPods projects; it could be improved later, once we have macOS shared runners, so that we can install the pods and read the LICENSE files shipped with the source code.
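As an added example of the lookup described above (this is not code from the issue or from the license-management project), the Ruby script below parses a Podfile.lock, derives the podspec path in a locally cloned spec repo using the CocoaPods/Specs sharding scheme (three directory levels taken from the first three hex digits of MD5(pod name), which is why Kiwi lives under Specs/b/6/e/), falls back to the flat layout that older and many private spec repos use, and reads the `license` field from the podspec JSON. The Podfile.lock text, the ExampleNet pod and the temporary spec repo are constructed for the example; in a real run `repo_dir` would point at a clone of the proxied or locally hosted spec repo.

```ruby
require "yaml"
require "json"
require "digest/md5"
require "fileutils"
require "tmpdir"

# Constructed sample Podfile.lock: the Kiwi entry from the issue plus a
# hypothetical pod ("ExampleNet", a subspec with its own dependency) so the
# parser has to handle both entry shapes CocoaPods writes.
SAMPLE_PODFILE_LOCK = <<~LOCK
  PODS:
    - ExampleNet/Serialization (1.0.0):
      - Kiwi
    - Kiwi (2.0.6)
  DEPENDENCIES:
    - ExampleNet/Serialization
    - Kiwi
  SPEC CHECKSUMS:
    Kiwi: 56082a80f942de4d10423d8d8a599ab30cf50228
  COCOAPODS: 0.19.1
LOCK

POD_ENTRY = /\A(?<name>\S+) \((?<version>[^)]+)\)\z/

# Return [{name:, root:, version:}] for every resolved pod in the lock file.
# A PODS entry is either a string ("Kiwi (2.0.6)") or a one-key hash when the
# pod itself declares dependencies. Subspecs ("Foo/Bar") share Foo's podspec.
def parse_podfile_lock(text)
  lock = YAML.safe_load(text)
  Array(lock["PODS"]).map do |entry|
    line = entry.is_a?(Hash) ? entry.keys.first : entry
    m = POD_ENTRY.match(line.to_s) or raise "unparseable PODS entry: #{line.inspect}"
    { name: m[:name], root: m[:name].split("/").first, version: m[:version] }
  end
end

# CocoaPods/Specs shards pods under Specs/<a>/<b>/<c>/ where abc are the first
# three hex digits of MD5(pod name); older or private spec repos are flat.
def shard_prefix(root)
  Digest::MD5.hexdigest(root)[0, 3].chars
end

def candidate_spec_paths(repo_dir, root, version)
  [
    File.join(repo_dir, "Specs", *shard_prefix(root), root, version, "#{root}.podspec.json"),
    File.join(repo_dir, "Specs", root, version, "#{root}.podspec.json"),
    File.join(repo_dir, root, version, "#{root}.podspec.json"),
  ]
end

# "license" in podspec JSON is either a bare string or {"type"=>..., "file"=>...}.
def license_from_podspec(json)
  lic = json["license"]
  lic.is_a?(Hash) ? lic["type"] : lic
end

# Resolve each pod's license from the local spec repo; pods whose spec is
# missing (or only exists as a Ruby-DSL .podspec) are reported as "unknown".
def lookup_licenses(lock_text, repo_dir)
  parse_podfile_lock(lock_text).map do |pod|
    path = candidate_spec_paths(repo_dir, pod[:root], pod[:version]).find { |p| File.file?(p) }
    license = path ? license_from_podspec(JSON.parse(File.read(path))) : nil
    pod.merge(license: license || "unknown", spec_path: path)
  end
end

# Build a throwaway local spec repo (constructed data) so the flow runs offline:
# Kiwi in the sharded layout, ExampleNet in the flat layout.
def write_fake_specs_repo(dir)
  kiwi = File.join(dir, "Specs", *shard_prefix("Kiwi"), "Kiwi", "2.0.6", "Kiwi.podspec.json")
  FileUtils.mkdir_p(File.dirname(kiwi))
  File.write(kiwi, JSON.generate("name" => "Kiwi", "version" => "2.0.6",
                                 "license" => { "type" => "MIT", "file" => "License.txt" }))
  net = File.join(dir, "Specs", "ExampleNet", "1.0.0", "ExampleNet.podspec.json")
  FileUtils.mkdir_p(File.dirname(net))
  File.write(net, JSON.generate("name" => "ExampleNet", "version" => "1.0.0",
                                "license" => "Apache-2.0"))
  dir
end

def demo
  Dir.mktmpdir("specs") do |dir|
    write_fake_specs_repo(dir)
    lookup_licenses(SAMPLE_PODFILE_LOCK, dir)
  end
end

if $PROGRAM_NAME == __FILE__
  demo.each { |pod| puts "#{pod[:name]} #{pod[:version]}: #{pod[:license]}" }
end
```

Two caveats a scanner built this way has to live with: the PODS section lists test-only pods next to production ones with no marker, so excluding development/test dependencies needs the target information from the Podfile itself; and a spec repo that ships only Ruby-DSL `.podspec` files (no JSON) cannot be read without evaluating it through CocoaPods, which is why such pods come back as "unknown" here rather than being guessed.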
Permissions and Security
The same users who can set up license scanning today can set this up.
The spec repository may or may not require authentication.
Documentation
We will need to update user documentation
Availability & Testing
Manual: Use the existing GCP environment
Automated: Please work with Quality to make sure we have coverage as we must avoid regression
What does success look like, and how can we measure that?
After following the documentation, running a scan and getting results does not require an internet connection.
What is the type of buyer?
Heavily regulated industry, highly secretive organizations, and those with poor connectivity.
Is this a cross-stage feature?
no
Implementation Plan
- [ ] Release https://gitlab.com/gitlab-org/security-products/license-management as a rubygem.
- [ ] Add documentation to describe how to run the license_scanning job on a macOS host using the gitlab-runner shell configuration.
- [ ] Override the license_scanning job to run on a macOS shared runner.
- Override macOS-specific code in favour of looking up license data from the spec repo.
- Set up a custom registry in the offline test environment.
- Exclude development/test dependencies from the scan output.
- Add integration test(s) to fetch dependencies from a custom registry.
- Add integration test(s) to verify that dependencies can be installed from a custom registry.
- Ensure dependencies can be installed from a custom registry served with a custom self-signed TLS certificate.
- Add documentation to describe any special setup or configuration required for fetching dependencies from a custom registry. Example
- Add documentation to describe any setup required for working in an offline environment. Example
- Add example project to templates
- Add test project to test projects by following the procedure in https://gitlab.com/gitlab-org/security-products/tests/common#how-to-create-a-new-test-project