Offline License Compliance for Rust
Problem to solve
Detect the software licenses of dependencies declared as crates, in the same way we do today for online instances, on an offline instance that relies on a proxied or locally hosted custom registry.
If possible, this will cover setting both the registry address and optional authentication. If needed, split authentication into its own issue.
Intended users
Personas are described at https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/
Further details
This change allows the retrieval of Rust dependencies from non-standard sources.
This is to support users on offline GitLab self-hosted instances.
Proposal
Permissions and Security
The same users who can set up license scanning today can set this up.
The repository may or may not require authentication.
Documentation
We will need to update user documentation
Availability & Testing
Manual: Use the existing GCP environment
Automated: Please work with Quality to make sure we have coverage as we must avoid regression
What does success look like, and how can we measure that?
After following the documentation, running a scan and obtaining results does not require an internet connection.
What is the type of buyer?
Heavily regulated industry, highly secretive organizations, and those with poor connectivity.
Is this a cross-stage feature?
No.
Implementation Plan
- Set up a custom crates registry in the Offline test environment.
- Exclude development/test dependencies from the scan output. https://gitlab.com/gitlab-org/security-products/license-management/-/merge_requests/201
- Add integration test(s) to fetch dependencies from a custom registry. https://gitlab.com/gitlab-org/security-products/license-management/-/merge_requests/201
- Add integration test(s) to verify that dependencies can be installed from a custom registry. https://gitlab.com/gitlab-org/security-products/license-management/-/merge_requests/201
- Ensure dependencies can be installed from a custom registry served with a custom self-signed TLS certificate. https://gitlab.com/gitlab-org/security-products/license-management/-/merge_requests/201
- Add documentation to describe any special setup or configuration required for fetching dependencies from a custom registry. Example: !39162 (merged)
- Add documentation to describe any setup required for working in an offline environment. Example: !39162 (merged)
- Add an example project to templates.
- Install Rust into /opt/asdf. https://gitlab.com/gitlab-org/security-products/license-management/-/merge_requests/201
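As an added illustration (not configuration from the license-management project), the Cargo config below shows the shape of the setup the plan items above describe: crates.io replaced by a local mirror, the mirror's internal CA pinned for a self-signed certificate, and the registry token kept out of the committed file. The registry name `mirror`, the host `crates.internal.example` and the CA bundle path are placeholders.

```toml
# .cargo/config.toml -- constructed example, not the project's own configuration.
# Registry name, host and certificate path are placeholders.

# Route every crates.io dependency in Cargo.toml through the local mirror, so
# manifests stay unchanged and dependency resolution never reaches the public index.
[source.crates-io]
replace-with = "mirror"

# The mirror itself. `index` is the registry index URL served on the offline network.
[registries.mirror]
index = "https://crates.internal.example/index"

# The mirror presents a certificate from an internal CA: pin that CA bundle (PEM)
# rather than disabling TLS verification.
[http]
cainfo = "/etc/ssl/certs/internal-ca.pem"

# The registry token is deliberately absent from this file. Cargo reads it from the
# CARGO_REGISTRIES_MIRROR_TOKEN environment variable (set as a masked CI variable)
# or from ~/.cargo/credentials.toml, so it is never committed with the project.
```

Because the replacement is declared at the source level, the scan job needs no changes to the project's Cargo.toml, which keeps the offline setup invisible to developers.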
Links / references
- https://asdf-vm.com/#/
- https://github.com/code-lever/asdf-rust/blob/master/bin/install
- https://doc.rust-lang.org/cargo/reference/config.html