License-Scanning silently fails when requirements are not met
Summary
Make the license-finder analyzer fail when requirements are not met. Currently, the job succeeds, but actually fails silently without reporting anything.
Steps to reproduce
- Create a Java project
- Use mvnw and pin Maven to 3.5.3
- Run the license-scanning job.
Example Project
https://gitlab.com/yhsueh-demo/my-spring-app2 (internal link)
What is the current bug behavior?
https://gitlab.com/yhsueh-demo/my-spring-app2/-/jobs/603922883 is a green job, without any warning or error. Yet, no license is reported.
Setting LOG_LEVEL: debug actually makes the problem obvious.
In https://gitlab.com/yhsueh-demo/my-spring-app2/-/jobs/606175742 we can see an error preventing the execution of the underlying tool:
Prepare
Added development to the ignored groups
Added develop to the ignored groups
Added test to the ignored groups
license_management report --prepare-no-fail --format=json --save=gl-license-scanning-report.json --no-recursive --no-debug
LicenseFinder::Maven: is active
./mvnw -e org.codehaus.mojo:license-maven-plugin:2.0.0:aggregate-download-licenses -Dlicense.excludedScopes=development,develop,test -Dorg.slf4j.simpleLogger.log.org.codehaus.mojo.license=debug -DskipTests
[...]
[INFO]
[INFO] --------------------------< com.example:demo >--------------------------
[INFO] Building demo 0.0.1-SNAPSHOT
[INFO] --------------------------------[ jar ]---------------------------------
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 4.760 s
[INFO] Finished at: 2020-06-22T15:41:49Z
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.codehaus.mojo:license-maven-plugin:2.0.0:aggregate-download-licenses (default-cli) on project demo: The plugin org.codehaus.mojo:license-maven-plugin:2.0.0 requires Maven version 3.5.4 -> [Help 1]
org.apache.maven.lifecycle.LifecycleExecutionException: Failed to execute goal org.codehaus.mojo:license-maven-plugin:2.0.0:aggregate-download-licenses (default-cli) on project demo: The plugin org.codehaus.mojo:license-maven-plugin:2.0.0 requires Maven version 3.5.4
Note that this project is using mvnw, which pins Maven to 3.5.3. This is not uncommon, so we should support these cases, or at least fail correctly.
What is the expected correct behavior?
The job should report licenses, or fail if there's an error.
Possible fixes
Check the requirements of the org.codehaus.mojo:license-maven-plugin:2.0.0:aggregate-download-licenses Maven plugin. It appears to require at least Maven 3.5.4, but there are probably other requirements. Fail the job if the requirements are not met, and more importantly, display why it is failing.
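As an added example (not the analyzer's or the demo project's own code), a shell pre-flight check of the kind this fix calls for: it reads the Maven version that mvnw pins from the wrapper's properties file, compares it with the 3.5.4 minimum quoted in the error above, and exits non-zero with a visible [ERROR] line instead of letting the job go green with no report. The wrapper file contents below are constructed to match the report.

```shell
#!/bin/sh
# Added example, not part of the license-finder analyzer. Pre-flight check that
# fails the license-scanning job loudly when the pinned Maven is too old.

MIN_MAVEN_VERSION="3.5.4"   # minimum named in the license-maven-plugin error

# version_ge A B: return 0 when dotted version A >= B, comparing component-wise
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    len = (n > m) ? n : m
    for (i = 1; i <= len; i++) {
      xi = (i <= n) ? x[i] + 0 : 0; yi = (i <= m) ? y[i] + 0 : 0
      if (xi > yi) exit 0
      if (xi < yi) exit 1
    }
    exit 0
  }'
}

# wrapper_maven_version FILE: print the version pinned by the Maven wrapper
# (the distributionUrl in maven-wrapper.properties names the apache-maven version)
wrapper_maven_version() {
  sed -n 's#.*apache-maven/\([0-9][0-9.]*\)/.*#\1#p' "$1"
}

# check_maven_requirements VERSION: print an [ERROR] line and return 1 when the
# pinned Maven cannot run the plugin, so the CI job fails instead of succeeding
check_maven_requirements() {
  if version_ge "$1" "$MIN_MAVEN_VERSION"; then
    echo "[INFO] Maven $1 satisfies license-maven-plugin (>= $MIN_MAVEN_VERSION)"
    return 0
  fi
  echo "[ERROR] license-maven-plugin requires Maven >= $MIN_MAVEN_VERSION, but mvnw pins $1" >&2
  return 1
}

# Constructed sample of .mvn/wrapper/maven-wrapper.properties from a project
# pinned to 3.5.3, like the one in this report
props=$(mktemp)
cat > "$props" <<'EOF'
distributionUrl=https://repo.maven.apache.org/maven2/org/apache/maven/apache-maven/3.5.3/apache-maven-3.5.3-bin.zip
wrapperUrl=https://repo.maven.apache.org/maven2/io/takari/maven-wrapper/0.5.6/maven-wrapper-0.5.6.jar
EOF

if ! check_maven_requirements "$(wrapper_maven_version "$props")"; then
  echo "license-scanning would now exit 1 instead of reporting success with no licenses"
fi
rm -f "$props"
```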
Implementation Plan
- Ensure that WARN, ERROR and FATAL log messages appear in the console output. If necessary, write to stdout by default. https://gitlab.com/gitlab-org/security-products/license-management/-/merge_requests/195
- Update the documentation to specify which versions of Maven are supported. !3750 (merged)
- Add tests for each supported version of Maven. https://gitlab.com/gitlab-org/security-products/license-management/-/merge_requests/195
- Display the license_scanning job failure if the tools cannot be installed. https://gitlab.com/gitlab-org/security-products/license-management/-/merge_requests/195
/cc @xlgmokha /cc @gonzoyumo @NicoleSchwartz for prioritization