License Management
Description
A common need for organizations is to understand the licenses of the libraries and components they are using.
Building or incorporating software which has been released under an incompatible license can expose a company to legal risk, as well as result in significant re-engineering work or even features being pulled.
We should add these features into GitLab, either by building them internally or by leveraging existing open source solutions.
Proposal
- Check all your open source dependencies against a license whitelist and notify you about violations.
- Support package managers, like NPM, Bundler, Composer, PIP.
Note: the first iteration is based on the license_finder gem we already use at GitLab. This will cover the following languages right out of the box: Ruby, Python, Node.js, Java, "everything covered by Bower" (JS/CSS to some extent), Swift, Objective-C, Erlang, Go. To cover other languages, we will need to iterate on this feature.
- This feature is activated by default on all projects (for Ultimate/Gold subscribers).
- Per project, you can deactivate the feature, and also define a list of licenses your dependencies can not use. The list of licenses can be found here.
- By default a list of unacceptable copyleft licenses is loaded (https://gitlab.com/snippets/1548385).
- On every commit in an MR, we run the license_finder gem to automatically find the license information of the project's external dependencies. We will support all the package managers already supported by this gem.
- If a violation occurs, the MR is blocked and the user has to take action to change their license policy. We show a message: "These libraries failed licenses: middleman (MIT), ...".
- If no violation occurs, we display the message "All licenses passed".
- If the merge is attempted through the CLI and we detect a license that violates our list, we display a message through git informing that the merge can't happen.
- This feature is only available to instances which are EE Premium.
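As an added illustration (not GitLab's or license_finder's code), here is the check the proposal describes: parse a dependency report, compare each dependency's licenses against the per-project deny list, and produce the MR message. The three-column CSV layout, the sample report and the deny-list entries are constructed assumptions.

```ruby
require 'csv'

# Constructed sample report. The "name,version,licenses" column layout is an
# assumption for this example, not taken from the license_finder documentation.
SAMPLE_REPORT = <<~CSV
  middleman,4.2.1,MIT
  rails,5.1.4,MIT
  readline,7.0,GPL-3.0
  some-lib,1.0.0,"Apache-2.0,LGPL-2.1"
CSV

# Licenses that dependencies may not use. This stands in for the per-project
# deny list from the proposal; the entries here are a constructed subset.
DEFAULT_UNACCEPTABLE = %w[GPL-2.0 GPL-3.0 AGPL-3.0 LGPL-2.1 LGPL-3.0].freeze

# Parse the report into [{ name:, version:, licenses: [...] }, ...].
# A dependency may carry several licenses, separated by commas inside a quoted field.
def parse_report(csv_text)
  CSV.parse(csv_text).map do |name, version, licenses|
    { name: name, version: version, licenses: licenses.to_s.split(',').map(&:strip) }
  end
end

# Dependencies whose license set intersects the deny list.
def license_violations(deps, unacceptable)
  deps.select { |d| (d[:licenses] & unacceptable).any? }
end

# Build the message the MR widget would show and decide whether the MR is blocked.
def check_licenses(csv_text, unacceptable = DEFAULT_UNACCEPTABLE)
  violations = license_violations(parse_report(csv_text), unacceptable)
  return { blocked: false, message: 'All licenses passed' } if violations.empty?

  detail = violations.map { |d| "#{d[:name]} (#{(d[:licenses] & unacceptable).join(', ')})" }
  { blocked: true, message: "These libraries failed licenses: #{detail.join(', ')}" }
end

# Example run over the constructed report.
puts check_licenses(SAMPLE_REPORT)[:message]
```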
Screenshots (images not included in this page): Settings, License Finder failed, License Finder passed.
Links
There are some vendors who provide this today, such as:
- LicenseFinder Gem
- Black Duck
- FOSSA
- fossology by Linux Foundation
- WhiteSource Software
- and plenty more.
Many of them offer integration into CI and repository tools, including GitLab, as well.
- VersionEye initial issue: https://gitlab.com/gitlab-org/gitlab-ee/issues/744
- GitLab Licensing Doc: https://docs.gitlab.com/ee/development/licensing.html
- https://gitlab.com/gitlab-org/gitlab-ee/blob/master/config/dependency_decisions.yml