Closed
Created Jun 06, 2017 by Joshua Lambert (@joshlambert), Maintainer. 0 of 8 tasks completed.

License Management

Description

A common need for organizations is to understand the licenses of the libraries and components they are using.

Building on, or incorporating, software that has been released under an incompatible license can expose a company to legal liability, and can also result in significant re-engineering work or even features being pulled.

We should add these features to GitLab, either by building them internally or by leveraging existing open source solutions.

Proposal

  • Check all your open source dependencies against a license whitelist and notify you about violations.
  • Support package managers, like NPM, Bundler, Composer, PIP.

Note: the first iteration is based on the license_finder gem we already use at GitLab. This will cover the following languages right out of the box: Ruby, Python, Node.js, Java, "everything covered by Bower" (JS/CSS to some extent), Swift, Objective-C, Erlang, Go. To cover other languages, we will need to iterate on this feature.

  • This feature is activated by default on all projects (for Ultimate/Gold subscribers).
  • Per project, you can deactivate the feature, and also define a list of licenses your dependencies cannot use. The list of licenses can be found here.
  • By default, a list of unacceptable copyleft licenses is loaded (https://gitlab.com/snippets/1548385).
  • On every commit in an MR, we run the license_finder gem to automatically gather license information for the project's external dependencies. We will support all the package managers already supported by this gem.
  • If a violation occurs, the MR is blocked and the user has to take action to change their license policy. We show the message: These libraries failed licenses: middleman (MIT), ...
  • If no violation occurs, we display the message: All licenses passed
  • If the merge is attempted through the CLI and we detect a license that violates our list, we display a message via git informing the user that the merge can't happen.
  • This feature is only available to instances which are EE Premium.
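The gate described in the bullets above (run the report, compare each dependency's licenses against the project's list of unacceptable licenses, emit the pass or fail message), as an added example that is not code from the original issue, from GitLab or from license_finder. The report shape (`name,version,licenses`), the sample dependencies and the denylist are constructed assumptions.

```ruby
# Added example (not GitLab's or license_finder's code): a merge-request
# license gate as the proposal describes it. Assumes a report in the
# constructed shape "name,version,licenses", with several licenses for
# one package joined by ", ", and a denylist of license names.
require 'csv'

# Constructed sample report, not real license_finder output.
SAMPLE_REPORT = <<~REPORT
  name,version,licenses
  middleman,4.2.1,MIT
  rails,5.1.1,MIT
  readline-ext,0.1.0,"GPL-2.0, Ruby"
  some-copyleft-lib,1.0.0,AGPL-3.0
REPORT

# Constructed stand-in for the default copyleft denylist the proposal loads.
DEFAULT_DENYLIST = %w[GPL-2.0 GPL-3.0 AGPL-3.0 LGPL-3.0].freeze

# Parse the report into [name, [license, ...]] pairs.
def parse_report(csv_text)
  CSV.parse(csv_text, headers: true).map do |row|
    [row['name'], row['licenses'].to_s.split(',').map(&:strip)]
  end
end

# Dependencies declaring at least one denied license (case-insensitive).
# A dual-licensed package is flagged if any of its licenses is denied;
# whether to accept the permissive alternative is a policy decision.
def license_violations(csv_text, denylist = DEFAULT_DENYLIST)
  denied = denylist.map(&:downcase)
  parse_report(csv_text).map do |name, licenses|
    bad = licenses.select { |l| denied.include?(l.downcase) }
    [name, bad] unless bad.empty?
  end.compact
end

# [passed?, message] in the wording the proposal uses; the caller blocks
# the merge when passed? is false.
def license_gate(csv_text, denylist = DEFAULT_DENYLIST)
  violations = license_violations(csv_text, denylist)
  return [true, 'All licenses passed'] if violations.empty?

  listing = violations.map { |name, bad| "#{name} (#{bad.join(', ')})" }
  [false, "These libraries failed licenses: #{listing.join(', ')}"]
end

puts license_gate(SAMPLE_REPORT).last if __FILE__ == $PROGRAM_NAME
```

In a CI job the non-zero path of `license_gate` is what would block the MR; the git-side message for CLI merges would be emitted from the same result.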
[Screenshots: Settings; License Finder failed; License Finder passed]

Links

There are some vendors who provide this today, such as:

  • LicenseFinder Gem
  • Black Duck
  • FOSSA
  • fossology by Linux Foundation
  • WhiteSource Software
  • and plenty more.

Many of them offer integration into CI and repository tools, including GitLab, as well.

  • VersionEye initial issue: https://gitlab.com/gitlab-org/gitlab-ee/issues/744
  • GitLab Licensing Doc: https://docs.gitlab.com/ee/development/licensing.html
  • https://gitlab.com/gitlab-org/gitlab-ee/blob/master/config/dependency_decisions.yml
Edited Mar 09, 2018 by Mark Pundsack