License Management (#2592) · Issues · GitLab.org / GitLab

License Management

Description

A common need for organizations is understand the licenses of the libraries and components they are using.

Building or incorporating software which has been released with an incompatible license can open a company to legal exposure, as well as result in significant re-engineering work or even features being pulled.

We should add these features into GitLab, either by internally building or leveraging existing open source solutions.

Proposal

Check all your open source dependencies against a license whitelist and notify you about violations.
Support package managers, like NPM, Bundler, Composer, PIP.

Note: the first iteration is based on the licence_finder gem we already use at GitLab. This will cover the following languages right out of the box: Ruby, Python, Node.js, Java, "everything covered by Bower" (JS/CSS to some extent), Swift, Objective-C, Erlang, go. To cover other languages, we will need to iterate on this feature.

This feature is activated by default on all projects (for Ultimate/Gold subscribers).
Per project, you can deactivate the feature, and also define a list of licenses your dependencies can not use. List of licenses can be found here.
By default a list of unacceptable copyleft licenses is loaded (https://gitlab.com/snippets/1548385)
On every commit in a MR, we run the license_finder gem to automatically find external dependencies license information of the project. We will support all the package managers already supported by this gem.
If a violation occurs, MR is blocked and user has to take action to change their License policy. we show a message These libraries failed licenses: middleman (MIT), ...
If no violation occurs, we display a message All licenses passed
If the merge is attempted through CLI and we detect a license violates our list, we display a message through git informing that the merge can’t happen.
This feature is only available to instances which are EE Premium

Settings	License Finder failed	License Finder passed

Links

There are some vendors who provider this today, such as:

LicenseFinder Gem
Black Duck
FOSSA
fossology by Linux Foundation
WhiteSource Software
and plenty more.

Many of them offer integration into CI and repository tools, including GitLab, as well.

VersionEye initial issue: https://gitlab.com/gitlab-org/gitlab-ee/issues/744
GitLab Licensing Doc: https://docs.gitlab.com/ee/development/licensing.html
https://gitlab.com/gitlab-org/gitlab-ee/blob/master/config/dependency_decisions.yml

### Description

A common need for organizations is understand the licenses of the libraries and components they are using.

We should add these features into GitLab, either by internally building or leveraging existing open source solutions.

### Proposal

* Check all your open source dependencies against a license whitelist and notify you about violations.
* Support package managers, like NPM, Bundler, Composer, PIP.

Note: the first iteration is based on the [licence_finder gem](https://github.com/pivotal/LicenseFinder) we already use at GitLab. This will cover the following languages right out of the box: Ruby, Python, Node.js, Java, "everything covered by Bower" (JS/CSS to some extent), Swift, Objective-C, Erlang, go. To cover other languages, we will need to iterate on this feature.

- [ ] This feature is activated by default on all projects (for Ultimate/Gold subscribers).
- [ ] Per project, you can deactivate the feature, and also define a list of licenses your dependencies can not use. List of licenses can be found [here](https://gitlab.com/snippets/33898).
- [ ] By default a list of unacceptable copyleft licenses is loaded (https://gitlab.com/snippets/1548385)
- [ ] On every commit in a MR, we run the `license_finder` gem to automatically find external dependencies license information of the project. We will support all the package managers [already supported](https://github.com/pivotal/LicenseFinder#activation) by this gem.
- [ ] If a violation occurs, MR is blocked and user has to take action to change their License policy. we show a message `These libraries failed licenses: middleman (MIT), ...`
- [ ] If no violation occurs, we display a message `All licenses passed`
- [ ] If the merge is attempted through CLI and we detect a license violates our list, we display a message through git informing that the merge can’t happen.
- [ ] This feature is only available to instances which are EE Premium

| Settings |  License Finder failed | License Finder passed  |
| --- | --- | --- |
| ![license-finder--setting](/uploads/38f2b789e5ea2d289e749246b6e3e575/license-finder--setting.png) | ![license-finder--licenses-tab-failed](/uploads/cabd65de956ccd468f615a275fe87d04/license-finder--licenses-tab-failed.png) | ![license-finder--licenses-tab-passed](/uploads/1984e6058393e0cd21e09b332ebc58cd/license-finder--licenses-tab-passed.png) |

### Links

There are some vendors who provider this today, such as:
* [LicenseFinder](https://github.com/pivotal/LicenseFinder) Gem
* [Black Duck](https://www.blackducksoftware.com/)
* [FOSSA](https://fossa.io/)
* [fossology](https://www.fossology.org/) by Linux Foundation
* [WhiteSource Software](https://www.whitesourcesoftware.com/)
* and plenty more.

Many of them offer integration into CI and repository tools, including GitLab, as well.

* VersionEye initial issue: https://gitlab.com/gitlab-org/gitlab-ee/issues/744
* GitLab Licensing Doc: https://docs.gitlab.com/ee/development/licensing.html
* https://gitlab.com/gitlab-org/gitlab-ee/blob/master/config/dependency_decisions.yml

Edited Mar 09, 2018 by Mark Pundsack

Discussion
Designs

License Management

Description

Proposal

Links

Linked issues