License scanning job always scans CI_PROJECT_DIR root so it only works if source code root == project root.
Summary
License Scanning (https://gitlab.com/gitlab-org/gitlab/blob/master/lib/gitlab/ci/templates/Security/License-Scanning.gitlab-ci.yml) always uses the root of CI_PROJECT_DIR, despite the scanner explicitly stating that one needs to cd into the directory of the source code to scan (https://gitlab.com/gitlab-org/security-products/analyzers/license-finder/-/blob/main/README.md). There is no way to specify another directory from which to run the scan.
Steps to reproduce
- Have a project that should be built in a subdirectory of your project root, e.g. a Maven or Gradle project in /backend.
- Try to cd backend in before_script of license_scanning.
- Try to set LICENSE_FINDER_CLI_OPTS to scan only backend.
- Watch the License scanner fail because Maven or Gradle cannot be run in the project root and the license_scanning job ignores the current working dir.
What is the current bug behavior?
The scanner always runs in CI_PROJECT_DIR.
What is the expected correct behavior?
The scanner should run in the current working dir or in a directory specified via some environment variable.
Possible fixes
Use current working dir to run scans in
License-Scanning.gitlab-ci.yml runs the following script:
script:
- /run.sh analyze .
The last parameter '.' is always ignored. This is due to the following line inside run.sh:
project_dir="${CI_PROJECT_DIR:-${@: -1}}"
which only sets project_dir to the last argument passed to run.sh if CI_PROJECT_DIR is not set. But CI_PROJECT_DIR is always set on GitLab CI, so the last argument to run.sh is always ignored and has no effect.
Changing the line to
project_dir="${@: -1}"
would fix the problem.
Add environment variable to make the directory from which license_management is run configurable
Another option is to add an environment variable, e.g. ANALYZER_TARGET_DIR (similar to the dependency scanner) to set this directory. It could fall back to CI_PROJECT_DIR if not set explicitly.
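The following shell script is an added example, not the analyzer's run.sh or the GitLab CI template. It models the current project_dir selection and both proposed fixes as small functions, then shows what directory the scanner would actually end up in for a job whose before_script has done cd backend. The sample path /builds/example-group/example-project is constructed, the variable name ANALYZER_TARGET_DIR is the issue's suggestion and is assumed here, and bash's ${@: -1} is written in the portable for-loop form so the script also runs under plain sh.

```shell
#!/bin/sh
# Added example; this is not the analyzer's run.sh or the GitLab template.
# It models the three ways of choosing the scan directory discussed above so
# the precedence can be checked against a job that does `cd backend` first.
# Paths below are constructed sample values.

# Last positional parameter, written portably (same value as bash's ${@: -1}).
last_arg() {
    for last; do :; done
    printf '%s' "$last"
}

# Current run.sh behaviour: project_dir="${CI_PROJECT_DIR:-${@: -1}}".
# CI_PROJECT_DIR takes precedence, so the trailing "." argument from the CI
# template is only consulted when the variable is unset or empty.
resolve_current() {
    # $1 = value of CI_PROJECT_DIR (may be empty), remaining args = run.sh args
    ci_project_dir="$1"; shift
    last="$(last_arg "$@")"
    printf '%s' "${ci_project_dir:-$last}"
}

# Proposed fix 1: project_dir="${@: -1}", i.e. always honour the last argument,
# so "analyze ." means the directory the job has cd'ed into.
resolve_last_arg() {
    last_arg "$@"
}

# Proposed fix 2: an explicit ANALYZER_TARGET_DIR (the variable name is the
# issue's suggestion, assumed here) falling back to CI_PROJECT_DIR.
resolve_target_dir() {
    # $1 = ANALYZER_TARGET_DIR (may be empty), $2 = CI_PROJECT_DIR
    target_dir="$1"; ci_project_dir="$2"
    printf '%s' "${target_dir:-$ci_project_dir}"
}

# Absolute directory the scanner ends up in, given the job's working directory
# and the chosen project_dir (this is where Maven/Gradle would be invoked).
effective_scan_dir() {
    cwd="$1"; dir="$2"
    case "$dir" in
        /*) printf '%s' "$dir" ;;
        .)  printf '%s' "$cwd" ;;
        *)  printf '%s/%s' "$cwd" "$dir" ;;
    esac
}

# Walk through the scenario from the issue: CI_PROJECT_DIR is always set on
# GitLab CI and before_script has done `cd backend`. The target-dir variant
# needs no cd, so it is resolved against CI_PROJECT_DIR itself.
demo() {
    project="/builds/example-group/example-project"   # constructed sample path
    cwd="$project/backend"
    echo "current:    $(effective_scan_dir "$cwd" "$(resolve_current "$project" analyze .)")"
    echo "last-arg:   $(effective_scan_dir "$cwd" "$(resolve_last_arg analyze .)")"
    echo "target-dir: $(effective_scan_dir "$project" "$(resolve_target_dir backend "$project")")"
}

demo
```

Running it prints the project root for the current behaviour and the backend subdirectory for both fixes, which is exactly the difference between the failing job and a working one.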