Licenses do not show up in Dependency List for Maven Dependencies
Summary
Currently, Maven users attempting to leverage both Dependency Scanning and License Compliance will end up with their licenses not showing in the License column on the Dependency List page.
Further details
When applying licenses to dependencies found in Dependency Scanning reports, Reports::DependencyList#apply_license compares the package names, but these don't match in the case of Maven:
- In License Scanning reports generated by license-finder, the package name is the artifact id of the Maven package.
- But in the Dependency Scanning reports generated by gemnasium-maven, the package name combines the group id and the artifact id.
def apply_license(license)
  dependencies.each do |dependency|
    next unless license.dependencies.find { |license_dependency| license_dependency.name == dependency[:name] }
    next if dependency[:licenses].find { |license_hash| license_hash[:name] == license.name }

    dependency[:licenses].push(name: license.name, url: license.url)
  end
end
For instance, in this LS report the package name is antlr.
See report excerpt
{
  "version": "2.1",
  "dependencies": [
    {
      "name": "antlr",
      "version": "2.7.7",
      "package_manager": "maven",
      "path": "pom.xml",
      "licenses": [
        "bsd"
      ]
    }
  ]
}
But in the corresponding DS report the package name is antlr/antlr.
See report excerpt
{
  "version": "14.0.0",
  "dependency_files": [
    {
      "path": "pom.xml",
      "package_manager": "maven",
      "dependencies": [
        {
          "package": {
            "name": "antlr/antlr"
          },
          "version": "2.7.7"
        }
      ]
    }
  ]
}
Steps to reproduce
https://gitlab.com/gitlab-org/security-products/tests/java-maven-multimodules/-/pipelines/322085808
Example Project
https://gitlab.com/gitlab-org/security-products/tests/java-maven-multimodules/-/dependencies
What is the current bug behavior?
This doesn't work because of how the DS report is merged with the LS report:
- LS contains artifact IDs like asm
- DS contains a combination of group IDs and artifact IDs, like asm/asm
AFAIK it simply matches "names", but this can't possibly work with Maven packages.
What is the expected correct behavior?
The LS and DS names should match in some way, shape or form, or the comparison should account for group IDs.
Possible fixes
(please keep the order unchanged since these possible fixes are referenced by number)
1. change apply_licenses! to extract the artifact id from the name found in the DS report, and compare it to names found in the LS report
2. change license-finder so that names of Maven packages match what we have in the DS reports; it should be groupId/artifactId
3. change the reports and the analyzers to accurately report the artifact id and the group id in separate JSON fields, and use these fields in the Rails backend when applying the licenses; this involves changing the LS report schema, the DS report schema, license-finder analyzer, gemnasium-maven, and the backend
Implementation plan
Note: before following the implementation plan, first check to see if this issue is solved by Implement License Scanning SBOM scanner (#384932 - closed). Take a look at this comment for more details.
- In apply_licenses! change the comparison of names:
  - Check that the last part of dependency[:name], split on /, matches license_dependency.name.
  - Compare license_dependency.package_manager with dependency.package_manager.
- Add a regression test to cover the maven case.
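To make the mismatch described under "Further details" and the comparison proposed in the implementation plan concrete, here is an added stand-alone Ruby example; it is not GitLab's code. It models DS dependencies as hashes (`:name`, `:package_manager`, `:licenses`) and LS licenses as small structs, runs the current exact-name comparison and the proposed "last `/` segment plus package manager" comparison over constructed antlr/asm/rails data, and reports which licenses each dependency ends up with. The `names_match_exact?` / `names_match_proposed?` helpers, the `licenses_by_dependency` reporter, the MIT/rails and npm entries, and the URLs are constructed for the example and do not appear in the issue.

```ruby
# Added example, not GitLab's code: why exact name matching loses Maven licenses,
# and how the proposed "last segment after '/' + same package manager" comparison fixes it.

LicenseDependency = Struct.new(:name, :package_manager, keyword_init: true)
License = Struct.new(:name, :url, :dependencies, keyword_init: true)

# Constructed DS-side entries, shaped like the dependencies the DependencyList report
# builds from gemnasium-maven output: Maven names are "groupId/artifactId".
# The npm entry is constructed to show why the package_manager check matters:
# scoped npm names also contain '/'.
def sample_dependencies
  [
    { name: "antlr/antlr",  version: "2.7.7", package_manager: "maven",   licenses: [] },
    { name: "asm/asm",      version: "3.3.1", package_manager: "maven",   licenses: [] },
    { name: "rails",        version: "6.1.0", package_manager: "bundler", licenses: [] },
    { name: "@scope/antlr", version: "1.0.0", package_manager: "npm",     licenses: [] },
  ]
end

# Constructed LS-side data, shaped like license-finder output: Maven names are the
# artifact id only ("antlr", "asm"), which is the root cause of the mismatch.
def sample_licenses
  [
    License.new(name: "bsd", url: "https://opensource.org/licenses/BSD-3-Clause",
                dependencies: [
                  LicenseDependency.new(name: "antlr", package_manager: "maven"),
                  LicenseDependency.new(name: "asm",   package_manager: "maven"),
                ]),
    License.new(name: "MIT", url: "https://opensource.org/licenses/MIT",
                dependencies: [LicenseDependency.new(name: "rails", package_manager: "bundler")]),
  ]
end

# Current behaviour: exact equality of the two names.
def names_match_exact?(dependency, license_dependency)
  license_dependency.name == dependency[:name]
end

# Proposed behaviour (implementation plan): the last '/'-separated segment of the DS
# name must equal the LS name, and both sides must come from the same package manager.
def names_match_proposed?(dependency, license_dependency)
  return false unless license_dependency.package_manager == dependency[:package_manager]

  dependency[:name].split("/").last == license_dependency.name
end

# Same shape as the report's apply_license, with the comparison made pluggable.
# Mutates the dependency hashes in place, like the original.
def apply_license(dependencies, license, matcher)
  dependencies.each do |dependency|
    next unless license.dependencies.find { |license_dependency| matcher.call(dependency, license_dependency) }
    next if dependency[:licenses].find { |license_hash| license_hash[:name] == license.name }

    dependency[:licenses].push(name: license.name, url: license.url)
  end
end

# Applies every sample license with the given matcher and returns
# { dependency name => [license names] } for inspection.
def licenses_by_dependency(matcher)
  dependencies = sample_dependencies
  sample_licenses.each { |license| apply_license(dependencies, license, matcher) }
  dependencies.to_h { |dep| [dep[:name], dep[:licenses].map { |l| l[:name] }] }
end

if __FILE__ == $PROGRAM_NAME
  puts "exact:    #{licenses_by_dependency(method(:names_match_exact?))}"
  puts "proposed: #{licenses_by_dependency(method(:names_match_proposed?))}"
end
```

With the exact comparison the two Maven dependencies end up with an empty license list, which is exactly the blank License column the summary describes, while rails still matches. With the proposed comparison both Maven dependencies receive "bsd", and the constructed npm package whose last segment is also "antlr" is correctly left alone because its package manager differs; that second check is what keeps the relaxed name comparison from attributing licenses across ecosystems.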