Implement a Whitelist approach to the License-Check rule.


Note to wider-community, sales, support and customer success

As always, we welcome contributions, so feel free to ask questions of the PM of Composition Analysis if you are unsure about what needs to be done here and want to contribute the fix yourself!

NOTE: if you are a user who would also like to see this feature, please UPVOTE 👍 it and comment to help it get prioritized (so it is raised as part of our sensing mechanisms). Comments ideally should include what you want, how it would help you, what your pain point/frustration is today, and anything else that can help us focus on solving the problem.

If you are a team member commenting on behalf of a user (not ideal, as you can only upvote once!), please remember to upvote and include as much information (what they are trying to solve for, their setup) as possible, in addition to a Salesforce or Zendesk link.

Proposal

Currently, the implementation of the License-Check rule will only require an approval if a certain license was found on the decline list or when the license report was not generated. Although this is helpful, it does not satisfy our business needs since new licenses can continuously pop up and we want to be proactive about preventing dependencies with these licenses from getting into our code. The current blacklist approach is reactive (and is generally not a recommended security practice).

My suggestion is to have the option of using a whitelist approach when requiring an approval. In other words, if there is any license that is not "Allowed", then an approval would be required. Additionally, it would be beneficial to have the option of including/excluding "unknown" from this whitelist. Our team specifically wants to require an approval whenever there is an "unknown" license. This is part of our legal obligations; we need to investigate every dependency with an "unknown" license to make sure it's ok to use.

Current conditions that would require an approval:

  • Contains a dependency that includes a software license that is denied.
  • Is not generated during pipeline execution.

Suggested conditions that would require an approval:

  • Contains a dependency that includes a software license that is denied.
  • Is not generated during pipeline execution.
  • Contains a dependency that includes a software license that is not on the approved list.
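To make the difference between the current deny-list conditions and the proposed allow-list conditions concrete, here is an added example (not GitLab's code, and not part of this issue) that evaluates a license report against both kinds of policy. The report shape, the policy keys (`:mode`, `:list`, `:require_approval_for_unknown`) and the dependency names are all constructed for illustration, not GitLab's real schema or settings; the `require_approval_for_unknown` flag models the "include/exclude unknown from the whitelist" option described above.

```ruby
require 'json'

# Constructed sample report (simplified shape, NOT GitLab's exact report schema):
# each dependency lists the license identifiers detected for it.
SAMPLE_REPORT = JSON.generate(
  'dependencies' => [
    { 'name' => 'left-pad',   'version' => '1.3.0', 'licenses' => ['MIT'] },
    { 'name' => 'copyleft-x', 'version' => '2.0.0', 'licenses' => ['GPL-3.0'] },
    { 'name' => 'mystery',    'version' => '0.1.0', 'licenses' => ['unknown'] },
    { 'name' => 'newcomer',   'version' => '4.2.0', 'licenses' => ['BSL-1.1'] }
  ]
)

UNKNOWN = 'unknown'.freeze

# Evaluate one license report against a policy and return the reasons an
# approval is required (an empty array means no approval is needed).
#
# Policy keys (hypothetical names, not GitLab settings):
#   :mode                         - :denylist (current behaviour) or :allowlist (proposed)
#   :list                         - license identifiers on the deny list or the allow list
#   :require_approval_for_unknown - true: "unknown" always requires approval;
#                                   false: "unknown" is treated as allowed
def approval_reasons(report_json, policy)
  # Shared condition: a report that was not generated always requires approval.
  return ['license report was not generated'] if report_json.nil?

  deps = JSON.parse(report_json).fetch('dependencies', [])
  list = policy.fetch(:list).map(&:downcase)
  reasons = []

  deps.each do |dep|
    dep.fetch('licenses', []).each do |lic|
      id = lic.downcase
      label = "#{dep['name']}@#{dep['version']} (#{lic})"

      # "unknown" is handled independently of the list so it can be opted in or out.
      if id == UNKNOWN
        reasons << "unknown license: #{label}" if policy[:require_approval_for_unknown]
        next
      end

      case policy.fetch(:mode)
      when :denylist
        # Reactive: only licenses explicitly denied trigger approval.
        reasons << "denied license: #{label}" if list.include?(id)
      when :allowlist
        # Proactive: anything not explicitly approved triggers approval,
        # so a newly appearing license is caught without a policy update.
        reasons << "license not on approved list: #{label}" unless list.include?(id)
      else
        raise ArgumentError, "unsupported policy mode #{policy[:mode].inspect}"
      end
    end
  end

  reasons
end

def approval_required?(report_json, policy)
  !approval_reasons(report_json, policy).empty?
end

# Current behaviour: only GPL-3.0 is denied; "unknown" and the new BSL-1.1 slip through.
CURRENT_POLICY = { mode: :denylist, list: ['GPL-3.0'], require_approval_for_unknown: false }.freeze
# Proposed behaviour: anything not explicitly approved, plus "unknown", requires approval.
PROPOSED_POLICY = { mode: :allowlist, list: ['MIT', 'Apache-2.0'], require_approval_for_unknown: true }.freeze

if __FILE__ == $PROGRAM_NAME
  [['current', CURRENT_POLICY], ['proposed', PROPOSED_POLICY]].each do |name, policy|
    puts "#{name} policy: approval required? #{approval_required?(SAMPLE_REPORT, policy)}"
    approval_reasons(SAMPLE_REPORT, policy).each { |r| puts "  - #{r}" }
  end
end
```

Against the constructed report, the deny-list policy flags only the GPL-3.0 dependency, while the allow-list policy flags GPL-3.0, the never-seen-before BSL-1.1 and the "unknown" dependency, which is exactly the proactive behaviour the proposal asks for; a missing report requires approval under both.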

Related Support Ticket

https://support.gitlab.com/hc/requests/224464
