Discovery: air-gapped (offline) support for License Compliance
Problem to solve
Our License Compliance feature currently requires internet connectivity when run with the standard configuration. We should support offline execution and provide clear documentation on how to configure it for such installations.
Intended users
Proposal
From comment in parent epic:
Looking at the source code, LicenseFinder is usually able to extract the license from the local package, as in bundler.rb. This is not the case for Python, though: LicenseFinder performs a GET request to pypi.org to fetch package metadata, see pip.rb.
We need to go through all the supported languages and define whether or not they support air-gapped execution, how to do it, and if not, what we can do to make it work (in our wrapper project or in the upstream project).
Conclusion
I created this project to test out each of the package managers so that I can go in depth where needed.
I have identified the following issues that need further investigation:
- Rebar: rebar3 is not supported.
- Gradle: Requires that the project have a plugin installed. #202126 (closed)
- Maven: Uses a plugin to download missing license info at scan time.
- sbt: Depends on a plugin being installed in the project settings.
The following project types are currently not air-gap friendly:
- Cargo: requires the --offline flag.
- Gradle: plugin appears to download license info at scan time.
- Maven: plugin appears to download license info at scan time.
- Nuget: The current core requires that the dependencies are installed under the project root; otherwise it looks air-gap friendly. We need to add a -PackagesDirectory /code/packages to here.
- Pip: Depends on the pypi.org API at scan time. I don't have a solution to this problem. I started some analysis on building an offline index.
- sbt: plugin appears to download licenses at scan time.
What is the type of buyer?
GitLab Ultimate users
Links / references
End Result
Blocked; the alternate idea is to look at the alternate scanners epic.