
Match and display policies to licenses that are already detected in a project

Problem to solve

Problem: there is no clear way to tell if licenses detected in the project are in compliance with the policies defined.

Context: this issue is based on discovery work done in https://gitlab.com/gitlab-org/gitlab-ee/issues/12941 and is a follow up to #14061 (closed). Users can see licenses in a project (per scanning) and policies (per admin classifying license) separately, but not how they relate to each other. For example, in the policies section, a user may see that an LPL 1.2 license is denied, but if that same license is detected in a project, the user wouldn't know it's denied unless matching the lists (detected/policy) manually.

📽 view walkthrough with context and iteration

Intended users

Further details

Jobs to be done
  • User who is responsible for compliance: When my organization has policies for licenses, I want to be aware of my company's policies, so I can make sure my project's licenses comply with my organization's requirements.
  • User who is accountable for compliance: When I need to enforce our organization's license restrictions, I want to be able to view them and define policies, so that I can ensure a project's compliance.

Proposal ideation

If policies have been created for a project, match them against the licenses detected in that project. Display the matching license classification (the policy) next to each license in the "detected in project" list.

Iteration iv: UX ready for development


Iteration iii feedback:
  • Likes version ii, surfacing licenses to the top
  • Banner is helpful; but update copy to present tense
  • Consider version iii later

Iteration ii feedback from UX team review and SCA team review:

  • Consider creating additional columns for the violation
  • Better display why a license is being surfaced
  • Explore using the blue and/or green value for the background
  • There may be labels with text and icon in the library to use for policy violations
  • Let's look at how to identify where/when this was found, to show later. Related: the audit log, or maybe we can leverage git blame.
  • Need to solve the problem of finding the particular dependency correlated with the MR
  • Ideally we'd have the name/version of all the dependencies and would know the MR where each was introduced
Old iteration: scoped down
Developer UI (design update in progress)
Developer UI and Maintainer UI
  • De-scoped due to de-prioritization: removed the user's ability to add a policy to an existing license

Permissions and Security

  • Developers may view policies, but can't adjust them
  • Public projects policy section is not visible to non-project participants (#33659 (closed))

Documentation

..

Testing

ToDo

What does success look like, and how can we measure that?

  • Developer lands on the page and can determine whether there are denied licenses that exist in the project

What is the type of buyer?

Ultimate

Links / references

Implementation Plan

Backend

  • Combine licenses from the latest scan report with the policies configured for the project.
  • Serve the combined licenses from the /projects/-/licenses.json endpoint.
  • Add order_by filter to sort by classification. #213592 (closed)
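The backend steps above describe a join between the scan report and the policy list followed by a sort. The following Ruby is an added illustration of that join, not GitLab's implementation: the report and policy shapes, the field names, the `unclassified` default, and the `order_by` values are all assumptions. It matches on SPDX id first and falls back to a case-insensitive name match, and it sorts so that denied licenses surface at the top (the behaviour iteration ii was praised for).

```ruby
require 'json'

# Constructed sample of licenses from the latest scan report (assumed shape,
# not the real report schema). Dependencies are kept so the UI can show why
# a license is surfaced.
DETECTED_LICENSES = [
  { name: 'MIT License', spdx_id: 'MIT', dependencies: ['rails'] },
  { name: 'Apache 2.0', spdx_id: 'Apache-2.0', dependencies: ['grpc'] },
  { name: 'LGPL 2.1', spdx_id: 'LGPL-2.1', dependencies: ['some-gem'] },
  { name: 'GPL 3.0', spdx_id: 'GPL-3.0', dependencies: ['other-gem'] }
].freeze

# Constructed sample of the project's license policies (assumed shape).
# A policy may carry only a display name, so matching falls back to the name.
LICENSE_POLICIES = [
  { name: 'MIT License', spdx_id: 'MIT', classification: 'allowed' },
  { name: 'Apache License 2.0', spdx_id: 'Apache-2.0', classification: 'allowed' },
  { name: 'lgpl 2.1', spdx_id: nil, classification: 'denied' }
].freeze

# Sort rank: denied licenses first, then allowed, then anything without a policy.
CLASSIFICATION_RANK = { 'denied' => 0, 'allowed' => 1, 'unclassified' => 2 }.freeze

def normalize(value)
  value.to_s.strip.downcase
end

# Attach a classification to every detected license. Licenses that have no
# matching policy are reported as 'unclassified' rather than dropped, and
# policies for licenses that were not detected do not appear at all: the
# result is still the "detected in project" list.
def merge_licenses(detected, policies)
  by_spdx = {}
  by_name = {}
  policies.each do |policy|
    by_spdx[normalize(policy[:spdx_id])] = policy[:classification] if policy[:spdx_id]
    by_name[normalize(policy[:name])] = policy[:classification]
  end

  detected.map do |license|
    classification = by_spdx[normalize(license[:spdx_id])] ||
                     by_name[normalize(license[:name])] ||
                     'unclassified'
    license.merge(classification: classification)
  end
end

# order_by: 'classification' surfaces violations first; anything else sorts by name.
def order_licenses(licenses, order_by)
  if order_by == 'classification'
    licenses.sort_by { |l| [CLASSIFICATION_RANK.fetch(l[:classification], 99), normalize(l[:name])] }
  else
    licenses.sort_by { |l| normalize(l[:name]) }
  end
end

# Shape of a hypothetical licenses.json response body.
def licenses_json(detected, policies, order_by: 'classification')
  JSON.generate({ licenses: order_licenses(merge_licenses(detected, policies), order_by) })
end

puts licenses_json(DETECTED_LICENSES, LICENSE_POLICIES) if $PROGRAM_NAME == __FILE__
```

The name fallback is what lets a policy entered as "lgpl 2.1" by an admin still flag the "LGPL 2.1" the scanner reports; the SPDX match is tried first because display names for the same license vary between scanners far more than SPDX ids do.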

UX

Frontend - person

Documentation - person

Product Management - @NicoleSchwartz

Edited by mo khan