Use License Scanning Service in License Compliance page

Why are we doing this work

The backend needs to be changed so that the License Compliance page uses the License Scanning Service.

Further details

The License Compliance page is handled by LicensesController#index, which uses SCA::LicenseCompliance and Pipeline#license_scanning_report.

The other controller actions are used to create and update license policies, and they don't need to be updated.

Proposal 1

Change Pipeline#license_scanning_report so that it gets a Ci::Reports::LicenseScanning::Report using the LicenseScanningService. The LicenseScanningService is initialized with the pipeline and its project.

Also, change Project#license_compliance so that it no longer relies on latest_pipeline_with_reports to get the default value for its argument. Instead, make LicenseScanningService responsible for finding the latest pipeline that provides the data it needs.

Proposal 2

Update LicenseCompliance#license_scanning_report so that it gets a Ci::Reports::LicenseScanning::Report using the LicenseScanning::ExportReportService class.

  1. Create an ExportReportService class inside ee/app/services/license_scanning/export_report_service.rb. The ExportReportService is initialized with the pipeline and its project.
  2. Update SCA::LicenseCompliance#license_scanning_report so that it fetches the report using LicenseScanning::ExportReportService#execute.

Relevant links

Technical evaluation: #377688 (comment 1133318031)

Non-functional requirements

  • Documentation:
  • Feature flag:
  • Performance:
  • Testing:

Implementation plan

  1. Update the Pipeline#license_scanning_report method so that it returns a Ci::Reports::LicenseScanning::Report using the ::Gitlab::LicenseScanning::ArtifactScanner class.
    • This will require a public method on the class, #report, that fetches the report.
  2. Change Project#license_compliance so that it no longer relies on latest_pipeline_with_reports to get the default value for its argument. Make the ::Gitlab::LicenseScanning::BaseScanner interface responsible for finding the latest pipeline that provides the data it needs. This method should be named in a manner that omits "reports", e.g. #latest_pipeline.
    • The name purposefully omits "reports" so that the data source is abstracted away, since the data can come from either SBoM component licenses or an artifact.
    • Using a method within the ::Gitlab::LicenseScanning::BaseScanner interface has the advantage of keeping the feature flag logic within one area.
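The following is an added illustration of the shape that Proposal 1 and the implementation plan describe: a scanner that is initialized with the pipeline and its project, that owns the "which pipeline has the data" decision (a method deliberately not called latest_pipeline_with_reports), and that keeps the feature-flag choice between the artifact and the SBoM data source in one place. It is not GitLab's code. The Artifact, Component, Pipeline, Project and LicenseReport classes are stand-ins for the real models, FEATURE_FLAGS stands in for Feature.enabled?, the SbomScanner name, the for_project, has_data? and populate methods, and the "license,dependency" artifact line format are all assumptions made for this example.

```ruby
require 'set'

# Stand-ins for the GitLab models named in the plan (assumptions, not GitLab code).
Artifact  = Struct.new(:file_type, :content) # content: "license,dependency" per line (constructed)
Component = Struct.new(:name, :licenses)     # SBoM component with its licenses
Pipeline  = Struct.new(:id, :artifacts, :components)

# Stand-in for Ci::Reports::LicenseScanning::Report: license name -> dependencies.
class LicenseReport
  def initialize
    @licenses = Hash.new { |h, k| h[k] = Set.new }
  end

  def add(license, dependency)
    @licenses[license] << dependency
  end

  def license_names
    @licenses.keys.sort
  end

  def dependencies_for(license)
    @licenses[license].to_a.sort
  end
end

module LicenseScanning
  # Stand-in for Feature.enabled?; flipping it switches the data source.
  FEATURE_FLAGS = { license_scanning_sbom_scanner: false }

  # The scanner owns both "which pipeline" and "which data source", so the flag branching lives here only.
  class BaseScanner
    attr_reader :project, :pipeline

    def self.for_project(project, pipeline = nil)
      scanner = FEATURE_FLAGS[:license_scanning_sbom_scanner] ? SbomScanner : ArtifactScanner
      scanner.new(project, pipeline)
    end

    def initialize(project, pipeline = nil)
      @project = project
      @pipeline = pipeline || latest_pipeline
    end

    # Deliberately not latest_pipeline_with_reports: callers do not know whether data is an artifact or SBoM.
    def latest_pipeline
      project.pipelines.find { |candidate| has_data?(candidate) } # pipelines are newest first
    end

    def report
      LicenseReport.new.tap { |r| populate(r, pipeline) if pipeline }
    end
  end

  class ArtifactScanner < BaseScanner
    def has_data?(pipeline)
      pipeline.artifacts.any? { |a| a.file_type == :license_scanning }
    end

    def populate(report, pipeline)
      pipeline.artifacts.select { |a| a.file_type == :license_scanning }.each do |artifact|
        artifact.content.each_line do |line|
          license, dependency = line.strip.split(',', 2)
          report.add(license, dependency) if license && dependency
        end
      end
    end
  end

  class SbomScanner < BaseScanner
    def has_data?(pipeline)
      pipeline.components.any?
    end

    def populate(report, pipeline)
      pipeline.components.each { |c| c.licenses.each { |l| report.add(l, c.name) } }
    end
  end
end

class Project
  attr_reader :pipelines

  def initialize(pipelines)
    @pipelines = pipelines.sort_by { |p| -p.id } # newest first
  end

  # Mirrors the proposed Project#license_compliance: the scanner, not latest_pipeline_with_reports, picks the default.
  def license_compliance(pipeline = nil)
    LicenseScanning::BaseScanner.for_project(self, pipeline)
  end
end

# Constructed sample: newest pipeline has only SBoM components, the next a license-scanning artifact, the oldest neither.
def sample_project
  Project.new([
    Pipeline.new(1, [], []),
    Pipeline.new(2, [Artifact.new(:license_scanning, "MIT,rails\nApache-2.0,nokogiri\nMIT,rake\n")], []),
    Pipeline.new(3, [], [Component.new('openssl', ['Apache-2.0'])])
  ])
end

scanner = sample_project.license_compliance
puts "pipeline #{scanner.pipeline.id}: #{scanner.report.license_names.join(', ')}"
```

With the flag off, the artifact scanner skips pipeline 3 (no artifact) and resolves pipeline 2; with the flag on, the SBoM scanner resolves pipeline 3 instead, and the caller never has to know which kind of data it was looking for.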

Verification steps

SET to review the existing E2E tests and update them if required for functional testing, being mindful of shifting left where lower-level tests already cover the behaviour.

Edited by Oscar Tovar