Use License Scanning Scanner in License Compliance MR widget
Why are we doing this work
The backend needs to be changed so that the License Compliance widget of the Merge Request page uses the License Scanning Service.
NOTE: Refreshing the MR approvers is covered by Use License Scanning scanner class when refresh... (#377420 - closed).
Further details
The License Compliance MR widget is handled by MergeRequestsController#license_scanning_reports and MergeRequestsController#license_scanning_reports_collapsed. These rely on CompareLicenseScanningReportsService, CompareLicenseScanningReportsCollapsedService, and Gitlab::Ci::Reports::LicenseScanning::ReportsComparer. Ultimately they delegate to SCA::LicenseCompliance#diff_with, which delegates to LicenseScanning::Report#diff_with.
Proposal
Same as #378085 (closed): Pipeline#license_scanning_report gets a Ci::Reports::LicenseScanning::Report from the LicenseScanningService.
Relevant links
Technical evaluation:
- MergeRequestsController: #377688 (comment 1133112249)
- LicenseScanning::ReportComparer: #377688 (comment 1133305069)
- #diff_with: #377688 (comment 1133580426)
Non-functional requirements
- Documentation: -
- Feature flag: -
- Performance: -
- Testing: See the Testing section.
Implementation plan
- Create a method in the new license scanning scanner interface: #scan_completed?
  - This will replace the direct usage of pipeline.license_scan_completed? in the MergeRequest compare license scanning reports methods.
- Update MergeRequest#has_denied_policies? so that it calls this new method instead of MergeRequest#has_license_scanning_reports?. The previous method can also be removed since it is no longer in use.
- Update MergeRequest#compare_license_scanning_reports and MergeRequest#compare_license_scanning_reports_collapsed so that they call the new #scan_completed? method.
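The following is an added illustration of the shape of that refactor. It is not GitLab's code: LicenseReport, Pipeline, LicenseScanner, LicenseCompliance and the MergeRequest shown here are hypothetical stand-ins for the classes the plan names, reduced to the one behaviour the plan changes, namely that every "is the report ready?" check goes through the scanner's #scan_completed? instead of pipeline.license_scan_completed?, and that has_denied_policies? cannot report a denied policy before the scan has completed.

```ruby
require 'set'

# Stand-in for Ci::Reports::LicenseScanning::Report: the set of license
# identifiers a scan found. Hypothetical, for illustration only.
LicenseReport = Struct.new(:licenses) do
  # Licenses present in `other` but absent here (what an MR introduces),
  # and licenses present here but absent in `other` (what it removes).
  def diff_with(other)
    { added: other.licenses - licenses, removed: licenses - other.licenses }
  end
end

# Stand-in for a CI pipeline; `license_report` is nil until the job finishes.
Pipeline = Struct.new(:license_report)

# Stand-in for the new scanner interface wrapping the LicenseScanningService.
class LicenseScanner
  def initialize(pipeline)
    @pipeline = pipeline
  end

  # The method the issue proposes: callers ask the scanner, not the pipeline,
  # whether a report is available.
  def scan_completed?
    !@pipeline.license_report.nil?
  end

  # Empty report when nothing has been scanned yet, so diffs stay well-defined.
  def report
    @pipeline.license_report || LicenseReport.new([])
  end
end

# Stand-in for the project's license policies (cf. SCA::LicenseCompliance).
class LicenseCompliance
  def initialize(denied:)
    @denied = Set.new(denied)
  end

  def denied_in(licenses)
    licenses.select { |name| @denied.include?(name) }
  end
end

# Stand-in for MergeRequest after the refactor.
class MergeRequest
  PARSING = { status: :parsing }.freeze

  def initialize(base_pipeline:, head_pipeline:, compliance:)
    @base_scanner = LicenseScanner.new(base_pipeline)
    @head_scanner = LicenseScanner.new(head_pipeline)
    @compliance = compliance
  end

  # Full widget payload. Before the refactor this tested
  # pipeline.license_scan_completed? directly.
  def compare_license_scanning_reports
    return PARSING unless @head_scanner.scan_completed?

    diff = @base_scanner.report.diff_with(@head_scanner.report)
    {
      status: :parsed,
      new_licenses: diff[:added],
      removed_licenses: diff[:removed],
      denied: @compliance.denied_in(diff[:added])
    }
  end

  # Collapsed widget: only the counts, behind the same readiness check.
  def compare_license_scanning_reports_collapsed
    result = compare_license_scanning_reports
    return result if result[:status] == :parsing

    { status: :parsed, new_licenses: result[:new_licenses].size,
      denied: result[:denied].size }
  end

  # Replaces has_license_scanning_reports? as the guard: an MR must not be
  # blocked on policies until the head scan has actually completed.
  def has_denied_policies?
    return false unless @head_scanner.scan_completed?

    compare_license_scanning_reports[:denied].any?
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample data: the MR adds a GPL dependency and drops an Apache one.
  policies = LicenseCompliance.new(denied: %w[GPL-3.0-only])
  base = Pipeline.new(LicenseReport.new(%w[MIT Apache-2.0]))
  head = Pipeline.new(LicenseReport.new(%w[MIT GPL-3.0-only]))
  mr = MergeRequest.new(base_pipeline: base, head_pipeline: head, compliance: policies)
  puts mr.compare_license_scanning_reports.inspect
  puts "denied policies: #{mr.has_denied_policies?}"
end
```

The point worth keeping from the example is the ordering of checks: the readiness question is asked once, of the scanner, and both widget payloads and the policy gate derive from that same answer, so a half-finished pipeline can neither show stale results nor block or unblock the MR prematurely.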
Testing
- Add unit tests for the new #scan_completed? method.
- Ensure that the existing spec for the MergeRequest class passes.
Verification steps
- Set up a project with license scanning.
- Set up some allowed and denied policies for the project.
- Open an MR that introduces new dependencies in the project. The dependencies should include at least one allowed and one denied license. Once the license scanning job finishes, ensure the following:
  - The License Compliance MR widget displays the allowed policies.
  - The License Compliance MR widget displays the denied policies.