Fallback to License Scanning SBOM Scanner when no License Scanning artifacts
Why are we doing this work
In order to roll out the new License Scanning SBOM Scanner without impacting projects where the legacy License Scanning has been configured (i.e. License Scanning CI template is included), the SBOM Scanner should be used as a fallback when the project pipeline has no License Scanning artifacts.
Users who want to try out the new License Scanning SBOM Scanner should then update their CI configuration as follows:
- Include the Dependency Scanning CI template if it's missing.
- Remove the License Scanning CI template.
See #384936 (comment 1232242999)
Proposal
Fallback logic in `LicenseScanning.scanner_for_project`:
- Initialize an `ArtifactScanner` and return it if `Feature.enabled?(:license_scanning_sbom_scanner)` returns `false`.
- Get `ArtifactScanner.latest_pipeline` for the project.
- If it returns no pipeline, then return a `SbomScanner`.
- Else:
  - Get `SbomScanner.latest_pipeline` for the project.
  - Compare dates or sequential IDs of the two pipelines.
  - If the artifact-based pipeline is more recent, then return an `ArtifactScanner`.
  - Else return a `SbomScanner`.
Fallback logic in `LicenseScanning.scanner_for_pipeline`:
- Initialize an `ArtifactScanner` and return it if `Feature.enabled?(:license_scanning_sbom_scanner)` returns `false`.
- Return the `ArtifactScanner` if it `has_data?`.
- Else return a `SbomScanner`.
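The two fallback paths above, as an added Ruby illustration that is not GitLab's own code. `Feature`, `Pipeline` and the two scanner classes are minimal stand-ins with assumed shapes (a project is a hash of pipelines; recency is compared by sequential ID) so the selection logic runs stand-alone:

```ruby
# Added illustration of the proposed fallback selection, not GitLab's own code.
# Feature, Pipeline and the two scanner classes are minimal stand-ins with
# assumed shapes so that the selection logic can run stand-alone.
Pipeline = Struct.new(:id, :has_license_artifacts, :has_sbom)

module Feature
  @flags = {}
  def self.enable(name)  ; @flags[name] = true  ; end
  def self.disable(name) ; @flags[name] = false ; end
  def self.enabled?(name); @flags.fetch(name, false); end
end

class ArtifactScanner
  def initialize(pipeline = nil); @pipeline = pipeline; end
  # Most recent pipeline that produced a legacy License Scanning report.
  def self.latest_pipeline(project)
    project[:pipelines].select(&:has_license_artifacts).max_by(&:id)
  end
  def has_data?; !@pipeline.nil? && @pipeline.has_license_artifacts; end
end

class SbomScanner
  # Most recent pipeline that produced an SBOM (Dependency Scanning).
  def self.latest_pipeline(project)
    project[:pipelines].select(&:has_sbom).max_by(&:id)
  end
end

module LicenseScanning
  FLAG = :license_scanning_sbom_scanner
  def self.scanner_for_project(project)
    return ArtifactScanner.new unless Feature.enabled?(FLAG)
    artifact_pipeline = ArtifactScanner.latest_pipeline(project)
    return SbomScanner.new if artifact_pipeline.nil?
    sbom_pipeline = SbomScanner.latest_pipeline(project)
    # Sequential IDs stand in for recency; assumption: with no SBOM pipeline at all, the artifact one wins.
    if sbom_pipeline.nil? || artifact_pipeline.id > sbom_pipeline.id
      ArtifactScanner.new(artifact_pipeline)
    else
      SbomScanner.new
    end
  end
  def self.scanner_for_pipeline(pipeline)
    scanner = ArtifactScanner.new(pipeline)
    return scanner unless Feature.enabled?(FLAG)
    scanner.has_data? ? scanner : SbomScanner.new
  end
end
```

Note that a tie on pipeline ID (both reports from the same pipeline) selects the `SbomScanner`, matching the "else" branch of the proposal.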
Relevant links
Implementation plan
- Update `::Gitlab::LicenseScanning.scanner_for_project` and add specs.
- Update `::Gitlab::LicenseScanning.scanner_for_pipeline` and add specs.
Verification steps
- Set up License Scanning (LS) and Dependency Scanning in a project.
- Identify differences between the license info provided by:
  - the legacy implementation: `license-scanning` job (Artifact Scanner)
  - the new implementation using SBOMs and the License DB (SBOM Scanner)
- Enable the feature flag for the SBOM Scanner for that project.
- Create an MR that targets the default branch.
- Check all license features. License info comes from LS artifacts.
  - Check the License Compliance page.
  - Check the Licenses tab of the pipeline page.
  - Check the MR page. There's no diff in the licenses.
- In the MR, remove License Scanning from the CI config.
- Check the MR page.
  - License info for the source branch comes from the SBOMs.
  - There's a diff in the licenses because it's compared with license info coming from LS artifacts.
- Merge the MR into the default branch.
- Check the License Compliance page.
  - License info comes from the SBOMs.
Edited by Oscar Tovar