Skip to content

[Feature flag] Rollout of `license_scanning_sbom_scanner`

Summary

This issue is to rollout the feature on production, that is currently behind the license_scanning_sbom_scanner feature flag.

Links

Feature flag cleanup issue: #385176 (closed)

Main feature issue: Implement License Scanning SBOM scanner (#384932 - closed)

Main doc issue: Document new License Scanning SBOM Scanner (#388439 - closed)

Release post: https://about.gitlab.com/releases/2023/02/22/gitlab-15-9-released/#new-license-compliance-scanner

Release post MR: gitlab-com/www-gitlab-com!119232 (merged)

Glossary

  • LS: license scanning
  • DS: dependency scanning

Owners

Stakeholders

Expectations

What are we expecting to happen?

The new license scanning feature is working as expected and we provide results similar or better than the current feature.

As testing the feature is dependent on having corresponding package metadata in the rails DB, we'll test these separately depending on the sync status, which can be checked in #390836 (closed)

The suggested approach to test this is to copy the corresponding test projects from https://gitlab.com/gitlab-org/security-products/tests/ into the staging environment: https://staging.gitlab.com/secure-team-test. We need to create 2 variations of each project:

  • with the old license_scanning job
  • without the old license_scanning job (needs DS job to export SBOM)

See examples here: #385173 (comment 1289821222)

To help with testing, please add your name below once you picked up a language, open a dedicated thread in this issue to share the results and link it from here.

Package type/ manager test thread status tester Issues
composer #385173 (comment 1292017303) @hacks4oats
conan #385173 (comment 1291778732) @brytannia
rubygem - bundler #385173 (comment 1289821222) @brytannia
golang #385173 (comment 1291896813) @nilieskou
maven #385173 (comment 1291828439) @nilieskou #393568 (closed)
gradle #385173 (comment 1296541758) @nilieskou #393568 (closed)
sbt #385173 (comment 1297572195) @brytannia #393568 (closed)
npm - npm #385173 (comment 1291828439) @hacks4oats
npm - Yarn #385173 (comment 1298486413) @nilieskou
nuget #385173 (comment 1291900848) @hacks4oats #393572 (closed)
pypi - setuptools
pypi - pipenv #385173 (comment 1296823080) @nilieskou #393517 (closed)
pypi - poetry #385173 (comment 1298689001) @nilieskou
pypi - pip #385173 (comment 1298652205) @nilieskou #393517 (closed)

Names and URLs

At the momemt the new implementation of License Scanning only provides the SPDX identifiers of the detected licenses, whereas the old implementation also provides the names and the URLs. This limitation is visible on both the License Compliance page and Dependency List, and is tracked by the following issues:

See screenshots of the License Compliance page:

New implementation Old implementation
image image

When is the feature viable?

What might happen if this goes wrong?

What can we monitor to detect problems with this?

Consider mentioning checks for 5xx errors or other anomalies like an increase in redirects (302 HTTP response status)

What can we check for monitoring production after rollouts?

Consider adding links to check for Sentry errors, Production logs for 5xx, 302s, etc.

Rollout Steps

Rollout on non-production environments

  • Ensure that the feature MRs have been deployed to non-production environments.
    • /chatops run auto_deploy status <merge-commit-of-your-feature>
  • Enable the feature globally on non-production environments.
    • /chatops run feature set <feature-flag-name> true --dev --staging --staging-ref
  • Verify that the feature works as expected. Posting the QA result in this issue is preferable. The best environment to validate the feature in is staging-canary as this is the first environment deployed to. Note you will need to make sure you are configured to use canary as outlined here when accessing the staging environment in order to make sure you are testing appropriately.

Specific rollout on production

  • Ensure that the feature MRs have been deployed to both production and canary.
    • /chatops run auto_deploy status <merge-commit-of-your-feature>
    • If you're using group-actor, you must enable the feature on these entries:
      • /chatops run feature set --group=gitlab-org,gitlab-com <feature-flag-name> true
  • Verify that the feature works on the specific entries. Posting the QA result in this issue is preferable.

Preparation before global rollout

  • Set a milestone to the rollout issue to signal for enabling and removing the feature flag when it is stable.
  • Check if the feature flag change needs to be accompanied with a change management issue. Cross link the issue here if it does.
  • Ensure that you or a representative in development can be available for at least 2 hours after feature flag updates in production. If a different developer will be covering, or an exception is needed, please inform the oncall SRE by using the @sre-oncall Slack alias.
  • Ensure that documentation has been updated (More info).
  • Leave a comment on the feature issue announcing estimated time when this feature flag will be enabled on GitLab.com.
  • Ensure that any breaking changes have been announced following the release post process to ensure GitLab customers are aware.
  • Notify #support_gitlab-com and your team channel (more guidance when this is necessary in the dev docs).

Global rollout on production

For visibility, all /chatops commands that target production should be executed in the #production slack channel and cross-posted (with the command results) to the responsible team's slack channel (#g_TEAM_NAME).

(Optional) Release the feature with the feature flag

If you're still unsure whether the feature is deemed stable but want to release it in the current milestone, you can change the default state of the feature flag to be enabled. To do so, follow these steps:

  • Create a merge request with the following changes. Ask for review and merge it.
  • Ensure that the default-enabling MR has been included in the release package. If the merge request was deployed before the monthly release was tagged, the feature can be officially announced in a release blog post.
    • /chatops run release check <merge-request-url> <milestone>
  • Consider cleaning up the feature flag from all environments by running these chatops command in #production channel. Otherwise these settings may override the default enabled.
    • /chatops run feature delete <feature-flag-name> --dev --staging --staging-ref --production
  • [-] Close the feature issue to indicate the feature will be released in the current milestone. There's no specific feature issue, and License Scanning using License DB and SBOM comp... (&9400 - closed) has been closed already.
  • [-] Set the next milestone to this rollout issue for scheduling the flag removal. This is handled in [Feature flag] Cleanup license_scanning_sbom_sc... (#385176 - closed).
  • (Optional) You can create a separate issue for scheduling the steps below to Release the feature.
    • Set the title to "[Feature flag] Cleanup <feature-flag-name>".
    • Execute the /copy_metadata <this-rollout-issue-link> quick action to copy the labels from this rollout issue.
    • Link this rollout issue as a related issue.
    • Close this rollout issue.

WARNING: This approach has the downside that it makes it difficult for us to clean up the flag. For example, on-premise users could disable the feature on their GitLab instance. But when you remove the flag at some point, they suddenly see the feature as enabled and they can't roll it back to the previous behavior. To avoid this potential breaking change, use this approach only for urgent matters.

Release the feature

After the feature has been deemed stable, the clean up should be done as soon as possible to permanently enable the feature and reduce complexity in the codebase.

Feature flag cleanup issue: #385176 (closed)

Rollback Steps

  • This feature can be disabled by running the following Chatops command:
/chatops run feature set <feature-flag-name> false
Edited by Nick Ilieskou