SCA::LicenseCompliance for branches initialized with License Scanning scanners for pipelines
Problem to solve
When Project#license_compliance is called with no argument or with a nil pipeline, the following happens:
- The pipeline is set to a default value that corresponds to the default branch.
- That pipeline is passed to SCA::LicenseCompliance.new.
- SCA::LicenseCompliance is always initialized with a License Scanning scanner for pipelines, not for branches.
This prevents the License Scanning scanner from performing optimizations for branches, like fetching SBOM data directly from the DB. Since the scanner for pipelines is always invoked, the input data of the scanner always come from the CI artifacts.
Further details
The following discussion from !105533 (merged) should be addressed:
- @fcatteau started a discussion: (+6 comments) I suggest we do the following:
  - Call scanner_for_pipeline when pipeline is defined, and store the given pipeline.
  - Or else call scanner_for_project, and store the pipeline returned by that scanner.
  This should improve the performance in the future, because it will be possible to directly fetch SBOM components of the default branch from the DB, instead of parsing the SBOM reports of the corresponding pipeline.
  The problem is the lack of clarity though: we would pass a nil pipeline to communicate that we want a SCA::LicenseCompliance object for the default branch really. WDYT?
The scanner implementation should be able to determine if the SBoM components should be fetched from the database or if they should be parsed from the artifact with a preference for the former for performance reasons. For more context, the goal of continuous scanning is to decouple the license scanning from artifacts/pipelines when on the main/default branch. Thus, it should be possible to get the default branch's SBoM components if a pipeline was not passed in.
/cc @fcatteau
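Added illustration (not GitLab's code, and not from the MR discussion above): a self-contained Ruby sketch of the two behaviours the issue contrasts, the current one in the "Problem to solve" section (a nil pipeline is replaced by the default-branch pipeline, so the pipeline scanner and the CI artifacts are always used) and the dispatch proposed in the discussion (scanner_for_pipeline when a pipeline is given, scanner_for_project otherwise, storing the pipeline that scanner reports). The Pipeline, Project, PipelineScanner and ProjectScanner classes, the sbom_components and parse_sbom_report methods, and the sample data are all constructed stand-ins; only the SCA::LicenseCompliance name and the two scanner_for_* names come from the issue.

```ruby
# Constructed stand-in for a CI pipeline carrying a license-scanning artifact.
Pipeline = Struct.new(:id, :ref, :sbom_report) do
  # Simulates parsing the CI artifact: returns component names.
  def parse_sbom_report
    sbom_report.split(",").map(&:strip)
  end
end

# Constructed stand-in for a project whose default-branch SBOM components are
# already stored in the DB (hypothetical sbom_components attribute).
Project = Struct.new(:default_branch, :pipelines, :sbom_components) do
  def latest_default_branch_pipeline
    pipelines.select { |p| p.ref == default_branch }.max_by(&:id)
  end
end

# Scanner for a specific pipeline: must parse the report artifact.
class PipelineScanner
  attr_reader :pipeline, :source

  def initialize(pipeline)
    @pipeline = pipeline
    @source = :artifacts
  end

  def components
    pipeline.parse_sbom_report
  end
end

# Scanner for the default branch: reads components from the DB and still
# knows which pipeline the stored data came from.
class ProjectScanner
  attr_reader :pipeline, :source

  def initialize(project)
    @project = project
    @pipeline = project.latest_default_branch_pipeline
    @source = :database
  end

  def components
    @project.sbom_components
  end
end

module SCA
  class LicenseCompliance
    attr_reader :scanner, :pipeline

    # Proposed dispatch from the discussion: pipeline scanner when a pipeline
    # is given, otherwise the project scanner and the pipeline it reports.
    def initialize(project, pipeline)
      if pipeline
        @scanner = PipelineScanner.new(pipeline)   # scanner_for_pipeline
        @pipeline = pipeline
      else
        @scanner = ProjectScanner.new(project)     # scanner_for_project
        @pipeline = @scanner.pipeline
      end
    end

    def components
      scanner.components
    end

    def source
      scanner.source
    end
  end
end

# Current behaviour as described in the issue: a nil pipeline is replaced by
# the default-branch pipeline before construction, so the artifact-parsing
# scanner is always used.
def current_license_compliance(project, pipeline = nil)
  pipeline ||= project.latest_default_branch_pipeline
  SCA::LicenseCompliance.new(project, pipeline)
end

# Proposed behaviour: pass the nil through and let the constructor decide.
def proposed_license_compliance(project, pipeline = nil)
  SCA::LicenseCompliance.new(project, pipeline)
end

# Constructed sample data: two default-branch pipelines and one feature pipeline.
def sample_project
  main_old = Pipeline.new(1, "main", "rails, nokogiri")
  main_new = Pipeline.new(2, "main", "rails, nokogiri, puma")
  feature  = Pipeline.new(3, "feature", "rails, rack")
  Project.new("main", [main_old, main_new, feature], %w[rails nokogiri puma])
end
```

With the sample project, current_license_compliance(project) reports source :artifacts even for the default branch, while proposed_license_compliance(project) reports :database and still exposes pipeline id 2 (the latest default-branch pipeline); passing the feature pipeline explicitly selects the artifact path in both variants.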