Show detected licenses with their URLs (License Scanning SBOM Scanner)
Summary
With the introduction of the License Scanning SBOM Scanner, the License Compliance and Dependency List pages no longer provide links to the detected licenses.
Screenshots
License Compliance page: screenshots comparing the new implementation (no license links) with the old implementation (license links present); images not available.
Dependency List page: screenshots comparing the new implementation (no license links) with the old implementation (license links present); images not available.
Source: #385173 (closed)
Further details
Before the introduction of the License Scanning SBOM Scanner, license URLs were extracted from License Scanning report artifacts.
See sample report:
```json
{
  "version": "2.1",
  "licenses": [
    {
      "id": "MIT",
      "name": "MIT License",
      "url": "https://opensource.org/licenses/MIT"
    }
  ],
  "dependencies": [
    {
      "name": "classpreloader/classpreloader",
      "version": "3.2.0",
      "package_manager": "composer",
      "path": "composer.lock",
      "licenses": [
        "MIT"
      ]
    }
  ]
}
```
Compared to this, the License Scanning SBOM Scanner only relies on the information stored in pm_licenses; right now this table only provides SPDX identifiers of licenses.
```sql
CREATE TABLE pm_licenses (
    id bigint NOT NULL,
    spdx_identifier text NOT NULL,
    CONSTRAINT check_c1eb81d1ba CHECK ((char_length(spdx_identifier) <= 50))
);
```
See #385173 (comment 1296169706)
Possible fixes
- Add a `url` column to the `pm_licenses` table, and sync `pm_licenses` with the SPDX License List, just like the `ImportSoftwareLicensesWorker` worker syncs up `software_licenses`.
- Redirect to the license page on spdx.org using the SPDX identifier. For instance, https://spdx.org/licenses/0BSD.html is the page for `0BSD`. There are at least two ways this can be implemented:
  - Update `LicenseScanning::SbomScanner` to add licenses with predefined URLs when calling `LicenseScanning::Report.add_license`.
  - Update `LicenseScanning::Report.add_license` to set the `url` to `"https://spdx.org/licenses/#{id}.html"` when `id` is set but `url` is empty.
Proposal
Redirect to the license page on spdx.org using the SPDX identifier. Update `LicenseScanning::Report.add_license` to set the `url` to `"https://spdx.org/licenses/#{id}.html"` when `id` is set but `url` is empty.
Implementation plan
- Update `LicenseScanning::Report.add_license` and its specs.
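The following is an added example, not GitLab's own code, showing how the proposed default could look in a minimal stand-in for `LicenseScanning::Report#add_license`. The class and method names mirror the issue text; the keyword signature `(id:, name:, url:)`, the `License` struct and the identifier pattern are assumptions. The pattern is deliberately strict so that only plausible SPDX short identifiers (letters, digits, `.`, `-`, `+`, at most 50 characters, matching the `pm_licenses` check constraint) are ever interpolated into a link, and `LicenseRef-` identifiers, which are user-defined and have no page on spdx.org, get no default URL.

```ruby
# Added example (not GitLab's code): default a license URL to the spdx.org
# page for its SPDX identifier when no URL was supplied by the scanner.
module LicenseScanning
  class Report
    SPDX_BASE_URL = 'https://spdx.org/licenses/'.freeze

    # Assumption: SPDX short identifiers use letters, digits, '.', '-' and '+'.
    # The 50-character cap mirrors the check constraint on pm_licenses.spdx_identifier.
    SPDX_ID_PATTERN = /\A[A-Za-z0-9.+\-]{1,50}\z/.freeze

    # Hypothetical representation of a detected license.
    License = Struct.new(:id, :name, :url, keyword_init: true)

    attr_reader :licenses

    def initialize
      @licenses = {}
    end

    # Registers a license. When `url` is missing or blank and `id` looks like a
    # valid SPDX identifier, the URL defaults to the spdx.org license page.
    def add_license(id:, name:, url: nil)
      url = default_url_for(id) if url.nil? || url.to_s.strip.empty?
      license = License.new(id: id, name: name, url: url)
      @licenses[id] = license
      license
    end

    private

    def default_url_for(id)
      id = id.to_s
      return nil if id.empty?
      # Only interpolate identifiers that match the expected character set, so
      # an unexpected value never produces a link to an arbitrary path.
      return nil unless SPDX_ID_PATTERN.match?(id)
      # Assumption: LicenseRef- identifiers are custom and have no spdx.org page.
      return nil if id.start_with?('LicenseRef-')

      "#{SPDX_BASE_URL}#{id}.html"
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  report = LicenseScanning::Report.new
  puts report.add_license(id: 'MIT', name: 'MIT License').url
  puts report.add_license(id: '0BSD', name: 'BSD Zero Clause License', url: '').url
  puts report.add_license(id: 'LicenseRef-acme', name: 'Acme Proprietary').url.inspect
end
```

An explicit `url` passed by the caller is kept as-is, so licenses that come with a URL from a report artifact are unaffected; only the case the proposal targets (identifier present, URL empty) changes.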
Verification steps
On a project where the `license_scanning_sbom_scanner` feature flag is enabled, and where a Dependency Scanning job has been executed successfully for the default branch:
- Check that the License Compliance page provides links for detected licenses.
- Check that the Dependency List page provides links for detected licenses.