Return licenses for each dependency from `<group>/-/dependencies.json`
Why are we doing this work
This work is necessary to display the software licenses associated with each component displayed in the group level dependency list.
Relevant links
Non-functional requirements
- Documentation: -
- Feature flag: `group_level_licenses`
- Performance: -
- Testing:
Implementation plan
Since the `::Groups::DependenciesController` uses the same JSON serializer as the `::Projects::DependenciesController`, we will need to return the same JSON schema for licenses: each dependency gains a `licenses` array of `{name, url}` objects, and a dependency with no known license still carries an empty array rather than omitting the key.
Before:

```json
{
  "report": {
    "status": "ok"
  },
  "dependencies": [
    {
      "name": "activerecord",
      "packager": "bundler",
      "version": "7.0.6",
      "location": {
        "blob_path": "/gitlab-examples/security/sbom-example/-/blob/f67dc4c5466304d6cbe1ecdd18196283447f1a34/Gemfile.lock",
        "path": "Gemfile.lock",
        "top_level": false,
        "ancestors": null
      },
      "project": {
        "full_path": "gitlab-examples/security/sbom-example",
        "name": "sbom-example"
      },
      "project_count": 1,
      "occurrence_count": 1,
      "component_id": 12
    },
    {
      "name": "activesupport",
      "packager": "bundler",
      "version": "7.0.6",
      "location": {
        "blob_path": "/gitlab-examples/security/sbom-example/-/blob/f67dc4c5466304d6cbe1ecdd18196283447f1a34/Gemfile.lock",
        "path": "Gemfile.lock",
        "top_level": false,
        "ancestors": null
      },
      "project": {
        "full_path": "gitlab-examples/security/sbom-example",
        "name": "sbom-example"
      },
      "project_count": 1,
      "occurrence_count": 1,
      "component_id": 15
    }
  ]
}
```
After:

```json
{
  "report": {
    "status": "ok"
  },
  "dependencies": [
    {
      "name": "activerecord",
      "packager": "bundler",
      "version": "7.0.6",
      "location": {
        "blob_path": "/gitlab-examples/security/sbom-example/-/blob/f67dc4c5466304d6cbe1ecdd18196283447f1a34/Gemfile.lock",
        "path": "Gemfile.lock",
        "top_level": false,
        "ancestors": null
      },
      "licenses": [
        {
          "name": "Apache-2.0",
          "url": "https://spdx.org/licenses/Apache-2.0.json"
        },
        {
          "name": "MIT",
          "url": "https://spdx.org/licenses/MIT.json"
        }
      ],
      "project": {
        "full_path": "gitlab-examples/security/sbom-example",
        "name": "sbom-example"
      },
      "project_count": 1,
      "occurrence_count": 1,
      "component_id": 12
    },
    {
      "name": "activesupport",
      "packager": "bundler",
      "version": "7.0.6",
      "location": {
        "blob_path": "/gitlab-examples/security/sbom-example/-/blob/f67dc4c5466304d6cbe1ecdd18196283447f1a34/Gemfile.lock",
        "path": "Gemfile.lock",
        "top_level": false,
        "ancestors": null
      },
      "licenses": [
        {
          "name": "MIT",
          "url": "https://spdx.org/licenses/MIT.json"
        }
      ],
      "project": {
        "full_path": "gitlab-examples/security/sbom-example",
        "name": "sbom-example"
      },
      "project_count": 1,
      "occurrence_count": 1,
      "component_id": 15
    }
  ]
}
```
- Add a `licenses` jsonb column to the `sbom_occurrences` table.
- Add validation of `licenses` via a JSON schema (e.g., `{name: 'MIT', url: "https://spdx.org/licenses/MIT.html"}`). The schema should reject anything other than an array of `{name, url}` objects, and the URL form it accepts should match what the serializer returns (the example above uses `.json`).
- Add `licenses` as part of the `sbom_occurrences` ingestion. Consider using this.
- Remove the `:read_license` permission check constraint. Once licenses are part of the dependency list payload, they are visible to anyone who can read the dependency list, so that endpoint's own authorization is what gates them.
Verification steps
- Visit https://gitlab.com/groups/gitlab-org/govern/threat-insights-demos/verification-projects/verify-408846-group/-/dependencies
- Verify that licenses are displayed in the License column.
- Visit https://gitlab.com/groups/gitlab-org/govern/threat-insights-demos/verification-projects/verify-408846-group/-/dependencies.json
- Verify that each object under `.dependencies` has a `.licenses` key with 0 or more licenses in the array.
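The validation bullet of the implementation plan and the last verification step both reduce to one check: is `licenses` an array of well-formed `{name, url}` entries? The example below is added here to show that check end to end; it is not GitLab's code. It validates a license entry the way the proposed JSON schema would, then runs that validation over a `dependencies.json` payload and reports the `component_id`s that fail, so the same function can be pointed at a saved response from the verification group. Restricting `url` to `https://spdx.org/licenses/` is an assumption of this example (the issue only says "validate via json schema"), and the sample payloads are constructed from the "After" example with `location` and `project` trimmed away.

```ruby
# Added example, not GitLab's code. Validates the proposed `licenses` value for
# sbom_occurrences.licenses and checks a <group>/-/dependencies.json payload.
require 'json'
require 'uri'

LICENSE_KEYS = %w[name url].freeze
# Assumption of this example: license URLs must point at the SPDX license list
# over https. The issue itself only asks for JSON schema validation.
SPDX_PREFIX = 'https://spdx.org/licenses/'

# One license entry, e.g. {"name" => "MIT", "url" => "https://spdx.org/licenses/MIT.json"}.
# Accepts both .json and .html SPDX URLs, which is the ambiguity the plan leaves open.
def valid_license?(license)
  return false unless license.is_a?(Hash)

  entry = license.transform_keys(&:to_s)
  return false unless entry.keys.sort == LICENSE_KEYS

  name, url = entry.values_at('name', 'url')
  return false unless name.is_a?(String) && !name.strip.empty?
  return false unless url.is_a?(String) && url.start_with?(SPDX_PREFIX)

  begin
    uri = URI.parse(url)
  rescue URI::InvalidURIError
    return false
  end
  uri.scheme == 'https' && uri.host == 'spdx.org'
end

# The whole jsonb column value: zero or more valid entries. A missing key
# (nil) or a bare object is rejected; the serializer must emit [] when there
# are no known licenses.
def valid_licenses?(value)
  value.is_a?(Array) && value.all? { |entry| valid_license?(entry) }
end

# Verification step "each object under .dependencies has a .licenses key with
# 0 or more licenses": takes a JSON string or parsed Hash and returns the
# component_ids whose licenses value is absent or malformed. [] means pass.
def dependencies_missing_licenses(body)
  payload = body.is_a?(String) ? JSON.parse(body) : body
  payload.fetch('dependencies', [])
         .reject { |dep| valid_licenses?(dep['licenses']) }
         .map { |dep| dep['component_id'] }
end

# Constructed sample: the "After" payload from this issue, trimmed.
AFTER_PAYLOAD = {
  'report' => { 'status' => 'ok' },
  'dependencies' => [
    { 'name' => 'activerecord', 'packager' => 'bundler', 'version' => '7.0.6',
      'licenses' => [
        { 'name' => 'Apache-2.0', 'url' => 'https://spdx.org/licenses/Apache-2.0.json' },
        { 'name' => 'MIT', 'url' => 'https://spdx.org/licenses/MIT.json' }
      ],
      'component_id' => 12 },
    { 'name' => 'activesupport', 'packager' => 'bundler', 'version' => '7.0.6',
      'licenses' => [{ 'name' => 'MIT', 'url' => 'https://spdx.org/licenses/MIT.json' }],
      'component_id' => 15 }
  ]
}.freeze

# Constructed negative sample: one dependency still on the "Before" shape (no
# licenses key) and one whose license URL is not an https SPDX URL.
BROKEN_PAYLOAD = {
  'report' => { 'status' => 'ok' },
  'dependencies' => [
    { 'name' => 'rake', 'packager' => 'bundler', 'version' => '13.0.6', 'component_id' => 99 },
    { 'name' => 'nokogiri', 'packager' => 'bundler', 'version' => '1.15.4',
      'licenses' => [{ 'name' => 'MIT', 'url' => 'http://example.com/MIT' }],
      'component_id' => 42 }
  ]
}.freeze

if $PROGRAM_NAME == __FILE__
  puts "after payload failing ids:  #{dependencies_missing_licenses(AFTER_PAYLOAD).inspect}"
  puts "broken payload failing ids: #{dependencies_missing_licenses(BROKEN_PAYLOAD).inspect}"
end
```

To use it against the verification group, save the `dependencies.json` response to a file and call `dependencies_missing_licenses(File.read(path))`; an empty array is a pass. The `valid_license?` check mirrors what the jsonb JSON schema should enforce at write time, so a non-empty result from the live endpoint points at an ingestion or serializer gap rather than a display bug.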
Edited by mo khan