Persist license_scanning violation data
Why are we doing this work
In Add violation_data to scan_result_policy_violat... (#433390 - closed) we're adding a new column, `violation_data`, to save details about what caused policy violations.
In this issue, we want to persist violation data for `license_scanning` policies. For this reason, we should extend `Security::SyncLicenseScanningRulesService` and save the violated license names.
Relevant links
Non-functional requirements
-
Documentation: -
Feature flag: we should do these changes behind feature flag -
Performance: -
Testing:
Implementation plan
- Update `SyncLicenseScanningRulesService` and use the `set_violation_data` method from `UpdateViolationsService` to store details about what caused violations:
  - the license names
  - evaluated pipelines (`pipeline.id` and `target_branch_pipeline.id`)
- Distinguish between `newly_detected` and `previously_existing` ones, so that they can be provided separately in the API response and the bot comment
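As an added illustration of the plan above (example code, not GitLab's own implementation): a stand-alone Ruby sketch of how a `violation_data` payload could be assembled, splitting violated license names into `newly_detected` and `previously_existing` by comparing the MR pipeline against the target branch pipeline. The hash layout, the denied-license rule and the sample pipeline data are constructed assumptions.

```ruby
# Constructed example, not GitLab's code: models how violation_data for a
# license_scanning policy could be built and split into newly detected vs
# previously existing violations. Hash layout and sample data are assumptions.

# Licenses the policy forbids (constructed sample policy rule).
DENIED_LICENSES = %w[GPL-3.0 AGPL-3.0].freeze

# Licenses detected by a pipeline: { license_name => [package names] }.
# Constructed sample data for an MR pipeline and its target branch pipeline.
MR_PIPELINE     = { id: 101, licenses: { 'MIT' => %w[rails], 'GPL-3.0' => %w[readline-ext], 'AGPL-3.0' => %w[ghostscript] } }
TARGET_PIPELINE = { id: 97,  licenses: { 'MIT' => %w[rails], 'GPL-3.0' => %w[readline-ext] } }

# Returns the sorted license names in `pipeline` that violate the policy.
def violated_licenses(pipeline, denied)
  pipeline[:licenses].keys.select { |name| denied.include?(name) }.sort
end

# Builds the violation_data payload: violated license names split by whether
# the violation was introduced by the MR (newly_detected) or already present
# on the target branch (previously_existing), plus the pipelines evaluated.
# Returns nil when nothing violates the policy, i.e. there is nothing to persist.
def build_violation_data(mr_pipeline, target_pipeline, denied)
  current  = violated_licenses(mr_pipeline, denied)
  existing = target_pipeline ? violated_licenses(target_pipeline, denied) : []
  return nil if current.empty?

  {
    'violations' => {
      'license_scanning' => {
        'newly_detected'      => current - existing,
        'previously_existing' => current & existing
      }
    },
    'context' => {
      'pipeline_ids'        => [mr_pipeline[:id]],
      'target_pipeline_ids' => target_pipeline ? [target_pipeline[:id]] : []
    }
  }
end

if __FILE__ == $PROGRAM_NAME
  require 'json'
  puts JSON.pretty_generate(build_violation_data(MR_PIPELINE, TARGET_PIPELINE, DENIED_LICENSES))
end
```

With the sample data, AGPL-3.0 is reported as newly detected (introduced by the MR) while GPL-3.0 is previously existing (already on the target branch), which is the split the bot comment and API response need.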
Verification steps
- Create a license scanning policy
- Configure `.gitlab-ci.yml` with the `Security/Dependency-Scanning.gitlab-ci.yml` template
- Create an MR causing violations by adding a package with a violating license to the project
- Check that `violation_data` in the `scan_result_policy_violations` table contains the correct data
Edited by Martin Čavoj