Ambiguous license names can cause approvals to be required
Summary
For certain licenses, there are multiple names to choose from, and it's unclear which one is supposed to be selected for the license scanning to work correctly. For example, for MIT licenses, should the user choose `MIT` or `MIT License`?
The main points of confusion are:
- Why are there multiple "flavors" of this license in the dropdown?
- Why do both show as `allowed` in the MR widget, while one is permitted by the policy and one is not?
- Are there other licenses that can cause confusion?
Steps to reproduce
I tried to recreate a confusing scenario in this MR.
Example policy:

```yaml
type: scan_result_policy
name: Test
description: ''
enabled: true
rules:
  - type: license_finding
    match_on_inclusion: false
    license_types:
      - MIT
    license_states:
      - newly_detected
      - detected
    branch_type: protected
actions:
  - type: require_approval
    approvals_required: 1
    role_approvers:
      - developer
approval_settings:
  block_branch_modification: true
  prevent_pushing_and_force_pushing: false
```
Previously existing licenses
With this policy and `testpy` in my `requirements.txt` file, I get a violation because `testpy` is evaluated as using `MIT License`, and approvals are required:
The confusing part is that `MIT` is shown as allowed under the Pipeline -> Licenses tab:

If we change the license in the policy to `MIT License`, the Pipeline -> Licenses tab shows `MIT License` as allowed again:
The difference is that the MR is not blocked:
Newly detected licenses
The situation for new licenses is also confusing: the widget shows `MIT` as allowed, although approvals are required, because the policy actually expects `MIT License`.

If we switch the policy to `MIT License`, the widget looks the same, but the MR gets unblocked: