Add Annotation Option for Ingested License Data in GitLab License Compliance
Description
We would like a way to optimize our license management within GitLab's security dependency scanning. The goal is to enhance the visibility and management of commercial licenses within a self-managed GitLab instance. Specifically, we aim to annotate the license data ingested by GitLab with additional information about Company X commercial licenses.
Current Situation:
- The current GitLab setup does not allow for customization or annotation of the license data fetched by the package_metadata_licenses_sync cronjob.
- Our internal process involves using a script (following GitLab's documentation) to manually retrieve license data and store it in the vendor/package_metadata/licenses directory structure.
- We are looking to automate this script as a standardized process and integrate it with GitLab's License Compliance feature.
- Some licenses used by Paysafe are currently categorized as 'unknown' in the GitLab License Compliance UI. We aim to update this to display these licenses as 'Company X' licenses for better clarity and management.
Feature Request
- Annotation of License Data: Ability to annotate or tag license data that is ingested into GitLab, particularly for licenses that are categorized as 'unknown'. This annotation should allow us to label certain licenses as 'Company X' or with other relevant tags that indicate their status as commercial licenses.
- Customization of License Fetching Process: Enable customization of the package_metadata_licenses_sync cronjob to allow integration with our internal license management processes. This should include the ability to add conditions to the license fetching process, such as checking whether Company X has a paid commercial license for a particular dependency.
- Enhanced UI Display for License Compliance: Improve the License Compliance UI to reflect the custom annotations and tags, providing clearer visibility and management of commercial licenses. This would involve displaying the custom annotations in the UI, allowing users to easily identify and manage Company X commercial licenses and their expiration dates.
Impact
This feature would significantly improve our ability to manage and track commercial licenses within our GitLab instance. It would provide greater clarity in the License Compliance UI and ensure better alignment with our internal license management processes.
PS: For additional information, please refer to support ticket https://gitlab.zendesk.com/agent/tickets/490801