License compliance merge request widget incorrectly lists approved licenses as denied


Summary

The MR widget can list approved licenses as denied and state that an approval is needed when none is required. This behavior is both confusing and incorrect, and can lead developers to chase down an approval that was never needed.

Might be related to #448576

Steps to reproduce

  1. Add license policy to project
  2. Ensure project is using merge trains and merge pipelines
  3. Add dependencies with approved licenses to the main branch
  4. Open an MR that does not change any dependencies, and observe the discrepancy between the MR widget and the pipeline tab.

Example Project

Exclude test sbom artifacts (gitlab-org/security-products/analyzers/dependency-scanning!41 - merged)

What is the current bug behavior?

The MR widget shows the licenses as denied. The pipeline tab shows the licenses as approved.

What is the expected correct behavior?

The MR widget shows the licenses as approved. The pipeline tab shows the licenses as approved.

Relevant logs and/or screenshots

[Screenshot: the MR widget displaying approved licenses as denied]

[Screenshot: the pipeline tab displaying the same licenses as approved]

Output of checks

Results of GitLab environment info

Verified in 17.4 and appears on GitLab.com.

Possible fixes

TBD
