
Allow user to disable using the cycloneDX report as the data source for license information

Problem to solve

With User provided license information for components (&10861 - closed), users can supply the license information for components themselves through the CycloneDX SBOM report.

The feature has been implemented so that the data provided in the CycloneDX report takes precedence over what is found in the GitLab PackageMetadata Database (PMDB), which is the data source the License Scanning feature normally relies on.

There is currently no ability for customers to disable that behavior.

NB: the feature will be released in %17.6 behind a beta-type feature flag that is enabled by default. This means we have 6 months (%18.0) to remove it. It is worth noting, though, that a feature flag is only meant to disable the feature in case of important issues like scalability problems. A feature toggle also offers the granularity of disabling the feature on a per-project basis for each user.

Proposal

Add a setting to the Security Configuration page that lets users adjust this behavior. This could be done in one of two ways:

  1. Enable/Disable the feature (enabled by default)
  2. Change precedence order (PMDB vs CycloneDX report)

The first approach is probably easier to implement.

Implementation plan

  1. backend Add a new smallint/enum-based column (see this thread), cyclonedx_based_policies, to project_settings, defaulting to PMDB.
  2. backend Update the package license logic to consider project_settings.cyclonedx_based_policies when categorising components.
  3. backend Add cyclonedx_based_policies to the configuration presenter:
    • Add cyclonedx_based_policies, with its value taken from project_settings.cyclonedx_based_policies, to the feature list.
    • Add a new object with the information (name, description, type) to be displayed in the UI within the existing Features.data.
    • Add cyclonedx_based_policies to ULTIMATE_FEATURES.
  4. backend Add a GraphQL mutation endpoint that supports updating project_settings.cyclonedx_based_policies.
  5. frontend Add a custom feature card for cyclonedx_based_policies by updating getComponentName and adding a new file that implements the feature card. This will include a call to the GraphQL mutation described above.
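As an added illustration of step 2 (example code, not GitLab's own): a small resolver that applies the proposed project_settings.cyclonedx_based_policies value when categorising a component. It assumes the enum holds two values, :pmdb (default) and :cyclonedx, naming the preferred data source, with the other source consulted only when the preferred one has no data; the package data and the denied-license policy are constructed, and the chosen source is recorded so a policy decision can be explained later.

```ruby
# Added example, not GitLab code. Assumed enum values for
# project_settings.cyclonedx_based_policies and the lookup order each implies.
PRECEDENCE = { pmdb: %i[pmdb cyclonedx], cyclonedx: %i[cyclonedx pmdb] }.freeze

# Constructed stand-in for the PackageMetadata Database, keyed by purl.
PMDB = {
  'pkg:npm/left-pad@1.3.0' => ['WTFPL'],
  'pkg:gem/rails@7.1.0'    => ['MIT']
}.freeze

# Constructed licenses declared in the project's (user-supplied) CycloneDX report.
CYCLONEDX_REPORT = {
  'pkg:npm/left-pad@1.3.0'     => ['MIT'],        # disagrees with PMDB
  'pkg:npm/internal-lib@0.1.0' => ['Apache-2.0']  # unknown to PMDB
}.freeze

# Returns { licenses: [...], source: :pmdb | :cyclonedx | :unknown }.
# The preferred source wins; the other is a fallback when it has no entry.
def resolve_licenses(purl, setting)
  order = PRECEDENCE.fetch(setting) { raise ArgumentError, "unknown setting #{setting}" }
  order.each do |source|
    data = source == :pmdb ? PMDB : CYCLONEDX_REPORT
    licenses = data[purl]
    return { licenses: licenses, source: source } if licenses && !licenses.empty?
  end
  { licenses: ['unknown'], source: :unknown }
end

# Categorises a component against a denied-license list (constructed policy),
# keeping the data source in the result so the decision is auditable.
def categorise(purl, setting, denied_licenses)
  result = resolve_licenses(purl, setting)
  violations = result[:licenses] & denied_licenses
  result.merge(status: violations.empty? ? :allowed : :denied, violations: violations)
end
```

The same component flips between :denied and :allowed depending on the setting, which is why the choice of source belongs to the project rather than to whoever authored the SBOM.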

Screenshot of the proposal

[Image: Screenshot_2025-05-12_at_14.55.18]

Edited by Zamir Martins