Enhance License Compliance: Highlight and Resolve Conflicting Licenses in Transitive Dependencies
Summary
Improve GitLab's license compliance feature by providing better visibility, actionable guidance, and collaboration tools for addressing conflicting licenses in transitive dependencies.
Background
GitLab currently offers robust License Compliance and Dependency Scanning capabilities. These features enforce policies and scan both direct and transitive dependencies for vulnerabilities. However, the experience could be improved for cases where transitive dependencies introduce licenses that conflict with the project's licensing policies.
Current State
- License Compliance: Enforces policies to block merge requests introducing disallowed licenses.
- Dependency Scanning: Scans for direct and transitive dependencies, including license and vulnerability details.
Problem Statement
While GitLab can detect and block disallowed licenses, it lacks the following:
- A way to identify and prioritize license conflicts introduced by transitive dependencies.
- Actionable recommendations to resolve these conflicts effectively.
Proposal
1. Enhanced Conflict Reporting
- Clearly highlight transitive dependencies with incompatible licenses in the Dependency List and Pipeline Security.
- Provide a clear path to the root cause (e.g., show which direct dependency introduced the problematic transitive dependency).
2. Actionable Guidance for Conflict Resolution
- Offer specific recommendations for resolving license conflicts, such as:
- Suggested alternative dependencies with compatible licenses.
- Steps for mitigating the risks of using conflicting licenses (e.g., creating an exception request or isolating the dependency).
3. Collaboration Features
- Enable teams to create GitLab issues directly from flagged license conflicts, pre-filled with relevant information (dependency tree, licenses, policies).
- Allow comments and discussions on flagged conflicts directly in the Pipeline Security, fostering collaboration between compliance and engineering teams.
4. Policy Expansion for Transitive Dependencies
- Extend License Compliance policies to include specific rules for managing transitive dependency conflicts.
- Provide fine-grained policy settings, such as exceptions for specific dependency paths or license types.
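As an added example (not GitLab's own code), the following script shows how the root-cause reporting in item 1 and the path-scoped exceptions in item 4 could be computed over a resolved dependency graph: every transitive dependency with a non-allowlisted license is reported together with the direct dependency that pulled it in, and findings are tallied per direct dependency for prioritization. The package names, licenses, allowlist and exception path are constructed for illustration.

```python
# Added example: flag transitive dependencies whose license is not on the
# project's allowlist and report the path from the direct dependency that
# introduced them. All data below is constructed, not from a real project.
from collections import Counter, deque

# Constructed dependency graph: package name -> (SPDX license, [dependencies])
DEPS = {
    "web-app":  ("MIT", ["http-lib", "json-fmt"]),
    "http-lib": ("Apache-2.0", ["tls-core", "logger"]),
    "json-fmt": ("MIT", ["logger"]),
    "tls-core": ("GPL-3.0-only", []),
    "logger":   ("AGPL-3.0-only", []),
}

# Constructed policy: licenses the project allows
ALLOWED = {"MIT", "Apache-2.0", "BSD-3-Clause"}

# Constructed path-scoped exception (proposal item 4): an approved exception
# for one specific dependency path suppresses the finding on that path only.
PATH_EXCEPTIONS = {("web-app", "json-fmt", "logger")}


def find_conflicts(root, deps=DEPS, allowed=ALLOWED, exceptions=PATH_EXCEPTIONS):
    """Breadth-first walk from root; one finding per distinct path that reaches
    a package with a non-allowlisted license. Each finding records the direct
    dependency that introduced the package (the root-cause path of item 1)."""
    findings = []
    queue = deque([(root,)])
    while queue:
        path = queue.popleft()
        name = path[-1]
        lic, children = deps[name]
        if name != root and lic not in allowed and path not in exceptions:
            findings.append({
                "package": name,
                "license": lic,
                "introduced_by": path[1],          # the direct dependency
                "path": " > ".join(path),
            })
        for child in children:
            if child not in path:                   # guard against cycles
                queue.append(path + (child,))
    return findings


def prioritize(findings):
    """Count conflicts per direct dependency, most conflicts first, so the
    dependency whose replacement removes the most findings is shown first."""
    return Counter(f["introduced_by"] for f in findings).most_common()
```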
Benefits
- Improve developer productivity with clear conflict resolution paths.
- Strengthen compliance by providing actionable insights into transitive dependency license issues.
- Foster collaboration between teams to reduce the time and effort required for conflict resolution.
- Minimize legal and operational risks from unintentional inclusion of incompatible licenses.
Implementation Considerations
- Integration with existing Dependency Scanning and License Compliance features.
- Optimize performance to handle deeper dependency analysis.
- Update policy configuration UI to support transitive dependency rules.
Success Metrics
- Reduction in time spent resolving license conflicts.
- Decrease in unresolved license conflicts across projects.
- Increased usage of License Compliance and related features for addressing transitive dependencies.
Edited by Christian Nnachi