License Policy Inconsistencies between the License MR widget and the MR approval license policies

Everyone can contribute. Help move this issue forward while earning points, leveling up and collecting rewards.

• Collaborate/take over this issue

Summary

The customer set up a Pipeline Execution Policy to run dependency scanning with every pipeline. They also set up a Merge Request Approval Policy to flag any out of policy licenses (any license that is not MIT). They are experiencing inconsistencies between the Merge Request widget and the GitLab Security Bot when evaluating license policy compliance. The MIT License is incorrectly shown as an out-of-policy license in the MR widget despite being explicitly configured as allowed in the license policy. The Security Bot correctly identifies only three out-of-policy licenses (excluding MIT), while the MR widget incorrectly shows four licenses (including MIT) as violations. However, this does not always happen.

Steps to reproduce

• Configure a group-level Pipeline Execution Policy which should always trigger the dependency scanning job for every merge request
• Configure a group-level Merge Request Approval Policy that should flag all licenses except the MIT License
• Create a project that inherits this policy via the configured pipeline execution policy
• Create a merge request in the project that contains dependencies with various licenses including MIT
• Observe that the dependency scanning job runs automatically
• Review the Merge Request widget which incorrectly shows MIT as a policy violation
• Compare with the GitLab Security Bot comment which correctly shows only violations excluding MIT

Merge Request Approval Policy configuration:

rules:
  - type: license_finding
    match_on_inclusion_license: false
    license_types:
      - MIT License
    license_states:
      - newly_detected
      - detected

Example Project

See this RFH issue internal only): https://gitlab.com/gitlab-com/request-for-help/-/issues/2823

What is the current bug behavior?

• The Merge Request widget incorrectly shows MIT License as out of compliance (4 total violations)
• The GitLab Security Bot correctly shows only 3 out-of-policy licenses (excluding MIT)
• This inconsistency doesn't happen on every merge request, but occurs frequently enough to cause confusion

What is the expected correct behavior?

Both the Merge Request widget and the GitLab Security Bot should consistently show the same license policy violations. The MIT License should not be flagged as a violation since it is explicitly configured as allowed in the license policy.

Relevant logs and/or screenshots

Output of checks

Results of GitLab environment info

Expand for output related to GitLab environment info

(For installations with omnibus-gitlab package run and paste the output of:
`sudo gitlab-rake gitlab:env:info`)

(For installations from source run and paste the output of:
`sudo -u git -H bundle exec rake gitlab:env:info RAILS_ENV=production`)

Results of GitLab application Check

Expand for output related to the GitLab application check

(For installations with omnibus-gitlab package run and paste the output of:
sudo gitlab-rake gitlab:check SANITIZE=true)
(For installations from source run and paste the output of:
sudo -u git -H bundle exec rake gitlab:check RAILS_ENV=production SANITIZE=true)
(we will only investigate if the tests are passing)

Possible fixes

We have 2 places where we check the license violations for an MR:

• Sca::LicenseCompliance which is called from the MR widget
• Security::ScanResultPolicies::LicenseViolationChecker which is called by MR approval policy after a pipeline is complete

Those 2 logic seem to behave inconsistently when there is no target branch pipeline. W should refactor them and have a single place to get the license violations for an MR.