Approval policy no match licence finding
Release notes
We have a policy document within our company listing allowed and disallowed licences within our SBOMs. It's quite simple to add a GitLab approval policy based on this document for disallowed licences, but in cases where a licence is detected that is unknown to our document/policy we have no way to report this finding for discussion with Legal/Compliance without affecting the development cycle.
In cases where no licences are found, our policy currently fails open so that development can continue.
Problem to solve
Untrackable licences used that are undefined in the policy.
Intended users
Cyber, Legal
User experience goal
The end-user developer should not need to change or apply anything and should be able to continue as normal.
Proposal
The approval policy will include the scan, and the enforcement policy will class any licences found that aren't defined in a rule as "undefined", then report/notify according to the actions defined in the rule without classing the rule as breached. This allows the developer to continue while the appropriate departments review the licence found and decide which actions to apply to it.
I think this would probably need a policy-level feature, as all licence-finding rules would need to be considered, i.e. it would need at least one of each match_on_inclusion_license true/false, but due to the match_on_inclusion_license false rules they would always breach when an unknown licence was found.
Further details
```yaml
- name: 'Allowed licences'
  description: 'The licences defined as allow in companies policies'
  enabled: true
  rules:
    - type: license_finding
      branch_type: protected
      match_on_inclusion_license: false
      license_types:
        - Common Development and Distribution License 1.0
      license_states:
        - newly_detected
        - detected
  actions:
    - type: require_approval
      approvals_required: 1
      role_approvers:
        - owner
  approval_settings:
    block_branch_modification: true
    prevent_pushing_and_force_pushing: true
    prevent_approval_by_author: true
    prevent_approval_by_commit_author: true
    remove_approvals_with_new_commit: true
    require_password_to_approve: false
  fallback_behavior:
    fail: open # In case no licences are detected
- name: 'Denied licences'
  description: 'Licences explicitly denied in the companies policies'
  enabled: true
  rules:
    - type: license_finding
      branch_type: protected
      match_on_inclusion_license: true
      license_types:
        - Beerware License
      license_states:
        - newly_detected
        - detected
  actions:
    - type: require_approval
      approvals_required: 1
      role_approvers:
        - owner
  approval_settings:
    block_branch_modification: true
    prevent_pushing_and_force_pushing: true
    prevent_approval_by_author: true
    prevent_approval_by_commit_author: true
    remove_approvals_with_new_commit: true
    require_password_to_approve: false
  fallback_behavior:
    fail: open # In case no licences are detected
```
In the above configuration, if Netscape Public License v1.0 is found, this feature request would want that reported as a notification (as it doesn't appear in any license_finding rule) while allowing the developer to continue without a breach. With this configuration as it stands, though, the allow rule would breach, so the feature would need to control that.
Permissions and Security
This does not change.
Documentation
The documentation would reflect the policy-level feature.