Use License Compliance at GitLab
According to our values, we should "use our own product". Yet, while License Management was released this year, it is still not part of our workflow and is not used at GitLab. Instead, we do license management by hand (https://gitlab.com/gitlab-org/gitlab-ee/blob/master/doc/development/licensing.md#automated-testing), without leveraging our own tools. That also means merge requests carry no information about the new licenses they would introduce.
The licensing page contains a lot of useful information, including the list of approved and blacklisted licenses. Yet it does not specify when licenses must be checked, so we probably do that at the last moment, before packaging (there is a license_finder configuration file here). We should shift that process left, as we do with security checks (https://gitlab.com/gitlab-org/gitlab-ee/issues/6236).
Some limitations of License Management are exposed directly when we compare it to the current, manual implementation, which gives us the following:
- The page lists all approved licenses, and explains why they are approved
- The page lists all blacklisted licenses, and explains why they are blacklisted
- The page explains how to deal with new licenses
- Some dependencies can be approved/blacklisted individually (because they are only used in development, for example)
- We can track who made each decision, why, and when
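The hand-maintained policy described above (approved and blacklisted licenses with a reason, per-dependency exceptions, and who/why/when for each decision) can be expressed as data and checked against the analyzer's report, which is what License Management does not let us do today. The following Ruby is an added example, not GitLab's code and not part of License Management: the report excerpt and policy entries are constructed, and the report field names it reads (`dependencies[].dependency.name` and `dependencies[].license.name`) are an assumption about the report layout, not a specification.

```ruby
require 'json'

# Constructed sample standing in for gl-license-management-report.json.
# Only the "dependencies" entries are read; the field names are assumed.
SAMPLE_REPORT = <<~JSON
  {
    "licenses": [
      {"count": 2, "name": "MIT"},
      {"count": 2, "name": "GPL-3.0"},
      {"count": 1, "name": "unknown"}
    ],
    "dependencies": [
      {"dependency": {"name": "rails"},           "license": {"name": "MIT"}},
      {"dependency": {"name": "rubyzip"},         "license": {"name": "MIT"}},
      {"dependency": {"name": "some-gpl-tool"},   "license": {"name": "GPL-3.0"}},
      {"dependency": {"name": "another-gpl-lib"}, "license": {"name": "GPL-3.0"}},
      {"dependency": {"name": "mystery-gem"},     "license": {"name": "unknown"}}
    ]
  }
JSON

# Constructed policy mirroring what the licensing page records by hand:
# approved/blacklisted licenses with a reason, plus per-dependency decisions
# that carry who/why/when so each exception stays auditable.
POLICY = {
  approved: {
    'MIT'        => 'permissive; compatible with our EE license',
    'Apache-2.0' => 'permissive; includes a patent grant',
  },
  blacklisted: {
    'GPL-3.0' => 'strong copyleft; incompatible with proprietary EE code',
  },
  dependencies: {
    'some-gpl-tool' => { decision: :approved, who: '@legal',
                         why: 'development-only tool, never shipped', when: '2018-11-20' },
  },
}

Decision = Struct.new(:dependency, :license, :status, :reason)

# Classifies every dependency in the report. A per-dependency override wins
# over the license lists; a license in neither list is flagged for review,
# which is how "new licenses" surface in a merge request instead of silently
# passing.
def evaluate(report_json, policy)
  JSON.parse(report_json).fetch('dependencies').map do |entry|
    name    = entry.fetch('dependency').fetch('name')
    license = entry.fetch('license').fetch('name')
    override = policy[:dependencies][name]
    if override
      Decision.new(name, license, override[:decision],
                   "#{override[:why]} (#{override[:who]}, #{override[:when]})")
    elsif policy[:approved].key?(license)
      Decision.new(name, license, :approved, policy[:approved][license])
    elsif policy[:blacklisted].key?(license)
      Decision.new(name, license, :blacklisted, policy[:blacklisted][license])
    else
      Decision.new(name, license, :needs_review, 'license is in neither the approved nor the blacklisted list')
    end
  end
end

# Everything that is not explicitly approved should block the merge request.
def violations(decisions)
  decisions.reject { |d| d.status == :approved }
end

DECISIONS = evaluate(SAMPLE_REPORT, POLICY)
DECISIONS.each do |d|
  puts format('%-16s %-8s %-13s %s', d.dependency, d.license, d.status, d.reason)
end
blocked = violations(DECISIONS)
puts(blocked.empty? ? 'no license violations' : "#{blocked.size} dependencies need attention")
```

A CI job would fail (non-zero exit) when `violations` is non-empty; the sample deliberately contains one blacklisted dependency and one unknown license so both paths are visible in the output.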
These limitations make the migration to the license_management job in the GitLab-CE/EE .gitlab-ci.yml hard to achieve:
```yaml
license_management:
  <<: *dedicated-no-docs-no-db-pull-cache-job
  image:
    name: "registry.gitlab.com/gitlab-org/security-products/license-management:$CI_SERVER_VERSION_MAJOR-$CI_SERVER_VERSION_MINOR-stable"
    entrypoint: [""]
  allow_failure: true
  tags: []
  before_script: []
  cache: {}
  dependencies: []
  script:
    - /run.sh analyze .
  artifacts:
    reports:
      license_management: gl-license-management-report.json
```
If we add this job to the pipeline, it fails because GitLab's bundle already pins a different version of LicenseFinder (5.4.0, the version Bundler asks for) while the image installs 5.5.2, so Bundler cannot resolve the pinned gem:
```
Using /usr/local/rvm/gems/ruby-2.5.3
Fetching: bundler-1.17.1.gem (100%)
Successfully installed bundler-1.17.1
Parsing documentation for bundler-1.17.1
Installing ri documentation for bundler-1.17.1
Done installing documentation for bundler after 4 seconds
1 gem installed
Fetching: rubyzip-1.2.2.gem (100%)
Successfully installed rubyzip-1.2.2
Fetching: thor-0.20.3.gem (100%)
Successfully installed thor-0.20.3
Fetching: parslet-1.8.2.gem (100%)
Successfully installed parslet-1.8.2
Fetching: toml-0.2.0.gem (100%)
Successfully installed toml-0.2.0
Fetching: with_env-1.1.0.gem (100%)
Successfully installed with_env-1.1.0
Fetching: xml-simple-1.1.5.gem (100%)
Successfully installed xml-simple-1.1.5
Fetching: license_finder-5.5.2.gem (100%)
Successfully installed license_finder-5.5.2
Parsing documentation for rubyzip-1.2.2
Installing ri documentation for rubyzip-1.2.2
Parsing documentation for thor-0.20.3
Installing ri documentation for thor-0.20.3
Parsing documentation for parslet-1.8.2
Installing ri documentation for parslet-1.8.2
Parsing documentation for toml-0.2.0
Installing ri documentation for toml-0.2.0
Parsing documentation for with_env-1.1.0
Installing ri documentation for with_env-1.1.0
Parsing documentation for xml-simple-1.1.5
Installing ri documentation for xml-simple-1.1.5
Parsing documentation for license_finder-5.5.2
Installing ri documentation for license_finder-5.5.2
Done installing documentation for rubyzip, thor, parslet, toml, with_env, xml-simple, license_finder after 2 seconds
7 gems installed
Could not find proper version of license_finder (5.4.0) in any of the sources
Run `bundle install` to install missing gems.
```
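To catch this conflict before the analyzer runs, rather than discovering it at the end of the job log, the version pinned in Gemfile.lock can be compared with the gem the image provides. The Ruby below is an added example, not part of License Management or of the license-management image: the lock-file excerpt is constructed, the image version is taken from the log above, and the `pinned_version`/`preflight` helpers and their messages are assumptions about how such a check would be written.

```ruby
require 'rubygems'

# Constructed Gemfile.lock excerpt standing in for the real lock file. Resolved
# specs sit at four-space indentation under "specs:"; their dependencies are
# indented deeper, and the DEPENDENCIES section lists constraints, not pins.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      license_finder (5.4.0)
        rubyzip (~> 1.2.2)
        thor (~> 0.19)
      rubyzip (1.2.2)
      thor (0.20.3)

  PLATFORMS
    ruby

  DEPENDENCIES
    license_finder (~> 5.4.0)
LOCK

# Returns the Gem::Version a lock file pins for gem_name, or nil when the gem
# is not locked. The anchored four-space prefix matches only resolved specs,
# not the more deeply indented dependency lines or the DEPENDENCIES section.
def pinned_version(lockfile_text, gem_name)
  match = lockfile_text.match(/^ {4}#{Regexp.escape(gem_name)} \(([^)]+)\)$/)
  match && Gem::Version.new(match[1])
end

# Bundler only accepts the exact locked version, which is why the job log ends
# with "Could not find proper version of license_finder (5.4.0)". Returns an
# exit status plus a message a CI step could print before '/run.sh analyze .'.
def preflight(lockfile_text, installed)
  pinned = pinned_version(lockfile_text, 'license_finder')
  if pinned.nil? || pinned == installed
    [0, "ok: license_finder #{installed} satisfies the lock file"]
  else
    [1, "Gemfile.lock pins license_finder #{pinned} but the image ships #{installed}; " \
        'Bundler will refuse to run it, so align the pin or run the analyzer outside the project bundle']
  end
end

# 5.5.2 is the version the log shows the image installing. Inside the image
# the same value is available as Gem::Specification.find_by_name('license_finder').version.
IMAGE_VERSION = Gem::Version.new('5.5.2')

status, message = preflight(SAMPLE_LOCKFILE, IMAGE_VERSION)
puts message
# A real before_script would `exit status` here; the sample reproduces the
# failing case from the log, so status is 1.
```

Whether the fix is to bump the pin in GitLab's Gemfile or to have the image run its own LicenseFinder outside the project's bundle is a separate decision; the check just makes the mismatch explicit at the start of the job.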
@bikebilly we should cover these limitations in &531, what do you think? I'd like to start using our feature, to get feedback from the team.
/cc @bikebilly @andyvolpe