Skip to content

Enhance license dependency equality

Philip Cunninghamrequested to merge
philipcunningham-enhance-dependency-equality-390027 into master

What does this MR do and why?

whilst working on Implement License Scanning SBOM scanner, we discovered that the backend cannot accurately track licenses of project dependencies that share the same package name but have different package types, or different package versions. this merge request extends #eql? and #hash to allow for these cases to be handled.

#390027 (closed)

Screenshots or screen recordings

before and after

Before

image

After

image

How to set up and validate locally

  1. create a gl-license-scanning-report.json file with the following contents:

    {
  "version": "2.1",
  "licenses": [
    {
      "id": "MIT",
      "name": "MIT License",
      "url": "https://opensource.org/licenses/MIT"
    }
  ],
  "dependencies": [
    {
      "name": "yargs-parser",
      "version": "1.2.3",
      "package_manager": "bundler",
      "path": "Gemfile.lock",
      "licenses": [
        "MIT"
      ]
    }
  ]
}

  2. create another file named gl-license-scanning-report-2.json file with the following contents:

    {
  "version": "2.1",
  "licenses": [
    {
      "id": "MIT",
      "name": "MIT License",
      "url": "https://opensource.org/licenses/MIT"
    }
  ],
  "dependencies": [
    {
      "name": "another-package",
      "version": "2.3.4",
      "package_manager": "npm",
      "path": "package.lock",
      "licenses": [
        "MIT"
      ]
    }
  ]
}

  3. create a .gitlab-ci.yml with two jobs which reference the above two license scanning reports:

    job 1:
  script:
    - echo "test"
  artifacts:
    reports:
      license_scanning:
        - gl-license-scanning-report.json

job 2:
  script:
    - echo "test"
  artifacts:
    reports:
      license_scanning:
        - gl-license-scanning-report-2.json

  4. commit all the above files and wait for the pipeline to finish.

  5. go to Security and Compliance > License scanning.

  6. notice that both packages another-package (2.3.4) and yargs-parser (1.2.3) show up in the license list:

  7. update the gl-license-scanning-report-2.json file that you created in step 2. above and change "name": "another-package" to "name": "yargs-parser", to introduce a collision with the instance of "name": "yargs-parser" in gl-license-scanning-report.json:

    {
  "version": "2.1",
  "licenses": [
    {
      "id": "MIT",
      "name": "MIT License",
      "url": "https://opensource.org/licenses/MIT"
    }
  ],
  "dependencies": [
    {
      "name": "yargs-parser",
      "version": "2.3.4",
      "package_manager": "npm",
      "path": "package.lock",
      "licenses": [
        "MIT"
      ]
    }
  ]
}

  8. commit the above change and wait for the pipeline to finish.

  9. go to Security and Compliance > License scanning.

  10. notice that both instances of yargs-parser now shows up in the license compliance list.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Philip Cunningham

Merge request reports