Persist license policy violations data
What does this MR do and why?
This MR refactors and extends SyncLicenseScanningRulesService
to persist violated license names.
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
How to set up and validate locally
- Create a project
- In rails console, enable feature flag:
Feature.enable(:save_policy_violation_data, Project.last)
- Add CI configuration:
include: - template: Jobs/Dependency-Scanning.gitlab-ci.yml build-job: script: - echo "Compiling the code..." - echo "Compile complete."
- Add empty
requirements.txt
file - Go to Secure -> Policies and create a new policy:
type: approval_policy name: Licenses description: '' enabled: true rules: - type: license_finding match_on_inclusion: true license_types: - BSD 3-Clause "New" or "Revised" License - GNU Lesser General Public License v3.0 or later - MIT License license_states: - newly_detected branch_type: protected actions: - type: require_approval approvals_required: 1 role_approvers: - developer
- Create MR adding a new package that would violate the policy. Example:
diff --git a/requirements.txt b/requirements.txt index 8b137891791fe96927ad78e64b0aad7bded08bdc..3ac9d3235031db76d721f145fbeb3849c5c5df54 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1 +1 @@ - +pluggy==1.1.0
- After the pipeline completes, verify that jobs pass, artifacts are present and approvals are required
- In rails console, check that
violations_data
have been persisted (e.g.{"violations"=>{"licenses"=>["MIT License"]}}
):MergeRequest.last.scan_result_policy_violations
Related to #433401 (closed)
Edited by Martin Čavoj