Skip to content

Add license scanning violations into the policy bot comment

Martin Čavoj requested to merge 433403-extend-policy-bot-comment-with-violation-data-3 into master

What does this MR do and why?

This change restructures license_scanning violation data to provide dependencies associated with the licenses and displays them in the policy bot comment. Depends on !146935 (merged).

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

Screenshots are required for UI changes, and strongly recommended for all other merge requests.

Only license violation Combined with other violations
CleanShot_2024-03-21_at_15.06.29_2x CleanShot_2024-03-21_at_15.08.31_2x

How to set up and validate locally

The verification requires licenses and package metadata to be synced. See https://gitlab.com/gitlab-org/gitlab-development-kit/-/blob/main/doc/howto/license_compliance.md for more information.

  1. Create a project
  2. In rails console, enable feature flag: 
    Feature.enable(:save_policy_violation_data, Project.last)
  3. Add CI configuration: 
    include:
  - template: Jobs/Dependency-Scanning.gitlab-ci.yml

build-job:
  script:
    - echo "Compiling the code..."
    - echo "Compile complete."
  4. Add empty requirements.txt file
  5. Go to Secure -> Policies and create a new policy: 
    type: approval_policy
name: Licenses
description: ''
enabled: true
rules:
  - type: license_finding
    match_on_inclusion: true
    license_types:
      - BSD 3-Clause "New" or "Revised" License
      - MIT License
    license_states:
      - newly_detected
    branch_type: protected
actions:
  - type: require_approval
    approvals_required: 1
    role_approvers:
      - developer
  6. Create MR adding a new package that would violate the policy. Example: 
    diff --git a/requirements.txt b/requirements.txt
index 8b137891791fe96927ad78e64b0aad7bded08bdc..3ac9d3235031db76d721f145fbeb3849c5c5df54 100644
--- a/requirements.txt
  +++ b/requirements.txt
  @@ -1 +1 @@
-
  +pluggy==1.1.0
  7. After the pipeline completes, verify that a bot comment is created and it lists MIT as out-of-policy license

Related to #433403 (closed)

Edited by Martin Čavoj

Merge request reports