Add license scanning violations into the policy bot comment
What does this MR do and why?
This change restructures license_scanning violation data to provide dependencies associated with the licenses and displays them in the policy bot comment. Depends on !146935 (merged).
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Screenshots or screen recordings
Screenshots are required for UI changes, and strongly recommended for all other merge requests.
Only license violation | Combined with other violations |
---|---|
![]() |
![]() |
How to set up and validate locally
The verification requires licenses and package metadata to be synced. See https://gitlab.com/gitlab-org/gitlab-development-kit/-/blob/main/doc/howto/license_compliance.md for more information.
- Create a project
- In rails console, enable feature flag:
Feature.enable(:save_policy_violation_data, Project.last)
- Add CI configuration:
include: - template: Jobs/Dependency-Scanning.gitlab-ci.yml build-job: script: - echo "Compiling the code..." - echo "Compile complete."
- Add empty
requirements.txt
file - Go to Secure -> Policies and create a new policy:
type: approval_policy name: Licenses description: '' enabled: true rules: - type: license_finding match_on_inclusion: true license_types: - BSD 3-Clause "New" or "Revised" License - MIT License license_states: - newly_detected branch_type: protected actions: - type: require_approval approvals_required: 1 role_approvers: - developer
- Create MR adding a new package that would violate the policy. Example:
diff --git a/requirements.txt b/requirements.txt index 8b137891791fe96927ad78e64b0aad7bded08bdc..3ac9d3235031db76d721f145fbeb3849c5c5df54 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1 +1 @@ - +pluggy==1.1.0
- After the pipeline completes, verify that a bot comment is created and it lists
MIT
as out-of-policy license
Related to #433403 (closed)
Edited by Martin Čavoj