Improve license matching when evaluating policies

What does this MR do and why?

This MR improves license matching when evaluating policies. See #438584 (closed) for more context.

If a policy is created using an spdx_identifier, the SoftwareLicense record is created with that identifier stored in name and spdx_identifier left nil:

#<SoftwareLicense:0x0000000173c1a510 id: 415, name: "MIT", spdx_identifier: nil>

In the report, we detect both MIT and MIT License. When comparing with match_on_inclusion: false, MIT License is treated as a license not mentioned in the policy, so approval is required.

This fix takes the licenses listed in the policies and cross-checks them with the licenses from the report. If we find MIT in the report, we also take MIT License from it into the comparison.
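The cross-check described above, modelled as an added example in plain Ruby (this is not GitLab's code; the hash shape of the report entries and all method names are assumptions). It contrasts the name-only comparison that flags "MIT License" with the expanded comparison that first folds in the names of report licenses whose spdx_identifier matches a policy entry, then evaluates match_on_inclusion in both directions:

```ruby
require "set"

# Constructed sample data (not a real scan report): what dependency scanning
# finds for testpy alone, and again after django is added to requirements.txt.
REPORT_TESTPY = [
  { spdx_identifier: "MIT", name: "MIT" },
  { spdx_identifier: "MIT", name: "MIT License" }
].freeze

REPORT_WITH_DJANGO = (REPORT_TESTPY + [
  { spdx_identifier: "BSD-3-Clause", name: "BSD 3-Clause License" }
]).freeze

# The policy's license_types as written in the YAML (an SPDX id or a name).
POLICY_LICENSE_TYPES = ["MIT"].freeze

# Before the fix: names only. "MIT License" is not "MIT", so it is unmatched.
def unmatched_by_name(policy_types, report)
  policy = policy_types.map(&:downcase).to_set
  report.map { |l| l[:name] }.uniq.reject { |n| policy.include?(n.downcase) }
end

# After the fix: a policy entry also covers every report license whose
# spdx_identifier equals that entry, so the names those licenses carry in the
# report join the policy set before the comparison is made.
def expanded_policy_set(policy_types, report)
  policy = policy_types.map(&:downcase).to_set
  report.each do |lic|
    id = lic[:spdx_identifier]
    policy << lic[:name].downcase if id && policy.include?(id.downcase)
  end
  policy
end

def unmatched_licenses(policy_types, report)
  policy = expanded_policy_set(policy_types, report)
  report.map { |l| l[:name] }.uniq.reject { |n| policy.include?(n.downcase) }
end

# match_on_inclusion: false -> approval is required when the report contains a
# license the policy does not list.
# match_on_inclusion: true  -> approval is required when any listed license is present.
def approval_required?(policy_types, report, match_on_inclusion:)
  policy = expanded_policy_set(policy_types, report)
  names = report.map { |l| l[:name].downcase }.uniq
  if match_on_inclusion
    names.any? { |n| policy.include?(n) }
  else
    names.any? { |n| !policy.include?(n) }
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "name-only unmatched (testpy): #{unmatched_by_name(POLICY_LICENSE_TYPES, REPORT_TESTPY).inspect}"
  puts "expanded unmatched (testpy):  #{unmatched_licenses(POLICY_LICENSE_TYPES, REPORT_TESTPY).inspect}"
  puts "approval after django added:  #{approval_required?(POLICY_LICENSE_TYPES, REPORT_WITH_DJANGO, match_on_inclusion: false)}"
end
```

With the policy listing only MIT, the name-only comparison reports "MIT License" as unmatched and requires approval on the testpy-only pipeline; the expanded comparison reports nothing until django brings in a BSD-3-Clause dependency, which is the behaviour the validation steps below check.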

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

How to set up and validate locally

  1. Create a project
  2. Create .gitlab-ci.yml
    include:
      - template: Jobs/Dependency-Scanning.gitlab-ci.yml
    
    job:
      script: echo 'test'
  3. Create a requirements.txt file containing testpy
  4. Create a policy:
    type: approval_policy
    name: Test
    description: ''
    enabled: true
    rules:
      - type: license_finding
        match_on_inclusion: false
        license_types:
          - MIT
        license_states:
          - newly_detected
          - detected
        branch_type: protected
    actions:
      - type: require_approval
        approvals_required: 1
        role_approvers:
          - developer
  5. Update README.md in MR
  6. Verify that approvals are not required
  7. Add django into requirements.txt
  8. Verify that approvals become required after the pipeline finishes

Related to #438584 (closed)

Edited by Martin Čavoj
