Add custom license to license widget

What does this MR do and why?

Add custom license to license widget

Related to #478519

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

Screenshots are required for UI changes, and strongly recommended for all other merge requests.

Before / After (screenshot comparison not captured on this page)

How to set up and validate locally

Numbered steps to set up and validate the change are strongly suggested.

  1. Enable the custom_software_license and license_scanning_with_sbom_licenses feature flags in the Rails console:

Feature.enable(:custom_software_license)
Feature.enable(:license_scanning_with_sbom_licenses)

  2. Create a new project.
  3. Go to Secure > Policies.
  4. Click New policy.
  5. Select Merge request approval policy.
  6. Create a policy like:

type: approval_policy
name: test custom license
description: ''
enabled: true
rules:
  - type: license_finding
    match_on_inclusion_license: true
    license_types:
      - Custom-License
    license_states:
      - detected
    branch_type: protected
actions:
  - type: require_approval
    approvals_required: 1
    role_approvers:
      - developer
  - type: send_bot_message
    enabled: true
approval_settings:
  block_branch_modification: false
  prevent_pushing_and_force_pushing: false
  prevent_approval_by_author: false
  prevent_approval_by_commit_author: false
  remove_approvals_with_new_commit: false
  require_password_to_approve: false
fallback_behavior:
  fail: closed

  7. Add a .gitlab-ci.yml with the content (the job override skips the real scanner and just uploads the committed SBOM as the CycloneDX report):

include:
  - template: Jobs/Dependency-Scanning.gitlab-ci.yml

gemnasium-dependency_scanning:
  stage: test
  script: 'pwd'
  artifacts:
    reports:
      cyclonedx: gl-sbom-gem-bundler.cdx.json

  8. Add an empty Gemfile.lock file.
  9. Add a file called gl-sbom-gem-bundler.cdx.json with the content:

{
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "serialNumber": "urn:uuid:a15e529c-2113-4a11-a694-6bc3ea4e2b53",
    "version": 1,
    "metadata": {
        "timestamp": "2022-02-23T08:02:39Z",
        "tools": [
            {
                "vendor": "GitLab",
                "name": "Gemnasium",
                "version": "2.34.0"
            }
        ],
        "authors": [
            {
                "name": "GitLab",
                "email": "support@gitlab.com"
            }
        ],
        "properties": [
            {
                "name": "gitlab:dependency_scanning:input_file:path",
                "value": "Gemfile.lock"
            },
            {
                "name": "gitlab:dependency_scanning:package_manager:name",
                "value": "bundler"
            },
            {
                "name": "gitlab:meta:schema_version",
                "value": "1"
            }
        ]
    },
    "components": [
        {
            "name": "sidekiq",
            "version": "4.2.10",
            "purl": "pkg:gem/sidekiq@4.2.10",
            "type": "library",
            "bom-ref": "pkg:gem/sidekiq@4.2.10",
            "licenses": [
                {
                    "license": {
                        "name": "Custom-License"
                    }
                }
            ]
        }
    ]
}

  10. Run a pipeline.
  11. Verify the new license in the Licenses tab.
  12. Click Manage Licenses and verify the dependency has the new license.
  13. Create a new merge request.
  14. Verify the MR is blocked and requires approval.
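To make the expected outcome of the validation steps concrete, here is an added Ruby example (not code from this MR or from GitLab) that reads a constructed CycloneDX SBOM like the fixture above and evaluates a reduced form of the license_finding rule against it. The function names, the rule hash, the second component (rake under MIT) and the treatment of license_states are assumptions for illustration; the point shown is that a custom license only reaches the policy as a free-form `name` rather than an SPDX `id`, so the matcher must fall back to `name`, and that match_on_inclusion_license flips the rule between a denylist and an allowlist.

```ruby
require 'json'

# Constructed SBOM: the sidekiq component from the MR fixture (custom license by name)
# plus an assumed MIT component (SPDX id) so both license shapes are exercised.
SBOM_JSON = <<~JSON
  {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "components": [
      {
        "name": "sidekiq", "version": "4.2.10", "type": "library",
        "purl": "pkg:gem/sidekiq@4.2.10",
        "licenses": [ { "license": { "name": "Custom-License" } } ]
      },
      {
        "name": "rake", "version": "13.0.6", "type": "library",
        "purl": "pkg:gem/rake@13.0.6",
        "licenses": [ { "license": { "id": "MIT" } } ]
      }
    ]
  }
JSON

# Hypothetical reduction of the `license_finding` rule from the policy YAML in the steps above.
POLICY_RULE = {
  'type' => 'license_finding',
  'match_on_inclusion_license' => true,
  'license_types' => ['Custom-License'],
  'license_states' => ['detected']
}.freeze

# Extract [{purl:, license:}] pairs from the SBOM. A CycloneDX license entry carries either an
# SPDX `id` or a free-form `name`; custom licenses only ever have the latter.
def license_findings(sbom_json)
  JSON.parse(sbom_json).fetch('components', []).flat_map do |component|
    component.fetch('licenses', []).map do |entry|
      lic = entry['license'] || {}
      { purl: component['purl'], license: lic['id'] || lic['name'] || 'unknown' }
    end
  end
end

# Findings that trigger the rule. With match_on_inclusion_license true the listed licenses are a
# denylist; with false they are an allowlist and anything else fires. When license_states holds
# only 'newly_detected', licenses already present on the target branch (base_findings) are ignored
# (assumed semantics for this example).
def violating_findings(rule, findings, base_findings: [])
  listed = rule['license_types'].map(&:downcase)
  states = rule.fetch('license_states', ['detected'])
  new_only = states.include?('newly_detected') && !states.include?('detected')
  base_licenses = base_findings.map { |f| f[:license].downcase }

  findings.select do |f|
    name = f[:license].downcase
    in_list = listed.include?(name)
    matched = rule['match_on_inclusion_license'] ? in_list : !in_list
    matched && !(new_only && base_licenses.include?(name))
  end
end

# True when the MR should be blocked pending the policy's require_approval action.
def approval_required?(rule, sbom_json, base_findings: [])
  !violating_findings(rule, license_findings(sbom_json), base_findings: base_findings).empty?
end

if __FILE__ == $PROGRAM_NAME
  hits = violating_findings(POLICY_RULE, license_findings(SBOM_JSON))
  puts "approval required: #{!hits.empty?} (#{hits.map { |h| h[:purl] }.join(', ')})"
end
```

Running the script against the constructed SBOM reports sidekiq as the single violating component, which is the "MR is blocked and requires approval" state the final validation step checks for; changing license_types to a license that is not in the SBOM lets the MR through.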

Edited by Marcos Rocha