Use CycloneDX SBOMs licenses in license scanner
## What does this MR do and why?

This MR updates our code to use the licenses declared in CycloneDX SBOMs in the license scanner, as described here.

Related to: #415935
## MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
## Screenshots or screen recordings
## How to set up and validate locally

Numbered steps to set up and validate the change are strongly suggested.
- Enable the `license_scanning_with_sbom_licenses` feature flag on the rails console
- Create a new project
- Add a `.gitlab-ci.yml` with the content

  ```yaml
  include:
    - template: Jobs/Dependency-Scanning.gitlab-ci.yml
  gemnasium-dependency_scanning:
    stage: test
    script: 'pwd'
    artifacts:
      reports:
        cyclonedx: gl-sbom-gem-bundler.cdx.json
  ```

- Add an empty `Gemfile.lock` file
- Add a file called `gl-sbom-gem-bundler.cdx.json` with the content

  ```json
  {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "serialNumber": "urn:uuid:a15e529c-2113-4a11-a694-6bc3ea4e2b53",
    "version": 1,
    "metadata": {
      "timestamp": "2022-02-23T08:02:39Z",
      "tools": [
        {
          "vendor": "GitLab",
          "name": "Gemnasium",
          "version": "2.34.0"
        }
      ],
      "authors": [
        {
          "name": "GitLab",
          "email": "support@gitlab.com"
        }
      ],
      "properties": [
        {
          "name": "gitlab:dependency_scanning:input_file:path",
          "value": "Gemfile.lock"
        },
        {
          "name": "gitlab:dependency_scanning:package_manager:name",
          "value": "bundler"
        },
        {
          "name": "gitlab:meta:schema_version",
          "value": "1"
        }
      ]
    },
    "components": [
      {
        "name": "sidekiq",
        "version": "4.2.10",
        "purl": "pkg:gem/sidekiq@4.2.10",
        "type": "library",
        "bom-ref": "pkg:gem/sidekiq@4.2.10",
        "licenses": [
          {
            "license": {
              "name": "Custom-License"
            }
          }
        ]
      },
      {
        "name": "activesupport",
        "version": "5.1.4",
        "purl": "pkg:gem/activesupport@5.1.4",
        "type": "library",
        "bom-ref": "pkg:gem/activesupport@5.1.4"
      }
    ]
  }
  ```

- Go to Build > Pipelines
- Click on the last pipeline
- Click on the Licenses tab
- Click on Manage Licenses and verify that the dependency `sidekiq` has the `Custom-License` license defined in the SBOM report and `activesupport` has the `MIT License` license defined in the license database
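The behaviour these steps validate (a component's license comes from the SBOM when the SBOM declares one, and from the license database otherwise) as an added stand-alone Ruby example. This is not GitLab's license scanner code: the SBOM fixture is a constructed copy of the one above, `LICENSE_DB` is a constructed in-memory stand-in for the license database, and the function names are hypothetical.

```ruby
require 'json'

# Constructed CycloneDX 1.4 SBOM mirroring the fixture used in the validation
# steps: sidekiq declares a license, activesupport declares none.
SBOM_JSON = <<~SBOM
  {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
      {
        "name": "sidekiq",
        "version": "4.2.10",
        "purl": "pkg:gem/sidekiq@4.2.10",
        "type": "library",
        "licenses": [
          { "license": { "name": "Custom-License" } }
        ]
      },
      {
        "name": "activesupport",
        "version": "5.1.4",
        "purl": "pkg:gem/activesupport@5.1.4",
        "type": "library"
      }
    ]
  }
SBOM

# Constructed stand-in for the license database lookup (purl => licenses).
# sidekiq is listed here deliberately so the example shows that the SBOM's
# own declaration takes precedence over the database entry.
LICENSE_DB = {
  'pkg:gem/activesupport@5.1.4' => ['MIT'],
  'pkg:gem/sidekiq@4.2.10' => ['LGPL-3.0']
}.freeze

# Extracts license names from a CycloneDX component's "licenses" array.
# Each entry is either {"license": {"id"|"name": ...}} or an SPDX
# {"expression": "..."}; both shapes are handled.
def sbom_licenses(component)
  Array(component['licenses']).filter_map do |entry|
    if entry['license']
      entry['license']['id'] || entry['license']['name']
    else
      entry['expression']
    end
  end
end

# Returns purl => { licenses:, source: }, where :source records whether the
# licenses came from the SBOM report or from the fallback license database.
def resolve_licenses(sbom_json, license_db)
  sbom = JSON.parse(sbom_json)
  raise ArgumentError, 'not a CycloneDX SBOM' unless sbom['bomFormat'] == 'CycloneDX'

  sbom.fetch('components', []).each_with_object({}) do |component, acc|
    purl = component['purl']
    next unless purl # components without a purl cannot be matched to the DB

    from_sbom = sbom_licenses(component)
    acc[purl] = if from_sbom.empty?
                  { licenses: license_db.fetch(purl, ['unknown']), source: :license_db }
                else
                  { licenses: from_sbom, source: :sbom }
                end
  end
end

if __FILE__ == $PROGRAM_NAME
  resolve_licenses(SBOM_JSON, LICENSE_DB).each do |purl, info|
    puts "#{purl}: #{info[:licenses].join(', ')} (#{info[:source]})"
  end
end
```

Run directly, the script prints `Custom-License (sbom)` for sidekiq and `MIT (license_db)` for activesupport, which is the same outcome the Manage Licenses step checks in the UI.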
Edited by Marcos Rocha