Use SoftwareLicenses catalogue to load license lists and persist spdx_identifier

What does this MR do and why?

We want to read the license information from the Gitlab::SPDX::Catalogue and remove the Software Licenses table as proposed in this issue.

This MR

  • Adds an all_license_names method to Gitlab::SPDX::Catalogue and updates the SecurityOrchestrationHelper to load the license names from the catalogue when the static_licenses feature flag is enabled.
  • Persists the software_license_spdx_identifier using the information from the ::Gitlab::SPDX::Catalogue. The software_license_spdx_identifier should be persisted even if static_licenses is disabled, to prepare our database for the software_licenses table removal. It seems we missed this part in MR. We might need to run the migration in this MR again after merging this MR and before enabling the static_licenses feature flag.
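As an added illustration (not code from this MR or from GitLab), the following stand-in shows the two behaviours the bullets describe: a catalogue that exposes its non-deprecated license names for the dropdown, and a policy-attribute builder that resolves software_license_spdx_identifier from the catalogue whether or not static_licenses is enabled. The class DemoCatalogue, the method spdx_identifier_for, the function build_policy_attributes, the JSON sample and the legacy id table are all constructed for this example; the real Gitlab::SPDX::Catalogue reads the SPDX license list from a file and has a different API.

```ruby
require 'json'

# Constructed sample shaped like SPDX license-list entries (licenseId / name).
# The real catalogue loads the full list; this is inline so the example runs offline.
SAMPLE_CATALOGUE_JSON = <<~JSON
  {
    "licenses": [
      { "licenseId": "MIT", "name": "MIT License", "isDeprecatedLicenseId": false },
      { "licenseId": "Apache-2.0", "name": "Apache License 2.0", "isDeprecatedLicenseId": false },
      { "licenseId": "3D-Slicer-1.0", "name": "3D Slicer License v1.0", "isDeprecatedLicenseId": false },
      { "licenseId": "GPL-2.0", "name": "GNU General Public License v2.0 only", "isDeprecatedLicenseId": true }
    ]
  }
JSON

# Constructed stand-in for rows of the legacy software_licenses table (name => id),
# only consulted while the legacy table is still the source of truth.
LEGACY_SOFTWARE_LICENSE_IDS = {
  'MIT License' => 101,
  'Apache License 2.0' => 102,
  '3D Slicer License v1.0' => 103
}.freeze

# Hypothetical minimal counterpart of Gitlab::SPDX::Catalogue.
class DemoCatalogue
  License = Struct.new(:id, :name, :deprecated)

  def initialize(json)
    @licenses = JSON.parse(json).fetch('licenses').map do |entry|
      License.new(entry.fetch('licenseId'), entry.fetch('name'), entry.fetch('isDeprecatedLicenseId', false))
    end
    # Deprecated identifiers are excluded so a policy cannot be created against them.
    @by_name = @licenses.reject(&:deprecated).to_h { |l| [l.name, l.id] }
  end

  # Names offered in the "Select license types" dropdown (hypothetical counterpart
  # of the all_license_names method the MR adds).
  def all_license_names
    @by_name.keys.sort
  end

  # Exact-name lookup; nil for unknown or deprecated names so the caller decides.
  def spdx_identifier_for(name)
    @by_name[name]
  end
end

# Builds the attributes a SoftwareLicensePolicy row would be written with.
# The SPDX identifier is always resolved from the catalogue; the legacy
# software_license_id foreign key is only set while static_licenses is disabled.
def build_policy_attributes(catalogue, license_name:, classification:, static_licenses_enabled:)
  spdx_id = catalogue.spdx_identifier_for(license_name)
  raise ArgumentError, "unknown or deprecated license name: #{license_name.inspect}" if spdx_id.nil?

  attrs = {
    classification: classification,
    software_license_spdx_identifier: spdx_id
  }
  attrs[:software_license_id] = LEGACY_SOFTWARE_LICENSE_IDS.fetch(license_name) unless static_licenses_enabled
  attrs
end

if __FILE__ == $PROGRAM_NAME
  catalogue = DemoCatalogue.new(SAMPLE_CATALOGUE_JSON)
  p catalogue.all_license_names
  p build_policy_attributes(catalogue, license_name: '3D Slicer License v1.0',
                                       classification: 'denied', static_licenses_enabled: false)
end
```

The unknown-name branch raises rather than silently writing a nil identifier; a row without software_license_spdx_identifier would be orphaned once the software_licenses table is dropped, which is exactly the gap the second bullet is closing.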

References

Please include cross links to any resources that are relevant to this MR. This will give reviewers and future readers helpful context to give an efficient review of the changes introduced.

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

How to set up and validate locally

  1. Create a new project.
  2. Enable the feature flag static_licenses and disable the feature flag custom_software_license (in a Rails console):

         Feature.enable(:static_licenses)
         Feature.disable(:custom_software_license)

  3. Go to Secure > Policies.
  4. Click on New policy.
  5. Select Merge request approval policy.
  6. In Rules, select License Scanning.
  7. Verify the licenses are available in Select license types.
  8. Select a license from the list and merge the policy.
  9. Verify the software_license_spdx_identifier was persisted in the database (Rails console):

         SoftwareLicensePolicy.last
         #<SoftwareLicensePolicy:0x000000031acd7478
          id: 38048,
          project_id: 1166,
          software_license_id: 25514,
          classification: "denied",
          created_at: Mon, 03 Feb 2025 17:10:13.928118000 UTC +00:00,
          updated_at: Mon, 03 Feb 2025 17:10:13.928118000 UTC +00:00,
          scan_result_policy_id: 836,
          custom_software_license_id: nil,
          approval_policy_rule_id: 144,
          software_license_spdx_identifier: "3D-Slicer-1.0">
Edited by Marcos Rocha