Adjust license scanning code to work with static license

What does this MR do and why?

We want to read the license information from the Gitlab::SPDX::Catalogue and remove the Software Licenses table as proposed in this issue.

This MR adjusts the license scanning code to work with the static license catalog.

References

Please include cross links to any resources that are relevant to this MR. This will give reviewers and future readers helpful context to give an efficient review of the changes introduced.

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

Screenshot_2025-03-20_at_5.02.22_PM

Screenshot_2025-04-07_at_4.09.34_PM

How to set up and validate locally

1. Enable the feature flag static_licenses using the rails console:

   ```ruby
   Feature.enable(:static_licenses)
   ```

2. Create a new project.
3. Add a .gitlab-ci.yml file with the content:

   ```yaml
   include:
     - template: Security/Dependency-Scanning.gitlab-ci.yml
   ```

4. Go to Secure > Policies.
5. Click New policy.
6. Select Merge request approval policy.
7. Using the Rule mode:
   - In Rules > When, select License Scan
   - In Status is, select Newly Detected
   - Verify the License list is populated
8. Create a policy like:

   ```yaml
   approval_policy:
     - name: deny MIT License
       description: ''
       enabled: true
       rules:
         - type: license_finding
           match_on_inclusion_license: true
           license_states:
             - newly_detected
           branch_type: protected
           license_types:
             - MIT License
       actions:
         - type: require_approval
           approvals_required: 1
           role_approvers:
             - developer
         - type: send_bot_message
           enabled: true
       approval_settings:
         block_branch_modification: true
         prevent_pushing_and_force_pushing: true
         prevent_approval_by_author: true
         prevent_approval_by_commit_author: true
         remove_approvals_with_new_commit: true
         require_password_to_approve: false
       fallback_behavior:
         fail: closed
   ```

9. Create a new MR adding a Gemfile.lock file with the content:

   ```
   GEM
     remote: https://rubygems.org/
     specs:
       rack (3.0.4.1)

   PLATFORMS
     arm64-darwin-22

   DEPENDENCIES
     rack

   BUNDLED WITH
      2.4.22
   ```

10. Verify the MR is blocked.
11. Expand the License compliance MR widget and verify the MIT License is Denied.
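To make the expected outcome of the validation steps concrete, here is an added example (not GitLab's implementation, and not part of this MR) of a simplified, hypothetical evaluator for the license_finding rule above. It assumes license states are reported as newly_detected or detected, and the findings list is constructed sample data: with match_on_inclusion_license set to true, a newly detected MIT License finding (the rack gem) is the one violation, so approval is required.

```ruby
require "yaml"

# Constructed sample: the rule-relevant part of the policy from the steps above.
POLICY_YAML = <<~YAML
  approval_policy:
    - name: deny MIT License
      enabled: true
      rules:
        - type: license_finding
          match_on_inclusion_license: true
          license_states:
            - newly_detected
          branch_type: protected
          license_types:
            - MIT License
      actions:
        - type: require_approval
          approvals_required: 1
YAML

# Constructed license findings for the MR: package, its license, and whether
# the license is new in this MR (rack from the Gemfile.lock above is new).
FINDINGS = [
  { package: "rack", version: "3.0.4.1", license: "MIT License", newly_detected: true },
  { package: "rake", version: "13.0.6", license: "MIT License", newly_detected: false },
  { package: "nokogiri", version: "1.15.2", license: "Apache-2.0", newly_detected: true },
].freeze

# Hypothetical simplified evaluator: returns the findings that violate one
# license_finding rule. Assumption: a finding's state is "newly_detected" when
# it is new in the MR and "detected" otherwise.
def violating_findings(rule, findings)
  states = rule.fetch("license_states")
  listed = rule.fetch("license_types")
  inclusion = rule.fetch("match_on_inclusion_license")

  findings.select do |f|
    state = f[:newly_detected] ? "newly_detected" : "detected"
    next false unless states.include?(state)
    # inclusion => listed licenses are denied; otherwise only listed ones are allowed
    inclusion ? listed.include?(f[:license]) : !listed.include?(f[:license])
  end
end

# True when any enabled license_finding rule in the policy has a violation.
def policy_requires_approval?(policy_yaml, findings)
  policy = YAML.safe_load(policy_yaml).fetch("approval_policy").first
  return false unless policy["enabled"]
  rules = policy["rules"].select { |r| r["type"] == "license_finding" }
  rules.any? { |r| violating_findings(r, findings).any? }
end
```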
Edited by Marcos Rocha
