Link custom software license to software license policies

What does this MR do and why?

This MR updates SoftwareLicensePolicies::CreateService so that, when the referenced software_license is persisted in the database without an spdx_identifier, the service finds or creates the matching custom_software_license and links it to the new software_license_policy.

How to set up and validate locally

  1. Create a new project
  2. Disable the feature flag custom_software_license
Feature.disable(:custom_software_license)
  3. Add a SoftwareLicense without spdx_identifier to the database
SoftwareLicense.create(name: 'Software License Without SPDX')
  4. Go to Secure > Policies
  5. Click on New policy
  6. Select Merge request approval policy
  7. Change to .yaml mode and create a policy using the SoftwareLicense created in step 3
type: approval_policy
name: 'policy'
description: ''
enabled: true
rules:
  - type: license_finding
    match_on_inclusion_license: true
    license_types:
      - Software License Without SPDX
    license_states:
      - newly_detected
    branch_type: protected
actions:
  - type: require_approval
    approvals_required: 1
    role_approvers:
      - developer
  - type: send_bot_message
    enabled: true
approval_settings:
  block_branch_modification: true
  prevent_pushing_and_force_pushing: true
  prevent_approval_by_author: true
  prevent_approval_by_commit_author: true
  remove_approvals_with_new_commit: true
  require_password_to_approve: false
fallback_behavior:
  fail: closed
  8. Click on Configure with a merge request
  9. Merge the new MR
  10. Verify that a CustomSoftwareLicense was created in the database
[3] pry(main)> Security::CustomSoftwareLicense.last 
  Security::CustomSoftwareLicense Load (0.9ms)  SELECT "custom_software_licenses".* FROM "custom_software_licenses" ORDER BY "custom_software_licenses"."id" DESC LIMIT 1 
=> #<Security::CustomSoftwareLicense:0x0000000324cf1df0 id: 25109, project_id: 1178, name: "Software License Without SPDX">
  11. Verify that the CustomSoftwareLicense was linked to the SoftwareLicensePolicy
SoftwareLicensePolicy.last.custom_software_license_id
  SoftwareLicensePolicy Load (1.3ms)  SELECT "software_license_policies".* FROM "software_license_policies" ORDER BY "software_license_policies"."id" DESC LIMIT 1 
=> 25109
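The behaviour the description attributes to SoftwareLicensePolicies::CreateService, and which the validation steps above check through the console, can be modelled in plain Ruby. The following is an added example, not GitLab's own service code: the record classes, the in-memory store, the `project_id` scoping of the find-or-create and the handling of a name that matches no SoftwareLicense at all are assumptions made here for illustration. It shows the two branches (a license with an spdx_identifier is linked directly; one without gets a CustomSoftwareLicense found or created for the project) and that re-running the service reuses the existing custom license instead of creating duplicates.

```ruby
# Added example, not GitLab code. Record classes and store are invented here.
SoftwareLicense = Struct.new(:id, :name, :spdx_identifier)
CustomSoftwareLicense = Struct.new(:id, :project_id, :name)
SoftwareLicensePolicy = Struct.new(:id, :project_id, :software_license_id, :custom_software_license_id)

# Minimal in-memory stand-in for the database tables used in the steps above.
class InMemoryDb
  attr_reader :software_licenses, :custom_software_licenses, :policies

  def initialize
    @software_licenses = []
    @custom_software_licenses = []
    @policies = []
    @next_id = 0
  end

  def next_id
    @next_id += 1
  end
end

# Illustrative stand-in for the create service described in the MR.
class PolicyCreateService
  def initialize(db, project_id)
    @db = db
    @project_id = project_id
  end

  # license_types: the names listed under `license_types` in the policy YAML.
  def execute(license_types)
    license_types.map { |name| create_policy_for(name) }
  end

  private

  def create_policy_for(name)
    license = @db.software_licenses.find { |l| l.name == name }
    policy = SoftwareLicensePolicy.new(@db.next_id, @project_id, nil, nil)
    if license && license.spdx_identifier
      # Known SPDX license: link the SoftwareLicense row directly.
      policy.software_license_id = license.id
    else
      # No spdx_identifier (or, as an assumption of this example, no row at all):
      # find or create the project's CustomSoftwareLicense and link that instead.
      policy.custom_software_license_id = find_or_create_custom(name).id
    end
    @db.policies << policy
    policy
  end

  # Scoped to the project so repeated policy updates do not pile up duplicate
  # custom licenses and one project's custom names never bleed into another's.
  def find_or_create_custom(name)
    existing = @db.custom_software_licenses.find { |c| c.project_id == @project_id && c.name == name }
    return existing if existing

    created = CustomSoftwareLicense.new(@db.next_id, @project_id, name)
    @db.custom_software_licenses << created
    created
  end
end

# Constructed sample data mirroring the validation steps: one license with an
# SPDX identifier and the SPDX-less one created in step 3.
def demo
  db = InMemoryDb.new
  db.software_licenses << SoftwareLicense.new(db.next_id, 'MIT License', 'MIT')
  db.software_licenses << SoftwareLicense.new(db.next_id, 'Software License Without SPDX', nil)
  service = PolicyCreateService.new(db, 1178)
  first = service.execute(['MIT License', 'Software License Without SPDX'])
  # Re-applying the same policy must reuse the custom license rather than duplicate it.
  second = service.execute(['Software License Without SPDX'])
  { db: db, first: first, second: second }
end

if __FILE__ == $PROGRAM_NAME
  result = demo
  result[:first].each { |p| puts p.to_h }
  puts "custom licenses in store: #{result[:db].custom_software_licenses.size}"
end
```

Run it with `ruby` to see one policy linked through software_license_id and one through custom_software_license_id, with a single CustomSoftwareLicense row surviving the second run, which is the same pair of checks steps 10 and 11 perform in the console.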
Edited by Marcos Rocha
