Match and display policies to licenses that are already detected in a project
### Problem to solve

Problem: there is no clear way to tell whether the licenses detected in a project comply with the policies defined for it.

Context: this issue is based on discovery work done in https://gitlab.com/gitlab-org/gitlab-ee/issues/12941 and is a follow-up to https://gitlab.com/gitlab-org/gitlab/issues/14061.

Users can see licenses in a project (from scanning) and policies (from an admin classifying a license) separately, but not how they relate to each other. For example, in the policies section a user may see that an LPL 1.2 license is denied, but if that same license is detected in the project, the user wouldn't know it is denied without matching the two lists (detected/policy) manually.

:film_projector: [view walkthrough with context and iteration](https://youtu.be/Qg7FmoBCDbw)

### Intended users

* [Delaney (Development Team Lead)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#delaney-development-team-lead)
* [Sasha (Software Developer)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#sasha-software-developer)
* [Sam (Security Analyst)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#sam-security-analyst)
* Legal and/or the person responsible for the organization's compliance

### Further details

##### Jobs to be done

* *User that is responsible for compliance:* When my organization has policies for licenses, I want to be aware of my company's policies, so I can make sure my project's licenses comply with them.
* *User that is accountable for compliance:* When I need to enforce our organization's license restrictions, I want to be able to view them and define policies, so that I can ensure a project's compliance.

### Proposal ideation

If policies have been created for a project, match them to the licenses detected in that project. Display the matching license classification policies in the "detected in project" list.
##### Iteration iv: UX ready for development

![uxready](/uploads/45f8094724e1192af97aa76cbe3b28bd/uxready.png)

<details><summary>iteration iii</summary>

![all](/uploads/75e9bd9468d342f669e6634093c228a0/all.png)

* Likes version ii, surfacing licenses to the top
* Banner is helpful, but update copy to present tense
* Consider version iii later

</details>

<details><summary>iteration ii</summary>

![all1](/uploads/b5026aba1aeb42b207a3428ae22d1a4f/all1.png)

Iteration ii feedback from [UX team review](https://docs.google.com/document/d/1xwwLHLq1fW0_6tegt54n1DZseZ_IAIC0-M95n01tCs0/edit?usp=sharing) and [SCA team review](https://docs.google.com/document/d/1nmNKkWS9qmEidsqWswFZzKAQL9YVCFRitQxow5C9pbY/edit?usp=sharing):

* Consider creating additional columns for the violation
* Better display why a license is being surfaced
* Explore using the blue and/or green value for the background
* There may be labels with text and icon in the library to use for `policy violation`
* Let's look at how to identify where/when this was found to show later. Related: [audit log](https://gitlab.com/gitlab-org/gitlab/issues/199228) or maybe can leverage `git-blame`.
* Need to solve the problem of finding the particular dependency correlated with the MR
* Ideally we'd have the info for all the dependencies' name/version and would know the MR where each was introduced

</details>

<details><summary>old iteration: scoped down</summary>

| Developer UI (*design update in progress*) |
| ------ |
| ![developer](/uploads/0ae59c6be649183a35b7ff31de4bc227/developer.png) |

| Developer UI | Maintainer UI |
| ------ | ------ |
| ![developer](/uploads/0ae59c6be649183a35b7ff31de4bc227/developer.png) | ![maintainer](/uploads/e0a0bf72488f09f7ac541ee217545d19/maintainer.png) |

* Due to de-prioritization, de-scoped: removed the user's ability to add a policy to an existing license

</details>

### Permissions and Security

* Developers may view policies, but can't adjust them
* For public projects, the policy section is not visible to non-project participants (https://gitlab.com/gitlab-org/gitlab/issues/33659)

### Documentation

..

### Testing

ToDo

<!-- What risks does this change pose? How might it affect the quality of the product? What additional test coverage or changes to tests will be needed? Will it require cross-browser testing? See the test engineering process for further help: https://about.gitlab.com/handbook/engineering/quality/test-engineering/ -->

### What does success look like, and how can we measure that?

* A developer lands on the page and can determine whether there are denied licenses in the project

### What is the type of buyer?

Ultimate

### Links / references

* https://gitlab.com/gitlab-org/gitlab/issues/12941

### Implementation Plan

#### Backend

* [x] Combine licenses from the latest scan report with the policies configured for the project.
* [x] Serve the combined licenses from the `/projects/-/licenses.json` endpoint.
* [ ] Add `order_by` filter to sort by `classification`.
  https://gitlab.com/gitlab-org/gitlab/-/issues/213592

### UX

* [ ] []()

### Frontend - person

* [ ] []()

### Documentation - person

* [ ] [User Documentation]()

### Product Management - @NicoleSchwartz

* [ ] [Release Post]()
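The matching described in the proposal and the Backend plan (combine the licenses from the latest scan report with the project's policies, then sort by classification so denied licenses surface to the top), as an added Ruby example that is not GitLab's own code: the scan report layout, the policy records, the `unclassified` value for licenses without a policy, and the function names are assumptions made for this illustration.

```ruby
# Added example, not GitLab code: merge licenses found by a scan with the
# project's license policies and order the result by classification.
require 'json'

# Constructed sample scan report (assumed layout, not GitLab's report schema).
SAMPLE_REPORT_JSON = <<~JSON
  {
    "licenses": [
      {"id": "MIT", "name": "MIT License", "dependencies": ["rails", "rake"]},
      {"id": "LGPL-2.1", "name": "GNU LGPL 2.1", "dependencies": ["libxml2"]},
      {"id": "BSD-3-Clause", "name": "BSD 3-Clause", "dependencies": ["nokogiri"]}
    ]
  }
JSON

# Constructed sample policies, as an admin might classify licenses for the project.
# GPL-3.0 has a policy but is not detected, so it never reaches the "detected" list.
SAMPLE_POLICIES = [
  { 'license_id' => 'MIT', 'classification' => 'allowed' },
  { 'license_id' => 'LGPL-2.1', 'classification' => 'denied' },
  { 'license_id' => 'GPL-3.0', 'classification' => 'denied' }
].freeze

# Sort rank for order_by=classification: violations first, then licenses that
# still need a decision, then allowed ones. 'unclassified' is an assumed value.
CLASSIFICATION_RANK = { 'denied' => 0, 'unclassified' => 1, 'allowed' => 2 }.freeze

# Normalise identifiers so a scanner's "mit" matches a policy written as "MIT".
def normalize_id(id)
  id.to_s.strip.downcase
end

# Combine detected licenses with policies: every detected license carries the
# classification of its matching policy, or 'unclassified' when no policy exists.
def combine_licenses(report_json, policies)
  report = JSON.parse(report_json)
  policy_index = policies.each_with_object({}) do |policy, index|
    index[normalize_id(policy['license_id'])] = policy['classification']
  end

  report.fetch('licenses', []).map do |license|
    classification = policy_index.fetch(normalize_id(license['id']), 'unclassified')
    {
      'id' => license['id'],
      'name' => license['name'],
      'dependencies' => license.fetch('dependencies', []),
      'classification' => classification,
      'policy_violation' => classification == 'denied'
    }
  end
end

# order_by=classification: denied, then unclassified, then allowed; name breaks ties.
def order_by_classification(combined)
  combined.sort_by { |l| [CLASSIFICATION_RANK.fetch(l['classification'], 1), l['name']] }
end

# Policies whose license is not present in the scan report (useful for a
# "policies without matches" view; not part of the detected list).
def policies_without_detection(report_json, policies)
  detected = JSON.parse(report_json).fetch('licenses', []).map { |l| normalize_id(l['id']) }
  policies.reject { |p| detected.include?(normalize_id(p['license_id'])) }
end

if __FILE__ == $PROGRAM_NAME
  combined = combine_licenses(SAMPLE_REPORT_JSON, SAMPLE_POLICIES)
  puts JSON.pretty_generate(order_by_classification(combined))
end
```

The combined records are what an endpoint such as `/projects/-/licenses.json` would serve; the `policy_violation` flag is the value a "policy violation" label in the detected list can key off, and the rank table is the whole of the `order_by=classification` behaviour.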