Add License information to the Dependency List based on current license rules
Problem to solve
The Bill Of Materials (BOM) lists all the dependencies in a project.
One of the relevant information people are interested in for this view is the license status for each dependency. In this way, they can easily check (and prove to Compliance) that the app doesn't contain any forbidden component.
We already have License Management results available. We should link this information in the BOM view.
- Delaney, Development Team Lead
Add a new column to the BOM with the license information for each given dependency, if available.
Each dependency will report its license. We can also add the status based on the license rules set for the project.
What data points are anchored? License name(s) anchor to
url, which contain license documentation. The
url is a data point we include in the MR license check section (see example: gitlab-examples/security/security-reports!15 - click the license name). In the case of the license name in the table: if the
url to documentation is available we link the license name directly to it. The license name is only linked if the
url documentation is available.
Permissions and Security
Permissions to see the licenses allow everyone to see that. Permissions to see license status should be consistent with permissions of the same information in the merge request widget.
We need to document which information is available and explain the possible values.
We can also crosslink this from the License Management documentation.
What does success look like, and how can we measure that?
Number of page views for the BOM.