Detect opensource software in project
Problem to solve
Some proprietary projects may embed open-source code, either as vendored libraries or as portions of external projects. Enterprises need a way to spot open-source components, or fractions of those components, in their source code.
Intended users
- Delaney, Development Team Lead, https://design.gitlab.com/research/personas#persona-delaney
- Sasha, Software Developer, https://design.gitlab.com/research/personas#persona-sasha
Further details
Currently, ~"dependency scanning" is only able to report declared dependencies. We have an issue open to improve the detection and spot vendored dependencies, but that is not enough. Even a portion of an open-source project (a single file, or only parts of a file) can have an impact on the project, and ultimately on the company itself. To limit legal liability, these companies should be able to spot open-source software, in all its forms, in their source code.
Proposal
I don't have a solution in mind for now; this issue is being created as a holder for further discussions on the topic. Even keeping a signature for every single file out there would not be enough, as the file could be altered to keep only the necessary portions. A better way to handle this might be to store, for every open-source project, a signature of the functions it defines (name, target, parameters). It's likely that copied code will keep function names as they are. This would represent a huge amount of data, which would be a problem for air-gapped networks.
Ideally, when the pipeline is running, our detection system would report dependencies in the Dependency List, including portions of detected open-source code, with a warning. It could be part of the license management section too. To be discussed.
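To make the function-signature idea above concrete, here is an added illustration in Python; it is not GitLab code and not part of this proposal. It assumes both the known open-source corpus and the scanned project are Python sources (so the `ast` module can extract definitions), uses a constructed corpus with hypothetical project names (`libfastjson`, `tinyhttp`) and hypothetical file paths, and reports a file only when at least half of its functions match one project. Dunder methods and a small list of generic names are skipped, since names like `__init__` or `main` would match almost any project and produce noise. The index stores one short hash per function rather than the source itself, which is the kind of compact representation the data-volume concern above would require.

```python
"""Added example (hypothetical): index function signatures of known open-source
projects and report files in a proprietary tree whose functions match them."""
import ast
import hashlib
from collections import defaultdict

# Names too generic to be evidence of copying (assumption: tune per language/ecosystem).
GENERIC_NAMES = {"main", "setup", "run", "test", "get", "set", "load", "save"}


def extract_signatures(source: str) -> set:
    """Return {(function_name, (param, ...))} for every def in a Python source string."""
    sigs = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            if node.name.startswith("__") or node.name in GENERIC_NAMES:
                continue
            a = node.args
            params = tuple(p.arg for p in a.posonlyargs + a.args + a.kwonlyargs)
            sigs.add((node.name, params))
    return sigs


def signature_id(sig) -> str:
    """Compact, fixed-size key: a truncated SHA-256 of 'name(p1,p2,...)'."""
    name, params = sig
    return hashlib.sha256(f"{name}({','.join(params)})".encode()).hexdigest()[:16]


def build_index(projects: dict) -> dict:
    """projects = {project_name: {path: source}} -> {signature_id: {project_name, ...}}."""
    index = defaultdict(set)
    for project, files in projects.items():
        for source in files.values():
            for sig in extract_signatures(source):
                index[signature_id(sig)].add(project)
    return index


def scan(index: dict, project_files: dict, threshold: float = 0.5) -> dict:
    """For each scanned file, report projects whose signatures cover >= threshold of its functions."""
    report = {}
    for path, source in project_files.items():
        sigs = extract_signatures(source)
        if not sigs:  # nothing comparable in this file (e.g. only generic names)
            continue
        hits = defaultdict(list)
        for sig in sigs:
            for project in index.get(signature_id(sig), ()):
                hits[project].append(sig[0])
        for project, names in hits.items():
            fraction = len(names) / len(sigs)
            if fraction >= threshold:
                report.setdefault(path, {})[project] = {
                    "matched": len(names), "total": len(sigs),
                    "fraction": fraction, "functions": sorted(names)}
    return report


# Constructed corpus of "known open-source projects" (hypothetical names and code).
KNOWN_PROJECTS = {
    "libfastjson": {"fastjson/parse.py": '''
def skip_whitespace(buf, pos):
    while pos < len(buf) and buf[pos].isspace():
        pos += 1
    return pos

def parse_number(buf, pos):
    start = pos
    while pos < len(buf) and buf[pos] in "0123456789.-+eE":
        pos += 1
    return float(buf[start:pos]), pos

def parse_string(buf, pos, escape_quotes=False):
    pass

class Parser:
    def __init__(self, buf):
        self.buf = buf
    def parse(self):
        pass
'''},
    "tinyhttp": {"tinyhttp/server.py": '''
def parse_request_line(line):
    pass

def build_response(status, body):
    pass
'''},
}

# Constructed "proprietary" tree: one file copied two functions, one file is original.
PROPRIETARY = {
    "app/util/json_fast.py": '''
def skip_whitespace(buf, pos):
    while pos < len(buf) and buf[pos].isspace():
        pos += 1
    return pos

def parse_number(buf, pos):
    start = pos
    while pos < len(buf) and buf[pos] in "0123456789.-+eE":
        pos += 1
    return float(buf[start:pos]), pos

def load_config(path):
    pass
''',
    "app/main.py": "def main():\n    pass\n",
}

if __name__ == "__main__":
    for path, projects in scan(build_index(KNOWN_PROJECTS), PROPRIETARY).items():
        for project, hit in projects.items():
            print(f"WARNING {path}: {hit['matched']}/{hit['total']} functions match "
                  f"{project}: {', '.join(hit['functions'])}")
```

In a pipeline this warning would feed the Dependency List entry for `libfastjson` so the license check runs even though no package manifest declares it. The threshold and the generic-name list are the main false-positive controls; matching on parameter names as well as function names is what keeps a lone `parse(self)` from counting as a hit.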
Permissions and Security
TODO
Documentation
Testing
What does success look like, and how can we measure that?
Users detect license issues that were not caught by license management before.
What is the type of buyer?
Executive