Backfill SPDX identifiers in software_licenses table
What does this MR do?
This MR adds the spdx_identifier to the software_licenses table. The spdx_identifier originates from the SPDX database. By storing the spdx_identifier we can improve how we detect software license violations. SPDX is an open standard for communicating software bill of materials information, including license names and identifiers.
Today we perform a case-insensitive match against the name of the license. This has proved not to be dependable, because a software license can have multiple names. V2 of the license management report has been released and includes the SPDX identifier for each detected license. This MR benefits us because we can now work towards performing a diff based on a license identifier, which is not likely to change, rather than a name, which is likely to be inconsistent, as demonstrated here.
This MR also seeds the software_licenses table with all licenses described in the SPDX index. This provides an opportunity for our customers to classify any license before detection, rather than depending on user-entered license names to provide that information.
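The contrast the description draws, as an added example that is not code from this MR or from GitLab: a hypothetical in-memory stand-in for the software_licenses table is seeded from a constructed three-entry index in the shape of the SPDX license list JSON, and detected licenses from a V2-style report are looked up first by spdx_identifier and only then by case-insensitive name. The fallback to the name match for entries without an identifier, the `classification` column and the sample report entries are assumptions made for the example.

```ruby
require 'json'

# Constructed sample in the shape of the SPDX license list JSON
# (https://spdx.org/licenses/licenses.json): a "licenses" array whose
# entries carry "licenseId" and "name". Three entries only, for illustration.
SPDX_INDEX_JSON = <<~INDEX
  {
    "licenses": [
      { "licenseId": "MIT",          "name": "MIT License" },
      { "licenseId": "Apache-2.0",   "name": "Apache License 2.0" },
      { "licenseId": "GPL-3.0-only", "name": "GNU General Public License v3.0 only" }
    ]
  }
INDEX

# Hypothetical in-memory stand-in for the software_licenses table: one row
# per license with the two columns discussed in the MR plus the customer's
# classification ("approved", "denied", or nil when not yet classified).
SoftwareLicense = Struct.new(:name, :spdx_identifier, :classification)

# Seed the table from the SPDX index so every license can be classified
# before it is ever detected in a project.
def seed_software_licenses(index_json)
  JSON.parse(index_json).fetch('licenses').map do |entry|
    SoftwareLicense.new(entry.fetch('name'), entry.fetch('licenseId'), nil)
  end
end

# Old lookup: case-insensitive match on the license name. Misses the row as
# soon as a scanner reports the same license under a different name.
def find_by_name(table, name)
  return nil if name.nil?

  table.find { |row| row.name.casecmp?(name) }
end

# New lookup: exact match on the SPDX identifier shipped in V2 reports.
# Falling back to the name match when no identifier is present is an
# assumption made here, not something the MR specifies.
def find_license(table, detected)
  id = detected[:spdx_identifier]
  by_id = id && table.find { |row| row.spdx_identifier == id }
  by_id || find_by_name(table, detected[:name])
end

# Names of detected licenses whose table row is classified "denied".
# by_spdx: false reproduces the name-only behaviour for comparison.
def license_violations(table, detected_licenses, by_spdx: true)
  detected_licenses.each_with_object([]) do |detected, violations|
    row = by_spdx ? find_license(table, detected) : find_by_name(table, detected[:name])
    violations << detected[:name] if row && row.classification == 'denied'
  end
end

# Constructed entries as a V2 report would carry them: the scanner's own
# name for the license next to its SPDX identifier.
DETECTED_V2 = [
  { name: 'The MIT License', spdx_identifier: 'MIT' },
  { name: 'GNU GPLv3',       spdx_identifier: 'GPL-3.0-only' }
].freeze

if __FILE__ == $PROGRAM_NAME
  table = seed_software_licenses(SPDX_INDEX_JSON)
  # The customer denies GPL-3.0-only before any project reports it.
  table.find { |row| row.spdx_identifier == 'GPL-3.0-only' }.classification = 'denied'
  puts "name only: #{license_violations(table, DETECTED_V2, by_spdx: false).inspect}" # => []
  puts "by SPDX:   #{license_violations(table, DETECTED_V2).inspect}"                 # => ["GNU GPLv3"]
end
```

The name-only path reports no violation because "GNU GPLv3" does not equal the index name even ignoring case, while the identifier path finds the denied row directly; that is the gap the backfill closes.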
Does this MR meet the acceptance criteria?
- Changelog entry
- [-] Documentation created/updated or follow-up review issue created
- Code review guidelines
- Merge request performance guidelines
- Style guides
- Database guides
- Separation of EE specific content
Performance and Testing
- Review and add/update tests for this feature/bug. Consider all test levels. See the Test Planning Process.
- [-] Tested in all supported browsers
If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:
- [-] Label as security and @ mention
- [-] The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
- [-] Security reports checked/validated by a reviewer from the AppSec team