License Approval Policies
### Problem to solve

Security and Compliance teams would like to manage both their Security Approval Policies and their License Approval Policies centrally.
Additionally, managing these rules as policies will allow for the following benefits:

- Separation of duties between developers and security/compliance teams
- Full audit history of all policy changes
- Ability to require approval for any policy changes
- Ability to provide more granular approval rules
- Ability to manage policies at the group and sub-group levels

### Intended users

* [Devon (DevOps Engineer)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#devon-devops-engineer)
* [Sidney (Systems Administrator)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#sidney-systems-administrator)
* [Sam (Security Analyst)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#sam-security-analyst)
* [Alex (Security Operations Engineer)](https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#alex-security-operations-engineer)

### User experience: Design

| First Run | License scanning selected | License syntax details |
|-----------|---------------------------|------------------------|
| ![Policy_Scan-result_License-Policy_first-run](/uploads/73aec691fa488b1182a63384ecda1c50/Policy_Scan-result_License-Policy_first-run.png) | ![Policy_Scan-result_License-Policy](/uploads/5e52efceb21189fe5537645c684af9f1/Policy_Scan-result_License-Policy.png) | ![Selection_detail](/uploads/1a90d147e7ac74b3816ffae6583975a6/Selection_detail.png) |

#### Inform the user about the change.
| In settings area | In project landing page |
|------------------|-------------------------|
| ![settings-message](/uploads/dd9c316a4f9cb8d72d342d109e30447b/settings-message.png) | ![landing_page-message](/uploads/4aa4521a93b7892b04a8685fa6170bf5/landing_page-message.png) |

#### Copy Changes

On the `Step 1` policy selection screen, scan result policy paragraph text:

Use a scan result policy to create rules that {-ensure security issues are checked-}{+check for security vulnerabilities and license compliance+} before merging a merge request.

### Proposal

1. Scan result policies will be extended to support license approval policies in addition to security approval policies.
2. A new option in the rule portion of the policy will allow users to define the conditions under which a license requires approval for an MR.
3. The `newly_detected` state will trigger whenever either a new package is introduced or a new license is detected for an existing package.
   1. Note: This allows users to require approval whenever a new dependency is introduced, even if it does not violate a license policy (see [this request](https://gitlab.com/gitlab-org/gitlab/-/issues/356809#note_931155521 "🎨 Design: Scanner-specific criteria in scan result policies") for use case and context; also see https://gitlab.com/gitlab-org/gitlab/-/issues/14818).
   2. Note: This also allows us to address use cases such as the one described in https://gitlab.com/gitlab-com/account-management/emea/walkme/-/issues/49#note_1076460797.
4. The MR widget for License Compliance and the License tab in the pipeline view will not be changed. The only visible change is that unknown licenses (not specified in the policy) trigger approvals.
5. We have a metric that allows us to verify this: the total number of projects, merge requests, and merge-request authors with at least one scan result policy that includes a license check.

#### From https://gitlab.com/gitlab-org/gitlab/-/issues/385608#note_1215030741:

> When we check whether or not a policy requires approval, we consider the sum of all the policies. If any one of the policies requires approval for a license, then the MR overall requires approval. I believe we should do the same thing for the License Compliance widget.
>
> * Licenses should be marked as `Denied` if any one of the policies (either License Approval or `license-check`) does not allow that license.
> * Licenses should be marked as `Approved` only if both of the following conditions are met:
>   * they are not already marked as `Denied`
>   * they are explicitly marked as `Approved` in the License Compliance -> Policies page **OR** they are part of a License Approval policy where they are specifically named in an `except` clause
>   * ![image](https://gitlab.com/gitlab-org/gitlab/uploads/29d45b12561dd6b451981ac745a70202/image.png)
> * All other licenses should be marked as `Uncategorized` only if they do not meet the criteria for either `Approved` or `Denied`
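The following Ruby sketch is an added example, not GitLab's code and not the policy syntax shipped in the product. It exercises two things from this page at once: the `newly_detected` / `detected` distinction from the Proposal (a finding is newly detected when the MR introduces a new package or a new license for an existing package), and the Denied / Approved / Uncategorized merge from the quoted note, where a license is `Denied` if any License Approval policy or the legacy `license-check` disallows it, `Approved` only if not denied and explicitly approved on the Policies page or named in a policy's `except` clause, and `Uncategorized` otherwise. The policy representation (`mode`, `licenses`, `license_states`), the legacy `license-check` hash, the sample packages and licenses, and all function names are assumptions constructed for the example.

```ruby
require 'set'

# Constructed sample data (assumptions; not real project data).
# Legacy license-check configuration (License Compliance -> Policies page).
LEGACY_LICENSE_CHECK = {
  approved: %w[MIT BSD-3-Clause],
  denied:   %w[GPL-3.0]
}.freeze

# Simplified License Approval policies (not GitLab's schema):
#   mode :deny_listed        => listed licenses require approval
#   mode :allow_only_listed  => any license EXCEPT the listed ones requires
#                               approval; the list is the policy's "except" clause
#   license_states           => which finding states the rule reacts to
LICENSE_APPROVAL_POLICIES = [
  # Everything except MIT and Apache-2.0 needs approval, but only when the MR
  # introduces it (new package, or new license for an existing package).
  { name: 'new-licenses-need-review', mode: :allow_only_listed,
    licenses: %w[MIT Apache-2.0], license_states: %i[newly_detected] },
  # Copyleft is blocked whether it is new or already present on the branch.
  { name: 'block-copyleft', mode: :deny_listed,
    licenses: %w[GPL-3.0 AGPL-3.0], license_states: %i[newly_detected detected] }
].freeze

# Does this policy consider the license unacceptable, regardless of state?
def disallowed_by?(policy, license)
  case policy[:mode]
  when :deny_listed       then policy[:licenses].include?(license)
  when :allow_only_listed then !policy[:licenses].include?(license)
  else raise ArgumentError, "unknown policy mode #{policy[:mode].inspect}"
  end
end

# Does a single finding {package:, license:, state:} trigger the policy?
def triggered_by?(policy, finding)
  disallowed_by?(policy, finding[:license]) &&
    policy[:license_states].include?(finding[:state])
end

# Widget classification per the quoted note. Note that classification looks at
# the license only; the finding state matters for the MR-level decision below.
def classify(license, policies: LICENSE_APPROVAL_POLICIES, legacy: LEGACY_LICENSE_CHECK)
  denied = legacy[:denied].include?(license) ||
           policies.any? { |p| disallowed_by?(p, license) }
  return 'Denied' if denied

  approved = legacy[:approved].include?(license) ||
             policies.any? { |p| p[:mode] == :allow_only_listed && p[:licenses].include?(license) }
  approved ? 'Approved' : 'Uncategorized'
end

# MR-level decision: the sum of all policies; any one triggering policy is
# enough. Returns the names of the policies that fired (empty => no approval).
def policies_requiring_approval(findings, policies: LICENSE_APPROVAL_POLICIES)
  policies.select { |p| findings.any? { |f| triggered_by?(p, f) } }.map { |p| p[:name] }
end

# Derive finding states by diffing the source branch's dependencies against the
# target's: a (package, license) pair absent from the target is newly_detected.
def findings_for(target_deps, source_deps)
  known = target_deps.map { |d| [d[:package], d[:license]] }.to_set
  source_deps.map do |d|
    state = known.include?([d[:package], d[:license]]) ? :detected : :newly_detected
    { package: d[:package], license: d[:license], state: state }
  end
end

# Constructed sample MR: one package is relicensed, one new package is added.
TARGET_DEPS = [
  { package: 'left-pad', license: 'MIT' },
  { package: 'colour',   license: 'BSD-3-Clause' }
].freeze
SOURCE_DEPS = [
  { package: 'left-pad', license: 'MIT' },
  { package: 'colour',   license: 'GPL-3.0' },  # existing package, new license
  { package: 'fancy-db', license: 'SSPL-1.0' }  # new package, unknown license
].freeze

if __FILE__ == $PROGRAM_NAME
  findings = findings_for(TARGET_DEPS, SOURCE_DEPS)
  findings.each { |f| puts "#{f[:package]} #{f[:license]} #{f[:state]} -> #{classify(f[:license])}" }
  puts "approval required by: #{policies_requiring_approval(findings).inspect}"
end
```

Two details worth noticing when running it: `BSD-3-Clause` is explicitly approved on the legacy Policies page yet classifies as `Denied`, because the `allow_only_listed` policy does not name it and the note says any single disallowing source wins; and a pre-existing `SSPL-1.0` dependency would classify as `Denied` in the widget but not require approval on its own, since the only policy that disallows it reacts to `newly_detected` findings.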
### What is the type of buyer?

~"GitLab Ultimate"

### Release schedule plan

We want to deliver this feature in 2 phases:

* **Phase 1 (MVC)**: We are delivering the current functionality of `License-Check` as a new type of Scan Result Policy. Users will have the same capabilities as in the `License-Check` feature, but will additionally be able to use a Security Policy Project to share the policy across other projects and groups. In this phase we will not introduce any improvements to `License-Check` yet; it is about having an additional way to configure this in GitLab. We are planning to release this phase in %15.9.
* **Phase 2:** After Phase 1, we want to focus on improvements to this feature (such as https://gitlab.com/gitlab-org/gitlab/-/issues/388630, https://gitlab.com/gitlab-org/gitlab/-/issues/385608, and https://gitlab.com/gitlab-org/gitlab/-/issues/385606). In this phase we will deliver improvements to the MR widget, the logic for matching licenses, etc. We are planning to deliver these improvements and fixes in %15.11 / %16.0.

Once both phases are finished, this Epic will be closed.

_This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc._