Add License information to the Dependency List based on current license rules
Problem to solve
The Bill Of Materials (BOM) lists all the dependencies in a project.
One piece of information people want in this view is the license status of each dependency. That way they can easily check (and prove to Compliance) that the app does not contain any forbidden component.
We already have License Management results available. We should link this information in the BOM view.
Target audience
- Delaney, Development Team Lead
Proposal
Add a new column to the BOM with the license information for each given dependency, if available.
Each dependency will report its license. We can also add the status based on the license rules set for the project.
What data points are anchored? License names anchor to the url that contains the license documentation. The url is a data point we include in the MR license check section (see example: gitlab-examples/security/security-reports!15 (closed) - click the license name). In the case of the license name in the table: if the url to the documentation is available, we link the license name directly to it. The license name is only linked if the documentation url is available.
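The proposal above joins three sources: the dependency list, the License Management results (license name and an optional documentation url) and the project's license rules. The following is an added example, not GitLab's code, showing that join and the two rules the text calls out (a license name is linked only when a documentation url exists, and a status is derived from the project's rules). The data shapes, the rule values "approved" and "blacklisted", the status value "unclassified" for licenses no rule covers, and all sample dependencies are assumptions constructed for illustration.

```javascript
// Added example (not GitLab code): join a dependency list with License
// Management results and the project's license rules to produce the rows
// the proposed BOM column would display. All names, data shapes and rule
// values here are assumptions made for illustration.

// Constructed sample: dependencies as a Dependency List would report them.
const dependencies = [
  { name: 'rails', version: '5.2.3', licenses: ['MIT'] },
  { name: 'mysql2', version: '0.5.2', licenses: ['MIT'] },
  { name: 'ffi', version: '1.10.0', licenses: ['BSD-3-Clause'] },
  { name: 'left-pad', version: '1.3.0', licenses: [] },          // no license detected
  { name: 'somelib', version: '0.1.0', licenses: ['AGPL-3.0'] },
];

// Constructed sample: License Management results, license name -> documentation url.
// A null url models a license that was detected but has no documentation link.
const licenseResults = {
  MIT: 'https://opensource.org/licenses/MIT',
  'BSD-3-Clause': 'https://opensource.org/licenses/BSD-3-Clause',
  'AGPL-3.0': null,
};

// Constructed sample: the project's license rules (assumed shape).
const licenseRules = {
  approved: ['MIT', 'BSD-3-Clause'],
  blacklisted: ['AGPL-3.0'],
};

// Status of one license under the project's rules; 'unclassified' when no rule matches.
function licenseStatus(name, rules) {
  if (rules.blacklisted.includes(name)) return 'blacklisted';
  if (rules.approved.includes(name)) return 'approved';
  return 'unclassified';
}

// One cell entry per license: the name is linked only when a url is available.
function licenseCell(name, results, rules) {
  const url = results[name] || null;
  return { name, url, linked: url !== null, status: licenseStatus(name, rules) };
}

// Build the BOM rows: dependency name/version plus its license cells.
function buildBomRows(deps, results, rules) {
  return deps.map((dep) => ({
    name: dep.name,
    version: dep.version,
    licenses: dep.licenses.map((l) => licenseCell(l, results, rules)),
  }));
}

// Worst status across a dependency's licenses, so a row can be sorted or filtered.
// A dependency with no detected license is treated as 'unclassified', not 'approved'.
function rowStatus(row) {
  const statuses = row.licenses.map((l) => l.status);
  if (statuses.includes('blacklisted')) return 'blacklisted';
  if (statuses.length === 0 || statuses.includes('unclassified')) return 'unclassified';
  return 'approved';
}

// Names of dependencies that a Compliance reviewer would flag as forbidden.
function forbiddenDependencies(rows) {
  return rows.filter((r) => rowStatus(r) === 'blacklisted').map((r) => r.name);
}

const rows = buildBomRows(dependencies, licenseResults, licenseRules);
console.log(JSON.stringify(rows, null, 2));
console.log('forbidden:', forbiddenDependencies(rows));
```

Treating a dependency with no detected license as unclassified rather than approved is the design choice worth keeping: an empty license list is a gap in the scan results, and silently showing it as compliant would defeat the purpose of the column.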
Permissions and Security
Anyone with permission to see the licenses can see this column. Permission to see the license status should be consistent with the permissions for the same information in the merge request widget.
Documentation
We need to document which information is available and explain the possible values.
We can also crosslink this from the License Management documentation.
What does success look like, and how can we measure that?
Number of page views for the BOM.