Match and display policies to licenses that are already detected in a project
Problem to solve
Problem: there is no clear way to tell whether the licenses detected in a project comply with the policies defined for it.
Context: this issue is based on discovery work done in https://gitlab.com/gitlab-org/gitlab-ee/issues/12941 and is a follow-up to #14061 (closed). Users can see the licenses detected in a project (from scanning) and the policies (an admin classifying each license) separately, but not how the two relate. For example, in the policies section a user may see that an LPL 1.2 license is denied, but if that same license is detected in the project, the user would not know it is denied unless they matched the two lists (detected/policy) manually.
Intended users
- Delaney (Development Team Lead)
- Sasha (Software Developer)
- Sam (Security Analyst)
- Legal and/or the person responsible for the org's compliance
Further details
Jobs to be done
- User that is responsible for compliance: When my organization has policies for licenses, I want to be aware of my company's policies, so I can make sure my project's licenses comply with my org's compliance requirements.
- User that is accountable for compliance: When I need to enforce our organization's licenses restrictions, I want to be able to view them and define policies, so that I can ensure a project's compliance.
Proposal ideation
If policies have been created for a project, match them to the licenses detected in that project. Display the matching license classification policies in the "detected in project" list.
Iteration iv: UX ready for development
iteration iii
- Likes version ii, surfacing licenses to the top
- Banner is helpful; but update copy to present tense
- Consider version iii later
iteration ii
Iteration ii feedback from UX team review and SCA team review:
- Consider creating additional columns for the violation
- Better display why a license is being surfaced
- Explore using the blue and/or green value for the background
- There may be labels with text and icon in the library to use for policy violation
- Let's look at how to identify where/when this was found to show later. Related: audit log, or maybe we can leverage git-blame
- Need to solve the problem of finding the particular dependency correlated with the MR
- Ideally we'd have the info for all the dependencies (name/version) and would know the MR where each was introduced
old iteration: scoped down
Developer UI (design update in progress)
Developer UI | Maintainer UI
- De-scoped due to de-prioritization: removed the user's ability to add a policy to an existing license
Permissions and Security
- Developers may view policies, but can't adjust them
- Public projects policy section is not visible to non-project participants (#33659 (closed))
Documentation
..
Testing
ToDo
What does success look like, and how can we measure that?
- Developer lands on the page and can determine whether there are denied licenses that exist in the project
What is the type of buyer?
Ultimate
Links / references
Implementation Plan
Backend
- Combine licenses from the latest scan report with the policies configured for the project.
- Serve the combined licenses from the /projects/-/licenses.json endpoint.
- Add an order_by filter to sort by classification. #213592 (closed)
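The three backend steps above, worked through as an added Ruby example. This is illustration code written for this page, not GitLab's implementation: the scan-report and policy shapes, the SPDX-id matching, the 'unclassified' default for licenses no policy covers, the sort order (denied first) and the sample data are all assumptions. Policies for licenses that were not detected are left out of the result, which matches the "detected in project" framing in the proposal.

```ruby
# frozen_string_literal: true
require 'json'

# Assumed classification order for order_by=classification: denied licenses
# surface to the top, then licenses no policy covers, then allowed ones.
CLASSIFICATIONS = %w[denied unclassified allowed].freeze

# Constructed sample: licenses from the latest scan report (shape assumed).
DETECTED_LICENSES = [
  { spdx_id: 'MIT', name: 'MIT License', dependencies: %w[rails nokogiri] },
  { spdx_id: 'LGPL-2.1-only', name: 'GNU Lesser General Public License v2.1 only',
    dependencies: %w[somegem] },
  { spdx_id: 'Apache-2.0', name: 'Apache License 2.0', dependencies: %w[grpc] },
].freeze

# Constructed sample: policies configured for the project. The lowercase 'mit'
# shows why matching has to normalize ids. GPL-3.0-only has no detected license.
POLICIES = [
  { spdx_id: 'mit', classification: 'allowed' },
  { spdx_id: 'LGPL-2.1-only', classification: 'denied' },
  { spdx_id: 'GPL-3.0-only', classification: 'denied' },
].freeze

# Match on the SPDX identifier, case- and whitespace-insensitively.
def normalize_id(spdx_id)
  spdx_id.to_s.strip.downcase
end

# Step 1: annotate every detected license with the classification of the
# policy whose SPDX id matches it; licenses with no policy are 'unclassified'.
def classify_licenses(detected, policies)
  policy_index = policies.each_with_object({}) do |policy, index|
    index[normalize_id(policy[:spdx_id])] = policy[:classification]
  end

  detected.map do |license|
    classification = policy_index.fetch(normalize_id(license[:spdx_id]), 'unclassified')
    license.merge(classification: classification)
  end
end

# Step 3: the order_by filter. Unknown classifications sort after the known
# ones rather than raising, so a bad policy value cannot break the listing.
def order_licenses(licenses, order_by: :classification)
  case order_by
  when :classification
    licenses.sort_by do |license|
      [CLASSIFICATIONS.index(license[:classification]) || CLASSIFICATIONS.size, license[:name]]
    end
  when :name
    licenses.sort_by { |license| license[:name] }
  else
    raise ArgumentError, "unknown order_by: #{order_by.inspect}"
  end
end

# Step 2: the payload a licenses.json endpoint would serve.
def licenses_json(detected = DETECTED_LICENSES, policies = POLICIES, order_by: :classification)
  JSON.generate(licenses: order_licenses(classify_licenses(detected, policies), order_by: order_by))
end

if $PROGRAM_NAME == __FILE__
  order_licenses(classify_licenses(DETECTED_LICENSES, POLICIES)).each do |license|
    puts format('%-12s %-14s %s', license[:classification], license[:spdx_id],
                license[:dependencies].join(', '))
  end
end
```

With the sample data the denied LGPL-2.1-only entry (pulled in by `somegem`) lands at the top of the list, Apache-2.0 follows as unclassified because no policy mentions it, and the MIT entry is reported as allowed despite the policy's lowercase id. A real endpoint should take the scan report from the latest pipeline and the policies from the project's settings; the join itself is the same.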