Add dependency version to License Scanning
Problem to solve
As a developer, I would like to see the version number of a dependency in the license scan report, so that it is easier for me to understand why a dependency appears multiple times in a report.
The version 2.0 license scan report does not include a version number for a dependency. This causes confusion when scanning JavaScript projects, where multiple versions of the same dependency can be identified in one project. Without the version number it is hard to understand why a dependency is listed multiple times.
Intended users
Further details
v2.0 schema
{
  "version": "2.0",
  "licenses": [
    {
      "id": "ISC",
      "name": "ISC License",
      "url": "https://opensource.org/licenses/ISC",
      "count": 2
    }
  ],
  "dependencies": [
    {
      "name": "semver",
      "url": "Unknown",
      "description": "",
      "paths": [ "." ],
      "licenses": [ "ISC" ]
    },
    {
      "name": "semver",
      "url": "Unknown",
      "description": "",
      "paths": [ "." ],
      "licenses": [ "ISC" ]
    }
  ]
}
Proposal
Proposed v2.1 schema
{
  "version": "2.1",
  "licenses": [
    {
      "id": "ISC",
      "name": "ISC License",
      "url": "https://opensource.org/licenses/ISC"
    }
  ],
  "dependencies": [
    {
      "name": "semver",
      "version": "5.3.0",
      "package_manager": "yarn",
      "path": "yarn.lock",
      "licenses": [ "ISC" ]
    },
    {
      "name": "semver",
      "version": "5.7.1",
      "package_manager": "yarn",
      "path": "yarn.lock",
      "licenses": [ "ISC" ]
    }
  ]
}
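The Ruby below is an added example, not code from this issue or from the license-management project. It parses both report layouts, shows why the two semver entries in a v2.0 report are indistinguishable (the only identity available is the name) while the proposed v2.1 layout keys them by name and version, and runs the consistency checks a QA job could apply to a v2.1 report. The sample reports are constructed inline from the schemas above; V21_DEPENDENCY_FIELDS and the helper names are assumptions made for this illustration.

```ruby
require 'json'

# Constructed sample reports for this example; they mirror the v2.0 and
# proposed v2.1 layouts quoted in the issue and are not real scanner output.
REPORT_V20 = <<~JSON
  {
    "version": "2.0",
    "licenses": [
      { "id": "ISC", "name": "ISC License", "url": "https://opensource.org/licenses/ISC", "count": 2 }
    ],
    "dependencies": [
      { "name": "semver", "url": "Unknown", "description": "", "paths": ["."], "licenses": ["ISC"] },
      { "name": "semver", "url": "Unknown", "description": "", "paths": ["."], "licenses": ["ISC"] }
    ]
  }
JSON

REPORT_V21 = <<~JSON
  {
    "version": "2.1",
    "licenses": [
      { "id": "ISC", "name": "ISC License", "url": "https://opensource.org/licenses/ISC" }
    ],
    "dependencies": [
      { "name": "semver", "version": "5.3.0", "package_manager": "yarn", "path": "yarn.lock", "licenses": ["ISC"] },
      { "name": "semver", "version": "5.7.1", "package_manager": "yarn", "path": "yarn.lock", "licenses": ["ISC"] }
    ]
  }
JSON

# Fields every dependency entry carries in the proposed v2.1 layout (assumed
# required for this example; the issue does not define optionality).
V21_DEPENDENCY_FIELDS = %w[name version package_manager path licenses].freeze

# Identity of a dependency entry under each schema version. In v2.0 only the
# name is available, so two versions of one package collapse onto one key.
def dependency_key(dep, report_version)
  case report_version
  when '2.0' then [dep['name']]
  when '2.1' then [dep['name'], dep['version']]
  else raise ArgumentError, "unsupported report version #{report_version.inspect}"
  end
end

# Group the report's dependency entries by identity: { key => [entries] }.
def group_dependencies(json)
  report = JSON.parse(json)
  version = report.fetch('version')
  report.fetch('dependencies').group_by { |dep| dependency_key(dep, version) }
end

# Keys that appear more than once, i.e. entries the report cannot tell apart.
def indistinguishable_duplicates(json)
  group_dependencies(json).select { |_key, entries| entries.size > 1 }.keys
end

# Consistency checks a QA job could run against a v2.1 report. Returns a list
# of human-readable problems; an empty list means the report passed.
def validate_v21(json)
  report = JSON.parse(json)
  return ["expected version 2.1, got #{report['version'].inspect}"] unless report['version'] == '2.1'

  errors = []
  known_licenses = report.fetch('licenses', []).map { |lic| lic['id'] }
  report.fetch('dependencies', []).each_with_index do |dep, i|
    missing = V21_DEPENDENCY_FIELDS - dep.keys
    errors << "dependency #{i}: missing #{missing.join(', ')}" unless missing.empty?
    (dep['licenses'] || []).each do |lic|
      errors << "dependency #{i}: license #{lic.inspect} not in licenses list" unless known_licenses.include?(lic)
    end
  end

  # Once versions are reported, the same name/version pair listed twice is a scanner bug.
  indistinguishable_duplicates(json).each do |name, version|
    errors << "duplicate entry for #{name}@#{version}"
  end
  errors
end

if $PROGRAM_NAME == __FILE__
  puts "v2.0 duplicates: #{indistinguishable_duplicates(REPORT_V20).inspect}"
  puts "v2.1 duplicates: #{indistinguishable_duplicates(REPORT_V21).inspect}"
  puts "v2.1 problems:   #{validate_v21(REPORT_V21).inspect}"
end
```

Run with `ruby report_check.rb`: the v2.0 sample reports `[["semver"]]` as indistinguishable, the v2.1 sample reports none and passes validation. The license cross-check matters because v2.1 drops the per-license `count`, so the `licenses` list and the per-dependency `licenses` arrays are the only place the two halves of the report can disagree.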
Permissions and Security
No new permissions or security changes required.
Documentation
We don't document the report schema today, but we could consider starting with this one.
Testing
The QA Test jobs will need to be updated to reflect this change.
What does success look like, and how can we measure that?
The addition of the version attribute to the raw scan report.
What is the type of buyer?
Any tier that currently has access to license scan reports.
Links / references
Related to https://gitlab.com/gitlab-org/security-products/license-management/merge_requests/84#note_251761590
Implementation Plan
Backend
- Add the version attribute to each dependency in the license scan report.
- Increment the report version from 2.x to 2.y.