Use License Scanning Service in License Compliance page
Why are we doing this work
The backend needs to be changed so that the License Compliance page uses the License Scanning Service.
Further details
The License Compliance page is handled by `LicensesController#index`, which uses `SCA::LicenseCompliance` and `Pipeline#license_scanning_report`.
The other controller actions are used to create and update license policies, and they don't need to be updated.
✅ Proposal 1: Change `Pipeline#license_scanning_report` so that it gets a `Ci::Reports::LicenseScanning::Report` using the `LicenseScanningService`. The `LicenseScanningService` is initialized with the pipeline and its project.
Also, change `Project#license_compliance` so that it no longer relies on `latest_pipeline_with_reports` to get the default value for its argument. Instead, make `LicenseScanningService` responsible for finding the latest pipeline that provides the data it needs.
❌ Proposal 2: Update `LicenseCompliance#license_scanning_report` so that it gets a `Ci::Reports::LicenseScanning::Report` using the `LicenseScanning::ExportReportService` class.
- Create an `ExportReportService` class inside `ee/app/services/license_scanning/export_report_service.rb`. The `ExportReportService` is initialized with the pipeline and its project.
- Update `SCA::LicenseCompliance#license_scanning_report` so that it fetches the report using `LicenseScanning::ExportService#execute`.
Relevant links
Technical evaluation: #377688 (comment 1133318031)
Non-functional requirements
- Documentation: -
- Feature flag: -
- Performance: -
- Testing: -
Implementation plan
- Update the `Pipeline#license_scanning_report` method so that it returns a `Ci::Reports::LicenseScanning::Report` using the `::Gitlab::LicenseScanning::ArtifactScanner` class.
  - This will require a public method on the class, `#report`, that will fetch the report.
- Change `Project#license_compliance` so that it no longer relies on `latest_pipeline_with_reports` to get the default value for its argument. Make the `::Gitlab::LicenseScanning::BaseScanner` interface responsible for finding the latest pipeline that provides the data it needs. This method should be named in a manner that omits `reports`, e.g. `#latest_pipeline`.
  - The name purposefully omits `reports` so that the data source is abstracted away, since the data can come from either SBoM component licenses or an artifact.
  - Using a method within the `::Gitlab::LicenseScanning::BaseScanner` interface gives the advantage of having the feature flag logic within one area.
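A constructed Ruby sketch of the scanner interface the plan describes, added here as an illustration and not GitLab's code: `BaseScanner` owns `#latest_pipeline` and `#report`, the artifact and SBoM sources are interchangeable subclasses, and the feature-flag choice sits in one place. The `Pipeline`, `Report` and `Project` structs and the `sbom_enabled` flag are stand-ins invented for this example.

```ruby
# Constructed stand-ins for the pipeline and report objects (not GitLab's classes).
Pipeline = Struct.new(:id, :license_artifact, :sbom_licenses)
Report   = Struct.new(:licenses) # stands in for Ci::Reports::LicenseScanning::Report

module LicenseScanning
  # Base interface: owns pipeline selection and report extraction.
  class BaseScanner
    attr_reader :pipeline

    def initialize(project, pipeline = nil)
      @project  = project
      # The scanner, not the caller, finds the pipeline that provides its data.
      @pipeline = pipeline || latest_pipeline
    end

    # Named without "reports": the data may come from an artifact or SBoM components.
    def latest_pipeline
      @project.pipelines.reverse.find { |p| data?(p) }
    end

    # Public entry point, as the plan's ArtifactScanner#report.
    def report
      pipeline ? Report.new(extract(pipeline)) : Report.new([])
    end
    # Subclasses define data?(pipeline) and extract(pipeline).
  end

  class ArtifactScanner < BaseScanner
    def data?(p); !p.license_artifact.nil?; end
    def extract(p); p.license_artifact; end
  end

  class SbomScanner < BaseScanner
    def data?(p); !p.sbom_licenses.nil?; end
    def extract(p); p.sbom_licenses; end
  end

  # One place for the feature-flag decision (the flag argument is constructed here).
  def self.scanner_for(project, pipeline = nil, sbom_enabled: false)
    (sbom_enabled ? SbomScanner : ArtifactScanner).new(project, pipeline)
  end
end

Project = Struct.new(:pipelines) do
  # No latest_pipeline_with_reports default: the scanner picks the pipeline itself.
  def license_compliance(sbom_enabled: false)
    LicenseScanning.scanner_for(self, sbom_enabled: sbom_enabled).report
  end
end
```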
Verification steps
SET to review existing E2E tests, update if required to functionally test, being mindful of shifting left if covered by lower level testing.