Remove support for License Compliance CI Template
Problem to solve
The License Scanning implementation based on the license-finder image should no longer be used.
Proposal
Release a new version of the license-finder image that fails, and update the CI template to use that version. This allows users to restore the old behavior if needed.
However, license-finder is no longer supported.
Testing
We keep the existing tests for the CI template, to ensure that the old behavior is still supported when LICENSE_MANAGEMENT_VERSION is set to 4.
Documentation
Instructions to restore the old behavior are not documented in GitLab docs. However, they're shared in the error message that shows up when the analyzer fails.
Error Message
The legacy License Compliance analyzer was deprecated in GitLab 15.9 and removed in GitLab 16.3. Bugs and vulnerabilities in this legacy analyzer will no longer be fixed, and this error message can be resolved by removing Jobs/License-Scanning.gitlab-ci.yml from your CI configuration.
Detection of software dependency licenses is now enabled by including Dependency Scanning as part of your project’s CI configuration. However, the legacy License Compliance analyzer may still be used by updating the LICENSE_MANAGEMENT_VERSION variable to 4 in your CI configuration. Please see https://docs.gitlab.com/ee/user/compliance/license_scanning_of_cyclonedx_files for more information.
Implementation plan
- Release a new version of license-finder that fails and shows upgrade instructions.
- Update the CI template to use that version.
Verification steps
On a project supported by license-finder, and that includes the License Scanning CI template:
- Set LICENSE_MANAGEMENT_VERSION to 4.
  - The scanning job is successful.
  - It generates the expected License Scanning artifact.
- Leave LICENSE_MANAGEMENT_VERSION unset.
  - The scanning job fails.
  - It shows the expected error message.
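The project-side CI configuration these two verification runs assume, as an added illustration (not configuration from this issue or from GitLab's own template): the template path is the one named in the error message above, and the only difference between the two runs is whether the variable is present.

```yaml
# Added illustration, not the issue's or GitLab's own configuration.
# Run 1: keep the variable below, the legacy license-finder image runs
#        and the License Scanning artifact is produced.
# Run 2: delete the `variables` block, the job picks up the failing
#        image version and prints the removal error message instead.
include:
  - template: Jobs/License-Scanning.gitlab-ci.yml

variables:
  # Pins the legacy analyzer image; this is the documented escape hatch.
  LICENSE_MANAGEMENT_VERSION: "4"
```

The variable is quoted so the YAML parser passes it through as the string `4`, which is what an image tag needs; an unquoted `4` would be parsed as a number before GitLab stringifies it, which happens to work but is easy to get wrong with other values.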
Earlier proposal
The previous proposal was to change the script of the License Scanning job to make it fail. However, this wouldn't allow users to restore the old behavior.
Previous proposal and implementation plan
Proposal
Change the License Scanning job so that:
- It's skipped. See #387558 (comment 1364767489)
- It shows a message about the removal, and fails. The latter is needed in case the job is executed because the rules are overridden. See #387558 (comment 1245663626)
license_scanning is allowed to fail, so exit 1 won't stop the pipeline. However, the job will show up with a warning sign.
We change as little as possible so that CI configurations that include the License Scanning CI template and override the license_scanning job don't break:
- The CI template isn't removed.
- The variables, image, and stage don't change.
Testing
The specs for the License Scanning CI templates (default and "latest") are removed.
Projects that override the license_scanning job should still have a valid CI config after implementing the changes proposed in this issue. This needs to be tested.
SET should update the E2E specs, for example update the CI file used in testing https://gitlab.com/gitlab-org/gitlab/-/blob/master/qa/qa/ee/fixtures/secure_license_files/.gitlab-ci.yml
Implementation plan
- Check that the CI config of the gitlab project is still valid after implementing the changes described in the proposal. See https://gitlab.com/gitlab-org/gitlab/-/blob/master/.gitlab/ci/reports.gitlab-ci.yml#L6
- Update License Scanning CI template and remove its specs.
- Update License Scanning "latest" template and remove its specs.
The CI templates are updated so that the license_scanning job is skipped by default, and so that it fails otherwise:
- Set the rules to when: never. See #387558 (comment 1364767489)
- Set script to show a warning, and fail.
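An added sketch of the job shape this earlier plan describes (illustration only, not the template GitLab shipped and not code from the issue): `rules` makes the job skipped by default, and `script` warns and exits non-zero for the case where a project overrides those rules. The `allow_failure: true` key reflects the statement above that `exit 1` won't stop the pipeline; that the real template expresses it with this key is an assumption here, and `stage`, `image` and `variables` are deliberately left out because the plan requires them to stay exactly as in the existing template.

```yaml
# Added illustration of the proposed job, not GitLab's actual template.
# `stage`, `image` and `variables` are intentionally omitted: the plan
# says they must not change, so they stay as in the existing template.
license_scanning:
  allow_failure: true          # exit 1 marks the job with a warning, pipeline continues
  rules:
    - when: never              # skipped by default; overriding `rules` re-enables it
  script:
    # Reached only when a project overrides `rules`. Warn loudly, then
    # fail, so the job is visibly flagged rather than silently passing.
    - echo "The legacy License Compliance analyzer has been removed." >&2
    - echo "See https://docs.gitlab.com/ee/user/compliance/license_scanning_of_cyclonedx_files" >&2
    - exit 1
```

A project that merely includes the template sees no job at all; one that overrides `rules` (for example to run the job on every branch) gets a failed-with-warning job and the message, which is the behavior the two bullets above ask for.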