Show detected licenses with their URLs (License Scanning SBOM Scanner)
Summary
With the introduction of the License Scanning SBOM Scanner, the License Compliance and Dependency List pages no longer provide links to the detected licenses.
Screenshots
License Compliance page: screenshots of the new implementation and the old implementation (images not included in this extract).
Dependency List page: screenshots of the new implementation and the old implementation (images not included in this extract).
Source: #385173 (closed)
Further details
Before the introduction of the License Scanning SBOM Scanner, license URLs were extracted from License Scanning report artifacts.
See the sample report below:

```json
{
  "version": "2.1",
  "licenses": [
    {
      "id": "MIT",
      "name": "MIT License",
      "url": "https://opensource.org/licenses/MIT"
    }
  ],
  "dependencies": [
    {
      "name": "classpreloader/classpreloader",
      "version": "3.2.0",
      "package_manager": "composer",
      "path": "composer.lock",
      "licenses": [
        "MIT"
      ]
    }
  ]
}
```
Compared to this, the License Scanning SBOM Scanner only relies on the information stored in `pm_licenses`; right now this table only provides SPDX identifiers of licenses.

```sql
CREATE TABLE pm_licenses (
    id bigint NOT NULL,
    spdx_identifier text NOT NULL,
    CONSTRAINT check_c1eb81d1ba CHECK ((char_length(spdx_identifier) <= 50))
);
```
See #385173 (comment 1296169706)
Possible fixes
- Add a `url` column to the `pm_licenses` table, and sync `pm_licenses` with the SPDX License List, just like the `ImportSoftwareLicensesWorker` worker syncs up `software_licenses`.
- Redirect to the license page on spdx.org using the SPDX identifier. For instance, https://spdx.org/licenses/0BSD.html is the page for `0BSD`. There are at least two ways this can be implemented:
  - Update `LicenseScanning::SbomScanner` to add licenses with predefined URLs when calling `LicenseScanning::Report.add_license`.
  - Update `LicenseScanning::Report.add_license` to set the `url` to `"https://spdx.org/licenses/#{id}.html"` when `id` is set but `url` is empty.
  - Update
Proposal
Redirect to the license page on spdx.org using the SPDX identifier. Update `LicenseScanning::Report.add_license` to set the `url` to `"https://spdx.org/licenses/#{id}.html"` when `id` is set but `url` is empty.
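As an added example (not GitLab's own code), a stand-in for the `add_license` fallback described in the proposal: the `Report` and `License` classes, the method signature and the `SPDX_ID` pattern are assumptions, and the identifier check is an added caveat so the spdx.org URL is only ever built from a well-formed SPDX id, never from an arbitrary string found in an SBOM.

```ruby
require 'set'

module LicenseScanning
  License = Struct.new(:id, :name, :url, :dependencies, keyword_init: true)

  class Report
    # SPDX idstring characters (letters, digits, '.', '-') with an optional
    # trailing '+' for "or later" ids such as GPL-2.0+. Assumption: anything
    # else gets no URL, so a URL is never built from an arbitrary SBOM string.
    SPDX_ID = /\A[A-Za-z0-9.\-]+\+?\z/.freeze
    SPDX_URL_TEMPLATE = 'https://spdx.org/licenses/%s.html'

    attr_reader :licenses

    def initialize
      @licenses = {}
    end

    # Registers a license and returns it. When the scanner supplied an id but
    # no url (nil or blank), fall back to the spdx.org license page.
    def add_license(id:, name:, url: nil)
      url = spdx_url_for(id) if blank?(url)
      key = id || name
      @licenses[key] ||= License.new(id: id, name: name, url: url, dependencies: Set.new)
    end

    private

    # Builds the spdx.org URL only for ids that match the SPDX idstring grammar.
    def spdx_url_for(id)
      return nil unless id.is_a?(String) && id.match?(SPDX_ID)

      format(SPDX_URL_TEMPLATE, id)
    end

    def blank?(value)
      value.nil? || value.to_s.strip.empty?
    end
  end
end
```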
Implementation plan
- Update `LicenseScanning::Report.add_license` and its specs.
Verification steps
On a project where the `license_scanning_sbom_scanner` feature flag is enabled, and where a Dependency Scanning job has been executed successfully for the default branch:
- Check that the License Compliance page provides links for detected licenses.
- Check that the Dependency List page provides links for detected licenses.