Use licenses of CycloneDX SBOMs in license scanner
Why are we doing this work

License Scanning should use the `licenses` field of the CycloneDX JSON SBOM when available, and fall back to using license information imported from the external License DB.

Parsing and exposing the `licenses` field is covered by Ingest component licenses from CycloneDX SBOMs (#370013).

This is built on top of the License Scanning SBOM Scanner introduced in &8072 (closed), and updated in &10415 (closed).
Relevant links
- Ingest component licenses from CycloneDX SBOMs (#370013)
- Replace license-finder MVC (&8072 - closed)
- Reduce package metadata table on-disk footprint (&10415 - closed)
- https://gitlab.com/gitlab-org/gitlab/-/blob/b69e89834f42489631166c475fd3c9fb2ad2b83e/ee/lib/gitlab/license_scanning/sbom_scanner.rb#L12-33
- https://gitlab.com/gitlab-org/gitlab/-/blob/b69e89834f42489631166c475fd3c9fb2ad2b83e/ee/lib/gitlab/license_scanning/pipeline_components.rb#L10-22
Non-functional requirements

- Documentation: Document license scanning using licenses of Cyc... (#415945)
- Feature flag: `license_scanning_with_sbom_licenses`
- Performance: Make sure that the impact on the time it takes to load License Scanning results is negligible. To be checked in the `licenses` tab of the pipeline page and in the Dependency List page.
- Testing: Unit tests and E2E tests.
Implementation plan

- Update `Gitlab::LicenseScanning::PipelineComponents#fetch` so that it returns licenses of SBOM components in a new `licenses` attribute of the `Hashie::Mash`.
- Update `Gitlab::LicenseScanning::SbomScanner#report`:
  - Add `components` with `licenses` directly to the `::Gitlab::Ci::Reports::LicenseScanning::Report`.
  - Pass `components` that don't have `licenses` to `PackageLicenses`, and get `package_licenses`.
  - Add `package_licenses` to report (same as before).
- Add
Verification steps

Licenses from CycloneDX SBOM only (feature test)

- Set up a project with dependencies supported by a compatible CycloneDX JSON SBOM generator that provides `licenses` of `components`. See https://cyclonedx.org/tool-center/
- Add CI config to run the SBOM generator, and upload the resulting SBOM.
- Check `licenses` tab of pipeline page.
- Check licenses in Dependency List (DL) page.

Licenses from License DB (non-regression test)

- Set up a project with dependencies supported by Dependency Scanning (DS).
- Include DS CI template, and trigger a pipeline.
- Check `licenses` tab of pipeline page.
- Check licenses in Dependency List (DL) page.

Licenses from CycloneDX SBOM and License DB (feature test)

- Set up a project with two sets of dependencies.
  - Some dependencies are reported by DS, and License DB has license info for these.
  - Some other dependencies are reported by the SBOM generator that provided the `licenses`.
  - The two sets don't overlap.
- Add CI config to enable both DS and the other SBOM generator.
- Check `licenses` tab of pipeline page and the DL page.
  - Licenses come from the `licenses` field of the CycloneDX SBOM when it's set.
  - Otherwise licenses come from the package metadata tables (imported from License DB).
- Licenses come from the
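The precedence rule behind the implementation plan and the third verification scenario (licenses taken from the CycloneDX `licenses` field when set, otherwise from the License DB) can be exercised offline with the Ruby sketch below. This is an added example written for this issue, not code from the GitLab repository: `fetch_components`, `build_report`, `package_manager_from_purl`, the `SAMPLE_SBOM` document and the `LICENSE_DB` hash are all hypothetical stand-ins for `PipelineComponents#fetch`, `SbomScanner#report` and the package metadata tables, and the sample SBOM and license rows are constructed data.

```ruby
require 'json'

# Constructed sample CycloneDX 1.4 JSON SBOM (not a real project's output).
# "rails" and "nokogiri" carry a licenses field; "unknownlib" does not.
SAMPLE_SBOM = <<~JSON
  {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
      {"type": "library", "name": "rails", "version": "7.0.4",
       "purl": "pkg:gem/rails@7.0.4",
       "licenses": [{"license": {"id": "MIT"}}]},
      {"type": "library", "name": "nokogiri", "version": "1.13.10",
       "purl": "pkg:gem/nokogiri@1.13.10",
       "licenses": [{"license": {"name": "MIT License"}}, {"license": {"id": "Apache-2.0"}}]},
      {"type": "library", "name": "unknownlib", "version": "0.1.0",
       "purl": "pkg:gem/unknownlib@0.1.0"}
    ]
  }
JSON

# Constructed stand-in for the package metadata tables imported from License DB,
# keyed by [package_manager, name, version]. The "rails" row deliberately
# disagrees with the SBOM so the output shows that the SBOM value takes precedence.
LICENSE_DB = {
  ["gem", "rails", "7.0.4"]      => ["GPL-3.0"],
  ["gem", "unknownlib", "0.1.0"] => ["BSD-3-Clause"]
}.freeze

# Package manager is the purl type, e.g. "gem" in "pkg:gem/rails@7.0.4".
def package_manager_from_purl(purl)
  purl.to_s[%r{\Apkg:([^/]+)/}, 1]
end

# Hypothetical counterpart of PipelineComponents#fetch: one Hash per component,
# with a licenses array built from the CycloneDX licenses field (SPDX id
# preferred, free-text name as fallback; malformed entries are skipped).
def fetch_components(sbom_json)
  JSON.parse(sbom_json).fetch("components", []).map do |c|
    licenses = Array(c["licenses"]).filter_map do |entry|
      lic = entry["license"]
      next unless lic.is_a?(Hash)
      lic["id"] || lic["name"]
    end
    {
      package_manager: package_manager_from_purl(c["purl"]),
      name: c["name"],
      version: c["version"],
      licenses: licenses
    }
  end
end

# Hypothetical counterpart of SbomScanner#report: components that already carry
# licenses go straight into the report; the rest are resolved from the License DB
# (an empty list when the DB has no row for them).
def build_report(sbom_json, license_db)
  with_licenses, without_licenses = fetch_components(sbom_json).partition { |c| c[:licenses].any? }

  from_db = without_licenses.map do |c|
    key = [c[:package_manager], c[:name], c[:version]]
    c.merge(licenses: license_db.fetch(key, []), source: :license_db)
  end

  with_licenses.map { |c| c.merge(source: :sbom) } + from_db
end

if __FILE__ == $PROGRAM_NAME
  build_report(SAMPLE_SBOM, LICENSE_DB).each do |c|
    puts "#{c[:name]}@#{c[:version]}: #{c[:licenses].join(', ')} (#{c[:source]})"
  end
end
```

The `source` key is only there to make the origin of each license visible when verifying the mixed scenario; the `rails` row in `LICENSE_DB` shows that a License DB entry is ignored once the SBOM itself provides licenses for that component.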
Edited by Fabien Catteau