License Compliance widget shows all licenses as uncategorized
Summary
- The License Compliance MR widget shows all the detected licenses as uncategorized instead of categorized as they are in the Full report
Steps to reproduce
- Upload a GitLab Ultimate license
- Clone https://gitlab.com/gitlab-org/govern/security-policies/ali-test-group/411984-unknown-license-type
- Create a new scan_result_policy with the content

```yaml
type: scan_result_policy
name: Newly detected unknown licenses
description: ''
enabled: true
rules:
  - type: license_finding
    match_on_inclusion: true
    license_types:
      - unknown
    license_states:
      - newly_detected
    branch_type: default
actions:
  - type: require_approval
    approvals_required: 1
    group_approvers_ids:
      - 64024513
```
- Create changes similar to https://gitlab.com/gitlab-org/govern/security-policies/ali-test-group/411984-unknown-license-type/-/merge_requests/1/diffs and create the MR
Example Project
What is the current bug behavior?
The categorization of the licenses in the License Compliance MR widget does not match the categorization of the licenses in the Full report
What is the expected correct behavior?
The categorization of the licenses in the License Compliance MR widget should match the categorization of the licenses in the Full report
Relevant logs and/or screenshots
[Screenshots: License Compliance MR Widget; Full Report]
Possible fixes
- Update Sca::LicenseCompliance to check for denied software_license_policies from the report in diff_with:
diff --git a/ee/app/models/sca/license_compliance.rb b/ee/app/models/sca/license_compliance.rb
index 65384cb46a0e..3d74673a5bce 100644
--- a/ee/app/models/sca/license_compliance.rb
+++ b/ee/app/models/sca/license_compliance.rb
@@ -122,7 +122,7 @@ def build_policy_with_denied_licenses(denied_policies, reported_license)
denied_license_policy = policy_from_licenses(denied_policies, reported_license) unless direct_license_policy
- approval_status = denied_license_policy ? 'denied' : nil
+ approval_status = denied_license_policy || denied_policies.empty? ? 'denied' : nil
build_policy(reported_license, direct_license_policy || denied_license_policy, approval_status)
end
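Review bot: the new approval_status line depends on Ruby binding || tighter than ?:, so it reads as (denied_license_policy || denied_policies.empty?) ? 'denied' : nil; that is probably the intent, but it also sets 'denied' when denied_policies is empty even if direct_license_policy was found on the line above, a case the old line left as nil because denied_license_policy is only computed unless direct_license_policy. Suggest parenthesising the condition and deciding whether the empty-policies branch should apply only when no direct policy matched, e.g. approval_status = (denied_license_policy || (direct_license_policy.nil? && denied_policies.empty?)) ? 'denied' : nil, with a one-line comment explaining why an empty denied list means 'denied'.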
diff --git a/ee/spec/models/sca/license_compliance_spec.rb b/ee/spec/models/sca/license_compliance_spec.rb
index 889b2305be7c..9e65a14a54c4 100644
--- a/ee/spec/models/sca/license_compliance_spec.rb
+++ b/ee/spec/models/sca/license_compliance_spec.rb
@@ -942,6 +942,22 @@ def assert_matches(item, expected = {})
end
end
+ context 'when the base pipeline is empty or does not contain report' do
+ subject(:diff) { license_compliance.diff_with(base_compliance) }
+
+ let(:pipeline) { head_pipeline }
+
+ let!(:head_compliance) { project.license_compliance(head_pipeline) }
+ let!(:head_pipeline) { create(:ee_ci_pipeline, :success, project: project) }
+
+ let!(:base_compliance) { project.license_compliance(base_pipeline) }
+ let!(:base_pipeline) { create(:ee_ci_pipeline, :success, :with_cyclonedx_report, project: project, builds: [create(:ee_ci_build, :success)]) }
+
+ it 'returns diff' do
+ expect(diff[:added].first.classification).to eq('denied')
+ end
+ end
+
context "when the base pipeline removed some licenses" do
subject(:diff) { license_compliance.diff_with(base_compliance) }
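Review bot: the context description ("when the base pipeline is empty or does not contain report") does not match the fixtures in this hunk: base_pipeline is the one created :with_cyclonedx_report, while head_pipeline has no report, and let(:pipeline) { head_pipeline } suggests license_compliance is built from the pipeline without a report and then diffed against a base that has one. With that setup diff[:added] is unlikely to contain a head-only license, so diff[:added].first may be nil and the expectation would fail on nil.classification rather than exercising the 'denied' path. Suggest moving :with_cyclonedx_report to head_pipeline (or renaming the fixtures to match the description) and asserting diff[:added] is non-empty before reading classification.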
Relates to #397067 (closed)
Relates to #356334 (closed)
Relates to #285120 (closed)
Edited by Marcos Rocha