Use license scanning scanner when refreshing approvals
What does this MR do and why?
What
This MR refactors the approval merge request rule so that it uses a concrete implementation of ::Gitlab::LicenseScanning::BaseScanner
instead of directly looking for license scanning reports in a pipeline. The report is fetched through the scanner's report
method instead of by referencing the pipeline's license scanning report method.
Why
The change to this interface allows us to switch the implementation details without impacting the results expected. Specifically, the Composition Analysis group is in the process of replacing license-finder so that it is not reliant on pipeline artifacts and can instead aggregate dependency/license data at the group and project level.
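The following is an added illustration of the shape of that refactor, not GitLab's code: an abstract scanner interface, two concrete implementations (one reading a pipeline artifact, one reading project-level SBoM data), and an approval rule that refreshes itself only through the scanner's report method. Every class, method and sample value below (LicenseScanning::Report, ArtifactScanner, SbomScanner, LicenseApprovalRule, the sample hashes) is an assumption made for this example, and the sbom_enabled flag stands in for the feature-flag switch the MR list mentions.

```ruby
# Hypothetical example of an approval rule that depends only on a scanner
# interface, so the data source can be swapped without changing the rule.
require 'set'

module LicenseScanning
  # Stand-in for a license scanning report: license name => dependencies carrying it.
  class Report
    attr_reader :licenses

    def initialize(licenses = {})
      @licenses = licenses
    end

    def license_names
      licenses.keys.to_set
    end

    def empty?
      licenses.empty?
    end
  end

  # Abstract interface. Callers use only #report and #has_data?, so the
  # implementation behind them can change without touching the callers.
  class BaseScanner
    def initialize(pipeline, project)
      @pipeline = pipeline
      @project = project
    end

    def report
      raise NotImplementedError, "#{self.class} must implement #report"
    end

    def has_data?
      !report.empty?
    end
  end

  # Implementation backed by a pipeline artifact (the artifact-reliant path).
  class ArtifactScanner < BaseScanner
    def report
      Report.new(@pipeline.fetch(:license_scanning_artifact, {}))
    end
  end

  # Implementation backed by project-level SBoM data (no pipeline artifact needed).
  class SbomScanner < BaseScanner
    def report
      Report.new(@project.fetch(:sbom_licenses, {}))
    end
  end

  # Chooses the implementation behind a flag (assumed name, not GitLab's flag).
  def self.scanner_for(pipeline, project, sbom_enabled: false)
    (sbom_enabled ? SbomScanner : ArtifactScanner).new(pipeline, project)
  end
end

# Approval rule keyed on denied licenses. It never reaches into the pipeline's
# own report method; it only asks the scanner.
class LicenseApprovalRule
  attr_reader :denied_licenses

  def initialize(denied_licenses)
    @denied_licenses = denied_licenses.to_set
  end

  # Returns the approvals still required: 1 when any denied license is present, else 0.
  def refresh(scanner)
    return 0 unless scanner.has_data?

    violations = scanner.report.license_names & denied_licenses
    violations.empty? ? 0 : 1
  end
end

# Constructed sample data: an artifact and an SBoM record with the same licenses,
# so both scanner implementations must yield the same approval result.
SAMPLE_PIPELINE = { license_scanning_artifact: { 'MIT' => ['rails'], 'GPL-3.0' => ['readline'] } }
SAMPLE_PROJECT = { sbom_licenses: { 'MIT' => ['rails'], 'GPL-3.0' => ['readline'] } }

# Refreshes the rule against the sample data using whichever scanner the flag selects.
def approvals_required(denied, sbom_enabled:)
  scanner = LicenseScanning.scanner_for(SAMPLE_PIPELINE, SAMPLE_PROJECT, sbom_enabled: sbom_enabled)
  LicenseApprovalRule.new(denied).refresh(scanner)
end

puts approvals_required(['GPL-3.0'], sbom_enabled: false)
puts approvals_required(['GPL-3.0'], sbom_enabled: true)
```

The point of the split is in the last function: the rule is written once against BaseScanner, and flipping sbom_enabled changes where the licenses come from but not what the rule decides, which is the property the description claims for the refactor.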
Additional info
- Create an abstract class that will be used as an interface for license scanning
- Update the sites that reference license scanning reports to use the new interface
  - License Compliance Page. See !105533 (merged)
  - License Compliance MR Widget. See !107146 (merged)
  - Licenses Tab in Pipeline Page. See #378087 (closed)
  - Dependency List Page. See !105678 (merged)
  - Refresh license approvals. You are here 👈
- Add feature flag so that interface switches implementation to SBoM based scanner. See &9400 (closed)
Closes #377420 (closed)
Screenshots or screen recordings
Video showing the approvals required in the merge request widget
How to set up and validate locally
- Create a project with license scanning enabled if one does not already exist.
- Open an MR and approve the changes.
- Create and push a commit to the MR that adds a license and verify that it refreshed the approvals.
- Add a new license policy that accepts the license and verify that the approvals have refreshed.
- Re-approve the merge request.
- Update the recently created license policy so that it denies the license and verify that the approvals have refreshed.
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.