Update license scanning widget with license approval policies
What does this MR do and why?
Addresses #385608 (closed)
This change updates the license compliance MR widget and pipeline license tab to consider license approval policies based on these conditions:

- Licenses should be marked as `Denied` if any one of the policies (either License Approval or `license-check`) does not allow that license.
- Licenses should be marked as `Approved` only if both of the following conditions are met:
- All other licenses should be marked as `Uncategorized` only if they do not meet the criteria for either `Approved` or `Denied`.

If a license policy has an `except` clause for a license type, it means that any license that is not of the given type would require approval. It also sets `match_on_inclusion` to `false` in the DB (`scan_result_policies` table).
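The following is an added example, not code from this MR or from GitLab, that works through the Denied / Approved / Uncategorized outcomes above for a mix of legacy `license-check` policies and license approval policies. The `LicenseCheckPolicy` and `ApprovalPolicy` structs, the sample policies and the detected license list are all constructed for the illustration; the only thing taken from the MR text is the meaning of `match_on_inclusion` (`false` for the `except` form) and the rule that a single disallowing policy makes a license `Denied`. Because the MR description leaves the second `Approved` condition unstated, the example assumes `Approved` means "at least one policy explicitly allows the license and none disallows it".

```ruby
# Added example, not GitLab's own code: classify each detected license
# against the combination of legacy license-check policies and license
# approval policies described in this MR. The policy structs are a
# stand-in for the real models (assumption); only the match_on_inclusion
# flag and the Denied / Approved / Uncategorized outcomes come from the MR.

# Legacy license-check policy: an explicit classification for one license.
LicenseCheckPolicy = Struct.new(:name, :classification) # :approved or :denied

# License approval policy. match_on_inclusion mirrors the DB column:
#   true  -> the listed licenses are the ones the policy does not allow
#   false -> 'except' form: every license NOT in the list is not allowed
ApprovalPolicy = Struct.new(:licenses, :match_on_inclusion)

# Single-policy verdict for one license: :allowed, :denied or :silent
# (the policy says nothing about this license).
def verdict(policy, license)
  case policy
  when LicenseCheckPolicy
    return :silent unless policy.name == license
    policy.classification == :approved ? :allowed : :denied
  when ApprovalPolicy
    listed = policy.licenses.include?(license)
    if policy.match_on_inclusion
      listed ? :denied : :silent
    else
      listed ? :allowed : :denied
    end
  else
    raise ArgumentError, "unknown policy #{policy.inspect}"
  end
end

# Denied wins over everything; Approved needs at least one explicit allow
# and no deny (assumption standing in for the MR's unstated second
# condition); anything else is Uncategorized.
def classify(license, policies)
  verdicts = policies.map { |p| verdict(p, license) }
  return 'Denied' if verdicts.include?(:denied)
  return 'Approved' if verdicts.include?(:allowed)
  'Uncategorized'
end

def classify_all(licenses, policies)
  licenses.to_h { |l| [l, classify(l, policies)] }
end

# Constructed sample: one license-check allow, one license-check deny, and
# an approval policy written with an `except` clause (match_on_inclusion false).
EXCEPT_POLICIES = [
  LicenseCheckPolicy.new('MIT', :approved),
  LicenseCheckPolicy.new('GPL-3.0', :denied),
  ApprovalPolicy.new(%w[MIT Apache-2.0], false),
].freeze

# Same idea, but the approval policy lists the licenses it does not allow
# (match_on_inclusion true). Note MIT is allowed by license-check yet
# disallowed here, so it ends up Denied.
INCLUSION_POLICIES = [
  LicenseCheckPolicy.new('MIT', :approved),
  ApprovalPolicy.new(%w[GPL-3.0 MIT], true),
].freeze

# Constructed list of licenses found by the scanner.
DETECTED = %w[MIT Apache-2.0 GPL-3.0 BSD-3-Clause].freeze

if __FILE__ == $PROGRAM_NAME
  classify_all(DETECTED, EXCEPT_POLICIES).each { |l, s| puts "except:    #{l} -> #{s}" }
  classify_all(DETECTED, INCLUSION_POLICIES).each { |l, s| puts "inclusion: #{l} -> #{s}" }
end
```

Two things the table of outcomes makes visible: with an `except` policy in place nothing can be `Uncategorized` (every license is either listed and allowed or unlisted and denied), and a `license-check` approval never overrides a license approval policy that disallows the same license.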
Database Queries

```sql
SELECT 1 AS one
FROM "software_license_policies"
INNER JOIN "scan_result_policies" "scan_result_policy_read"
  ON "scan_result_policy_read"."id" = "software_license_policies"."scan_result_policy_id"
LEFT OUTER JOIN "software_licenses"
  ON "software_licenses"."id" = "software_license_policies"."software_license_id"
WHERE "software_license_policies"."project_id" = 43774395
  AND "scan_result_policy_read"."match_on_inclusion" = FALSE
LIMIT 1
```
Plan: console.postgre.ai

```
Limit (cost=1.85..6.14 rows=1 width=4) (actual time=3.845..3.848 rows=1 loops=1)
  Buffers: shared hit=5 read=3 dirtied=1
  I/O Timings: read=2.603 write=0.000
  -> Hash Join (cost=1.85..6.14 rows=1 width=4) (actual time=3.843..3.845 rows=1 loops=1)
       Hash Cond: (scan_result_policy_read.id = software_license_policies.scan_result_policy_id)
       Buffers: shared hit=5 read=3 dirtied=1
       I/O Timings: read=2.603 write=0.000
       -> Seq Scan on public.scan_result_policies scan_result_policy_read (cost=0.00..4.23 rows=11 width=8) (actual time=1.099..1.105 rows=9 loops=1)
            Filter: (NOT scan_result_policy_read.match_on_inclusion)
            Rows Removed by Filter: 9
            Buffers: shared hit=1 dirtied=1
            I/O Timings: read=0.000 write=0.000
       -> Hash (cost=1.82..1.82 rows=2 width=12) (actual time=2.671..2.671 rows=4 loops=1)
            Buckets: 1024 Batches: 1 Memory Usage: 9kB
            Buffers: shared hit=1 read=3
            I/O Timings: read=2.603 write=0.000
            -> Index Only Scan using idx_software_license_policies_unique_on_project_and_scan_policy on public.software_license_policies (cost=0.29..1.82 rows=2 width=12) (actual time=2.655..2.658 rows=4 loops=1)
                 Index Cond: (software_license_policies.project_id = 43774395)
                 Heap Fetches: 4
                 Buffers: shared hit=1 read=3
                 I/O Timings: read=2.603 write=0.000

Time: 5.608 ms
  - planning: 1.577 ms
  - execution: 4.031 ms
    - I/O read: 2.603 ms
    - I/O write: 0.000 ms

Shared buffers:
  - hits: 5 (~40.00 KiB) from the buffer pool
  - reads: 3 (~24.00 KiB) from the OS file cache, including disk I/O
  - dirtied: 1 (~8.00 KiB)
  - writes: 0
```
Screenshots or screen recordings
There is a list of test cases created for the epic in &8092 (comment 1278192815) and their status for approvals in #385606 (comment 1289749704). Those test cases are run against the changes in this MR. These are the MR widget and pipeline tab changes for those cases:
(Screenshots not reproduced here: MR Widget (before), MR Widget (after), Pipeline tab (before), Pipeline tab (after).)
How to set up and validate locally

- Clone https://gitlab.com/gitlab-org/govern/demos/license-approval-policies-test-cases and enable the `license_scanning_policies` feature flag for the project.
- Take the policies from https://gitlab.com/gitlab-org/govern/demos/license-approval-policies/license-approval-policies-security-policy-project/-/blob/main/.gitlab/security-policies/policy.yml and create a Scan result policy from: Security & Compliance -> Policies -> New scan result policy -> License Scan.
- Create MRs by updating the `report.json` in `.gitlab-ci.yml` and check the license compliance MR widget and the license tab in the pipeline view.
MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

- I have evaluated the MR acceptance checklist for this MR.