
Enhance license dependency equality

What does this MR do and why?

Whilst working on Implement License Scanning SBOM scanner, we discovered that the backend cannot accurately track licenses of project dependencies that share the same package name but have different package types, or different package versions. This merge request extends #eql? and #hash to allow for these cases to be handled.

#390027 (closed)
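To make the equality change concrete, here is an added, stand-alone Ruby illustration (not GitLab's own code) of the #eql?/#hash contract the MR describes: a hypothetical LicenseDependency value object whose identity is the tuple of name, version and package_manager, so that two reports contributing yargs-parser under different versions or package types are kept as distinct entries, while a genuine duplicate collapses to one. The report text below is constructed to mirror the validation steps; `merge_by_name` stands in for the old name-only behaviour and is an assumption about it, not a copy of the previous implementation.

```ruby
require 'json'
require 'set'

# Hypothetical value object for one entry of a license scanning report's
# "dependencies" array. Not GitLab's class; it only demonstrates the contract.
class LicenseDependency
  attr_reader :name, :version, :package_manager, :path, :licenses

  def initialize(name:, version:, package_manager:, path:, licenses:)
    @name = name
    @version = version
    @package_manager = package_manager
    @path = path
    @licenses = licenses
  end

  # Identity is name + version + package type. Path and the license list are
  # deliberately left out so the same package reported by two jobs merges.
  def identity
    [name, version, package_manager]
  end

  # Set, Hash and Array#uniq all rely on eql? together with hash; both must
  # agree on the same identity tuple or deduplication silently breaks.
  def eql?(other)
    other.is_a?(self.class) && identity == other.identity
  end

  def ==(other)
    eql?(other)
  end

  def hash
    identity.hash
  end
end

# Parses the "dependencies" array of a v2.1 license scanning report.
def parse_dependencies(json_text)
  JSON.parse(json_text).fetch('dependencies').map do |dep|
    LicenseDependency.new(
      name: dep.fetch('name'),
      version: dep.fetch('version'),
      package_manager: dep.fetch('package_manager'),
      path: dep.fetch('path'),
      licenses: dep.fetch('licenses')
    )
  end
end

# Merges several reports, keeping one entry per (name, version, package type).
def merge_reports(*report_texts)
  report_texts.flat_map { |text| parse_dependencies(text) }.to_set.to_a
end

# Assumed stand-in for the pre-MR behaviour: equality keyed on name alone,
# which collapses yargs-parser 1.2.3 (bundler) and 2.3.4 (npm) into one row.
def merge_by_name(*report_texts)
  report_texts.flat_map { |text| parse_dependencies(text) }.uniq(&:name)
end

# Constructed sample reports (same shape as the MR's validation files).
def sample_report(name:, version:, package_manager:, path:)
  {
    'version' => '2.1',
    'licenses' => [{ 'id' => 'MIT', 'name' => 'MIT License',
                     'url' => 'https://opensource.org/licenses/MIT' }],
    'dependencies' => [{ 'name' => name, 'version' => version,
                         'package_manager' => package_manager,
                         'path' => path, 'licenses' => ['MIT'] }]
  }.to_json
end

REPORT_BUNDLER = sample_report(name: 'yargs-parser', version: '1.2.3',
                               package_manager: 'bundler', path: 'Gemfile.lock')
REPORT_NPM     = sample_report(name: 'yargs-parser', version: '2.3.4',
                               package_manager: 'npm', path: 'package.lock')
# Same package as REPORT_BUNDLER, reported from a second job at another path.
REPORT_BUNDLER_AGAIN = sample_report(name: 'yargs-parser', version: '1.2.3',
                                     package_manager: 'bundler',
                                     path: 'sub/Gemfile.lock')

if $PROGRAM_NAME == __FILE__
  merge_reports(REPORT_BUNDLER, REPORT_NPM).each do |dep|
    puts "#{dep.name} #{dep.version} (#{dep.package_manager})"
  end
  puts "name-only merge would keep #{merge_by_name(REPORT_BUNDLER, REPORT_NPM).size} entry"
end
```

Running the file lists both yargs-parser rows, matching the "After" behaviour in the MR, while the name-only merge keeps only one; passing the same bundler report twice still yields a single entry, since path is not part of the identity.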

Screenshots or screen recordings

Before and after screenshots (images not reproduced in this extract).

How to set up and validate locally

  1. Create a gl-license-scanning-report.json file with the following contents:

    {
      "version": "2.1",
      "licenses": [
        {
          "id": "MIT",
          "name": "MIT License",
          "url": "https://opensource.org/licenses/MIT"
        }
      ],
      "dependencies": [
        {
          "name": "yargs-parser",
          "version": "1.2.3",
          "package_manager": "bundler",
          "path": "Gemfile.lock",
          "licenses": [
            "MIT"
          ]
        }
      ]
    }
  2. Create another file named gl-license-scanning-report-2.json with the following contents:

    {
      "version": "2.1",
      "licenses": [
        {
          "id": "MIT",
          "name": "MIT License",
          "url": "https://opensource.org/licenses/MIT"
        }
      ],
      "dependencies": [
        {
          "name": "another-package",
          "version": "2.3.4",
          "package_manager": "npm",
          "path": "package.lock",
          "licenses": [
            "MIT"
          ]
        }
      ]
    }
  3. Create a .gitlab-ci.yml with two jobs which reference the above two license scanning reports:

    job 1:
      script:
        - echo "test"
      artifacts:
        reports:
          license_scanning:
            - gl-license-scanning-report.json
    
    job 2:
      script:
        - echo "test"
      artifacts:
        reports:
          license_scanning:
            - gl-license-scanning-report-2.json
  4. Commit all the above files and wait for the pipeline to finish.

  5. Go to Security and Compliance > License scanning.

  6. Notice that both packages, another-package (2.3.4) and yargs-parser (1.2.3), show up in the license list.

  7. Update the gl-license-scanning-report-2.json file that you created in step 2 above and change "name": "another-package" to "name": "yargs-parser", to introduce a collision with the instance of "name": "yargs-parser" in gl-license-scanning-report.json:

    {
      "version": "2.1",
      "licenses": [
        {
          "id": "MIT",
          "name": "MIT License",
          "url": "https://opensource.org/licenses/MIT"
        }
      ],
      "dependencies": [
        {
          "name": "yargs-parser",
          "version": "2.3.4",
          "package_manager": "npm",
          "path": "package.lock",
          "licenses": [
            "MIT"
          ]
        }
      ]
    }
  8. Commit the above change and wait for the pipeline to finish.

  9. Go to Security and Compliance > License scanning.

  10. Notice that both instances of yargs-parser now show up in the license compliance list.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Philip Cunningham
