Skip to content

Sync scan_result_policy_violations for license_scanning rules

Martin Čavoj requested to merge 417598-sync-license-violations into master

What does this MR do and why?

In order to utilize the new table scan_result_policy_violations for the bot comment, we need to sync the violations not only for scan_finding, any_merge_request rules, but also for license_scanning.

More context can be found in this discussion.

This MR adds a sync for these violations so that the violation records will get removed in case there are no license policy violations.

How to set up and validate locally

  1. The sync of violations is tied to scan_result_any_merge_request feature flag, it will need to be enabled in order for the violations to get populated in the DB.
    Feature.enable(:scan_result_any_merge_request)
  2. Packages will have to synced for the licenses to identify correctly: Guide. Alternatively, the dependency scanning artifacts can be "faked" via .gitlab-ci.yml.
  3. Go to Secure -> Policies and create a new policy for licenses. Sample YAML:
    type: scan_result_policy
    name: Licenses
    description: ''
    enabled: true
    rules:
      - type: license_finding
        match_on_inclusion: true
        license_types:
          - BSD 3-Clause "New" or "Revised" License
        license_states:
          - newly_detected
        branch_type: protected
    actions:
      - type: require_approval
        approvals_required: 1
        user_approvers_ids:
          - 1
  4. Create MR which violates the policy, for example by adding a file requirements.txt:
    pytest
  5. Observe the row in scan_result_policy_violations table for this merge request
  6. Update the MR to not violate the policy, for example by changing the package to pluggy (MIT license)
  7. The row in scan_result_policy_violations table should be removed

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #417598 (closed)

Edited by Martin Čavoj

Merge request reports

Loading