Improve license matching when evaluating policies
What does this MR do and why?
This MR improves license matching when evaluating policies. See #438584 (closed) for more context.
If a policy is created using `spdx_identifier`, a `SoftwareLicense` is created with the `spdx_identifier` in the `name`:

```
#<SoftwareLicense:0x0000000173c1a510 id: 415, name: "MIT", spdx_identifier: nil>
```

In the report, we detect `MIT` and `MIT License`, and when we compare with `match_on_inclusion: false`, we find `MIT License` as something not mentioned in the policy and we require approval.

This fix takes the licenses listed in the policies and cross-checks them with the licenses from the report. If we find `MIT` in the report, we also take `MIT License` from it into the comparison.
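To illustrate the cross-check described above, here is an added example (not GitLab's own code): it assumes report licenses carry both a `name` and an `spdx_identifier`, that a policy entry may match either field, and that every report entry sharing a matched SPDX identifier is treated as the same license. The report data is constructed.

```ruby
# Constructed report: what a dependency scan might list for a project.
# Both "MIT" and "MIT License" resolve to the SPDX id "MIT" (assumed).
REPORT_LICENSES = [
  { name: 'MIT', spdx_identifier: 'MIT' },
  { name: 'MIT License', spdx_identifier: 'MIT' },
  { name: 'BSD-3-Clause', spdx_identifier: 'BSD-3-Clause' }
].freeze

# Expand the policy's license names into the set of report names they cover.
# A policy entry matches a report entry by name or SPDX id (case-insensitive);
# every report entry sharing a matched SPDX id is then included as well.
def expand_policy_licenses(policy_names, report_licenses)
  wanted = policy_names.map(&:downcase)
  direct = report_licenses.select do |l|
    wanted.include?(l[:name].downcase) ||
      (l[:spdx_identifier] && wanted.include?(l[:spdx_identifier].downcase))
  end
  matched_spdx = direct.map { |l| l[:spdx_identifier] }.compact.uniq

  report_licenses
    .select { |l| direct.include?(l) || matched_spdx.include?(l[:spdx_identifier]) }
    .map { |l| l[:name] }
    .uniq
end

# match_on_inclusion: false -> violations are report licenses NOT covered by the policy.
# match_on_inclusion: true  -> violations are report licenses that ARE covered.
def violating_licenses(policy_names, report_licenses, match_on_inclusion:)
  report_names = report_licenses.map { |l| l[:name] }.uniq
  covered = expand_policy_licenses(policy_names, report_licenses)
  match_on_inclusion ? report_names & covered : report_names - covered
end

# Name-only comparison (the behaviour the MR describes as the problem):
# "MIT License" is not literally "MIT", so it is flagged as unlisted.
def naive_violations(policy_names, report_licenses)
  report_licenses.map { |l| l[:name] }.uniq - policy_names
end
```

With a policy listing only `MIT`, the naive comparison flags `MIT License` while the cross-checked comparison flags only `BSD-3-Clause`.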
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
How to set up and validate locally
- Create a project
- Create `.gitlab-ci.yml`:

```yaml
include:
  - template: Jobs/Dependency-Scanning.gitlab-ci.yml

job:
  script: echo 'test'
```

- Create a `requirements.txt` file with `testpy` in it
- Create a policy:

```yaml
type: approval_policy
name: Test
description: ''
enabled: true
rules:
  - type: license_finding
    match_on_inclusion: false
    license_types:
      - MIT
    license_states:
      - newly_detected
      - detected
    branch_type: protected
actions:
  - type: require_approval
    approvals_required: 1
    role_approvers:
      - developer
```

- Update README.md in an MR
- Verify that approvals are not required
- Add `django` into `requirements.txt`
- Verify that approvals become required after the pipeline finishes
Related to #438584 (closed)