Skip to content

Improve license matching when evaluating policies

What does this MR do and why?

This MR improves license matching when evaluating policies. See #438584 (closed) for more context.

If a policy is created using spdx_identifier, SoftwareLicense is created using the spdx_identifier in the name:

#<SoftwareLicense:0x0000000173c1a510 id: 415, name: "MIT", spdx_identifier: nil>

In the report, we detect MIT, MIT License and when we compare for match_on_inclusion: false, we find MIT License as something not mentioned in the policy and we require approval.

This fix takes the licenses listed in the policies and cross-checks them with the licenses from the report. If we find MIT in the report, we also take MIT License from it into the comparison.

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

How to set up and validate locally

  1. Create a project
  2. Create .gitlab-ci.yml
    include:
      - template: Jobs/Dependency-Scanning.gitlab-ci.yml
    
    job:
      script: echo 'test'
  3. Create requirements.txt file with testpy in it
  4. Create a policy:
    type: approval_policy
    name: Test
    description: ''
    enabled: true
    rules:
      - type: license_finding
        match_on_inclusion: false
        license_types:
          - MIT
        license_states:
          - newly_detected
          - detected
        branch_type: protected
    actions:
      - type: require_approval
        approvals_required: 1
        role_approvers:
          - developer
  5. Update README.md in MR
  6. Verify that approvals are not required
  7. Add django into requirements.txt
  8. Verify that approvals become required after the pipeline finishes

Related to #438584 (closed)

Edited by Martin Čavoj

Merge request reports

Loading