
Fix license approval policy for pre-existing license_state

What does this MR do and why?

This MR addresses 2 items:

  • Fixes MR approval policies (license_finding type) to enforce approval correctly for pre-existing license states (#442045 (closed))
  • Adds comparison-pipeline information to the policy violation bot comment for license_finding rules
  • Refactors Security::SyncLicenseScanningRulesService, breaking it into granular classes (#454415 (closed)):
    • Security::ScanResultPolicies::UpdateLicenseApprovalsService
    • Security::ScanResultPolicies::LicenseViolationChecker

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

Bot comment for previously existing states: [screenshot]

Bot comment for newly introduced states: [screenshot]

How to set up and validate locally

  1. Make sure to sync licenses and package metadata by following https://gitlab.com/gitlab-org/gitlab-development-kit/-/blob/main/doc/howto/license_compliance.md
  2. Create a project and add dependency scanning to .gitlab-ci.yml:

       include:
         - template: Jobs/Dependency-Scanning.gitlab-ci.yml

       build-job:
         script:
           - echo "Building"

  3. Add a Gemfile.lock with some dependencies (MIT license):

       GEM
         remote: https://rubygems.org/
         specs:
           diff-lcs (1.5.1)
           rspec (3.13.0)
             rspec-core (~> 3.13.0)
             rspec-expectations (~> 3.13.0)
             rspec-mocks (~> 3.13.0)
           rspec-core (3.13.0)
             rspec-support (~> 3.13.0)
           rspec-expectations (3.13.0)
             diff-lcs (>= 1.2.0, < 2.0)
             rspec-support (~> 3.13.0)
           rspec-mocks (3.13.0)
             diff-lcs (>= 1.2.0, < 2.0)
             rspec-support (~> 3.13.0)
           rspec-support (3.13.1)

       PLATFORMS
         arm64-darwin-21

       DEPENDENCIES
         rspec (~> 3.13)

       BUNDLED WITH
          2.4.13

  4. Go to Secure -> Policies and create a new policy:

       type: approval_policy
       name: Pre-Existing License Policy
       description: ''
       enabled: true
       rules:
         - type: license_finding
           match_on_inclusion_license: true
           license_types:
             - MIT License
           license_states:
             - detected
           branch_type: protected
       actions:
         - type: require_approval
           approvals_required: 1
           role_approvers:
             - developer

  5. Create an MR that updates the README and verify that the MR requires approval and that the bot comment is added.
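The decision this MR fixes can be stated compactly: a license_finding rule with license_states: detected must require approval when a matching license already exists on the target branch, while newly_detected only fires for licenses absent from the target branch. The Ruby below is an added example written to illustrate that distinction against the policy from step 4; it is not GitLab's code. The class borrows the LicenseViolationChecker name from this MR, but its structure, method names, the rule hash shape, and keying "pre-existing" on the license name alone (rather than on the dependency) are assumptions made for illustration.

```ruby
# Added example (not GitLab's code): a minimal model of evaluating a
# license_finding approval rule against the licenses found on the MR's
# target branch (the comparison pipeline) and in the MR pipeline itself.
# license_states follow GitLab's documented meaning: "newly_detected" matches
# licenses not present on the target branch, "detected" matches licenses that
# already existed there (the pre-existing case this MR fixes).
# Class/method names and the rule hash shape are assumptions for illustration.
require 'set'

class LicenseViolationChecker
  LicenseFinding = Struct.new(:package, :license, keyword_init: true)

  def initialize(rule)
    @license_types = rule.fetch(:license_types).to_set
    @inclusion = rule.fetch(:match_on_inclusion_license, true)
    @states = rule.fetch(:license_states).to_set
  end

  # Returns the MR-pipeline findings that violate the rule. A caller would
  # require approval and list these in the bot comment when non-empty.
  def violations(target_findings:, source_findings:)
    # Simplification: pre-existence is keyed on the license name alone.
    target_licenses = target_findings.map(&:license).to_set

    source_findings.select do |finding|
      next false unless license_matches?(finding.license)

      pre_existing = target_licenses.include?(finding.license)
      (pre_existing && @states.include?('detected')) ||
        (!pre_existing && @states.include?('newly_detected'))
    end
  end

  def requires_approval?(target_findings:, source_findings:)
    !violations(target_findings: target_findings, source_findings: source_findings).empty?
  end

  private

  # match_on_inclusion_license: true  => license_types is a deny list
  # match_on_inclusion_license: false => license_types is an allow list
  def license_matches?(license)
    listed = @license_types.include?(license)
    @inclusion ? listed : !listed
  end
end

# Constructed sample data mirroring the validation steps: rspec (MIT) already
# exists on the target branch; the MR pipeline additionally reports rspec-core
# (MIT) and a hypothetical package under GPL-3.0.
def sample_results
  mit = 'MIT License'
  finding = LicenseViolationChecker::LicenseFinding
  target = [finding.new(package: 'rspec', license: mit)]
  source = target + [
    finding.new(package: 'rspec-core', license: mit),
    finding.new(package: 'example-gpl-pkg', license: 'GPL-3.0')
  ]

  # The policy from step 4: MIT, pre-existing ("detected") state only.
  pre_existing_rule = { license_types: [mit], license_states: ['detected'], match_on_inclusion_license: true }
  # Same policy limited to newly introduced licenses: MIT already existed on
  # the target branch, so nothing violates.
  newly_detected_rule = { license_types: [mit], license_states: ['newly_detected'], match_on_inclusion_license: true }
  # Allow-list variant: anything that is not MIT violates, in either state.
  allow_list_rule = { license_types: [mit], license_states: %w[detected newly_detected], match_on_inclusion_license: false }

  [[:pre_existing, pre_existing_rule], [:newly_detected, newly_detected_rule], [:allow_list, allow_list_rule]].to_h do |name, rule|
    checker = LicenseViolationChecker.new(rule)
    [name, checker.violations(target_findings: target, source_findings: source).map(&:package)]
  end
end

puts sample_results.inspect if $PROGRAM_NAME == __FILE__
```

Running it shows why the bug mattered: with the step 4 policy the pre-existing MIT findings (rspec and rspec-core) are violations and approval is required, whereas a newly_detected-only rule produces none because MIT was already on the target branch; the allow-list variant flags only the new GPL-3.0 package.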

Addresses #442045 (closed)

Edited by Sashi Kumar Kumaresan
