Draft: Ingest component licenses from CycloneDX SBOMs
What does this MR do and why?
Ingest component licenses from CycloneDX SBOMs
Related to #370013 (closed), #415935 (closed), and #441078 (closed)
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Screenshots or screen recordings
Custom License on Dependency List
Custom License on pipeline page
Blocked MR
How to set up and validate locally
Numbered steps to set up and validate the change are strongly suggested.
- Enable the `custom_software_license` feature flag in the Rails console:

```ruby
Feature.enable(:custom_software_license)
```
- Create a new project
- Go to Secure > Policies
- Click New policy
- Select Merge request approval policy
- Create a policy like the following (it denies the custom license name `Custom-License` on protected branches and requires one developer approval when it is detected):

```yaml
type: approval_policy
name: test custom license
description: ''
enabled: true
rules:
  - type: license_finding
    match_on_inclusion_license: true
    license_types:
      - Custom-License
    license_states:
      - detected
    branch_type: protected
actions:
  - type: require_approval
    approvals_required: 1
    role_approvers:
      - developer
  - type: send_bot_message
    enabled: true
approval_settings:
  block_branch_modification: false
  prevent_pushing_and_force_pushing: false
  prevent_approval_by_author: false
  prevent_approval_by_commit_author: false
  remove_approvals_with_new_commit: false
  require_password_to_approve: false
fallback_behavior:
  fail: closed
```
- Check that the new license was saved in the `custom_software_license` table:

```ruby
Security::CustomSoftwareLicense.last
# => #<Security::CustomSoftwareLicense:0x000000016269d300 id: 15, project_id: 986, name: "Custom-License">
```
- Check the last `SoftwareLicensePolicy` record. It should be linked to the new custom license through `custom_software_license_id` (note that `software_license_id` is `nil`):

```ruby
SoftwareLicensePolicy.last
=> [#<SoftwareLicensePolicy:0x000000017a4947a8
  id: 38018,
  project_id: 986,
  software_license_id: nil,
  classification: "denied",
  created_at: Tue, 06 Aug 2024 12:18:23.735237000 UTC +00:00,
  updated_at: Tue, 06 Aug 2024 12:18:23.735237000 UTC +00:00,
  scan_result_policy_id: 729,
  custom_software_license_id: 15,
  approval_policy_rule_id: nil>]
```
- Add a `.gitlab-ci.yml` with the content (the job only needs to publish the SBOM below as a `cyclonedx` report artifact, so its script is a no-op):

```yaml
include:
  - template: Jobs/Dependency-Scanning.gitlab-ci.yml

gemnasium-dependency_scanning:
  stage: test
  script: 'pwd'
  artifacts:
    reports:
      cyclonedx: gl-sbom-gem-bundler.cdx.json
```
- Add an empty `Gemfile.lock` file
- Add a file called `gl-sbom-gem-bundler.cdx.json` with the content (the single component carries a license given by `name` rather than an SPDX `id`, which is what the custom license ingestion picks up):

```json
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "serialNumber": "urn:uuid:a15e529c-2113-4a11-a694-6bc3ea4e2b53",
  "version": 1,
  "metadata": {
    "timestamp": "2022-02-23T08:02:39Z",
    "tools": [
      {
        "vendor": "GitLab",
        "name": "Gemnasium",
        "version": "2.34.0"
      }
    ],
    "authors": [
      {
        "name": "GitLab",
        "email": "support@gitlab.com"
      }
    ],
    "properties": [
      {
        "name": "gitlab:dependency_scanning:input_file:path",
        "value": "Gemfile.lock"
      },
      {
        "name": "gitlab:dependency_scanning:package_manager:name",
        "value": "bundler"
      },
      {
        "name": "gitlab:meta:schema_version",
        "value": "1"
      }
    ]
  },
  "components": [
    {
      "name": "sidekiq",
      "version": "4.2.10",
      "purl": "pkg:gem/sidekiq@4.2.10",
      "type": "library",
      "bom-ref": "pkg:gem/sidekiq@4.2.10",
      "licenses": [
        {
          "license": {
            "name": "Custom-License"
          }
        }
      ]
    }
  ]
}
```
- Run a pipeline
- Verify the new license appears in the Licenses tab
- Click Manage Licenses and verify the dependency shows the new license
- Create a new merge request
- Verify the MR is blocked and requires approval under the policy
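The steps above exercise the ingestion end to end through a pipeline. As an added example, not code from this MR or from GitLab, the stand-alone Ruby script below shows the two pieces the validation relies on: parsing `licenses` entries out of a CycloneDX document (SPDX `id` versus free-form `name`) and evaluating a `license_finding` rule against them in both `match_on_inclusion_license` modes. The sample SBOM is constructed for the example and goes beyond the single-component fixture above; the function names, the decision to treat a license `expression` as a custom name, and the separate reporting of components with no license data are assumptions of this example, not a description of GitLab's implementation.

```ruby
require 'json'
require 'set'

# Constructed sample SBOM for this example (not the MR's fixture). It mixes an
# SPDX-identified license, a custom license given only by name, a license
# expression, and a component with no license information at all.
SAMPLE_SBOM = <<~JSON
  {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "components": [
      { "name": "sidekiq", "version": "4.2.10", "purl": "pkg:gem/sidekiq@4.2.10", "type": "library",
        "licenses": [ { "license": { "name": "Custom-License" } } ] },
      { "name": "rails", "version": "7.1.3", "purl": "pkg:gem/rails@7.1.3", "type": "library",
        "licenses": [ { "license": { "id": "MIT" } } ] },
      { "name": "nokogiri", "version": "1.16.2", "purl": "pkg:gem/nokogiri@1.16.2", "type": "library",
        "licenses": [ { "expression": "MIT OR Apache-2.0" } ] },
      { "name": "unknown-gem", "version": "0.1.0", "purl": "pkg:gem/unknown-gem@0.1.0", "type": "library" }
    ]
  }
JSON

# Normalize one entry of a component's `licenses` array. CycloneDX allows either
# a `license` object (with an SPDX `id` or a free-form `name`) or a bare
# `expression`. Expressions are treated as custom names here (an assumption of
# this example, not necessarily how GitLab handles them). Returns nil for
# entries that carry neither, so they are dropped rather than mis-ingested.
def license_from_choice(choice)
  if (lic = choice['license'])
    if lic['id']
      { spdx_id: lic['id'], name: nil, custom: false }
    elsif lic['name']
      { spdx_id: nil, name: lic['name'].strip, custom: true }
    end
  elsif choice['expression']
    { spdx_id: nil, name: choice['expression'].strip, custom: true }
  end
end

# Parse a CycloneDX JSON document and map each component (by purl, or
# name@version when no purl is given) to its normalized licenses. Documents
# that are not CycloneDX are rejected up front instead of yielding an empty,
# silently "clean" result.
def ingest_component_licenses(json)
  doc = JSON.parse(json)
  raise ArgumentError, 'not a CycloneDX SBOM' unless doc['bomFormat'] == 'CycloneDX'

  Array(doc['components']).each_with_object({}) do |component, acc|
    key = component['purl'] || "#{component['name']}@#{component['version']}"
    acc[key] = Array(component['licenses']).filter_map { |choice| license_from_choice(choice) }
  end
end

# Evaluate a license_finding rule against the ingested licenses. `license_types`
# holds the names (or SPDX ids) listed in the policy. With
# match_on_inclusion_license: true a component is flagged when it carries one
# of the listed licenses (deny list); with false it is flagged when it carries
# any license that is not listed (allow list). Returns the flagged purls.
def license_violations(component_licenses, license_types:, match_on_inclusion_license: true)
  listed = license_types.map(&:strip).to_set
  component_licenses.select do |_purl, licenses|
    ids = licenses.map { |l| l[:spdx_id] || l[:name] }
    if match_on_inclusion_license
      ids.any? { |id| listed.include?(id) }
    else
      ids.any? { |id| !listed.include?(id) }
    end
  end.keys
end

# Components with no license information match neither mode above, so they are
# reported separately rather than passing silently as compliant.
def unlicensed_components(component_licenses)
  component_licenses.select { |_purl, licenses| licenses.empty? }.keys
end

if $PROGRAM_NAME == __FILE__
  licenses = ingest_component_licenses(SAMPLE_SBOM)
  puts "denied (Custom-License): #{license_violations(licenses, license_types: ['Custom-License']).inspect}"
  puts "outside allow list (MIT): #{license_violations(licenses, license_types: ['MIT'], match_on_inclusion_license: false).inspect}"
  puts "no license data: #{unlicensed_components(licenses).inspect}"
end
```

Run it with `ruby sbom_licenses.rb` (file name is arbitrary). The deny-list call reproduces the policy above: only `sidekiq`, whose license is the custom name `Custom-License`, is flagged. The allow-list call shows why name-based matching needs care: the `MIT OR Apache-2.0` expression does not equal the listed `MIT` and is flagged alongside the custom license, while the component with no license data is flagged by neither mode and only surfaces through `unlicensed_components`.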
Edited by Marcos Rocha