Skip to content

Backfill SPDX identifiers in software_licenses table

mo khan requested to merge 13083-normalise-license-names into master

What does this MR do?

This MR adds the spdx_identifier to the software_licenses table. The spdx_identifier originates from the SPDX database. By storing the spdx_identifer we can improve how we detect software license violations. SPDX is an open standard for communicating software bill of material information including license names and identifiers.

Today we perform a case insensitive match against the name of the license. This has proved to not be dependable because a software license can have multiple names. V2 of the license management report has been released and includes the SPDX identifier for each detected license. This MR benefits us because we can now work towards performing a diff based on a license identifier which is not likely to change rather than a name, which is likely to be inconsistent as demonstrated here.

This MR also seeds the software_licenses table with all licenses described in the SPDX index. This provides an opportunity for our customers to classify any license before detection rather than depending on user entered license names to provide that information.

Screenshots

Does this MR meet the acceptance criteria?

Conformity

Performance and Testing

Security

If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:

  • [-] Label as security and @ mention @gitlab-com/gl-security/appsec
  • [-] The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
  • [-] Security reports checked/validated by a reviewer from the AppSec team

#13083 (closed)

Edited by 🤖 GitLab Bot 🤖

Merge request reports

Loading