# Backfill SPDX identifiers in software_licenses table

## What does this MR do?

This MR adds the `spdx_identifier` column to the `software_licenses` table. The `spdx_identifier` originates from the SPDX database. By storing the `spdx_identifier` we can improve how we detect software license violations. SPDX is an open standard for communicating software bill of materials information, including license names and identifiers.

Today we perform a case-insensitive match against the name of the license. This has proved not to be dependable, because a software license can have multiple names. V2 of the license management report has been released and includes the SPDX identifier for each detected license. This MR benefits us because we can now work towards performing a diff based on a license identifier, which is not likely to change, rather than a name, which is likely to be inconsistent as demonstrated here.

This MR also seeds the `software_licenses` table with all licenses described in the SPDX index. This gives our customers the opportunity to classify any license before detection, rather than depending on user-entered license names to provide that information.
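The following Ruby snippet is an added illustration and not code from this MR or from GitLab. It models the two operations described above (backfilling `spdx_identifier` on existing policy rows and seeding a row for every SPDX license) with plain Ruby structs instead of a migration, then contrasts the old case-insensitive name lookup with a lookup keyed on the SPDX identifier. The `Policy` struct, the `SPDX_INDEX` subset and the detected-license hashes are constructed for the example; the real table, index and report schema are assumed, not reproduced.

```ruby
require 'set'

# Constructed subset of the SPDX license list (the real index is far larger).
SPDX_INDEX = [
  { spdx_identifier: 'MIT',          name: 'MIT License' },
  { spdx_identifier: 'GPL-2.0-only', name: 'GNU General Public License v2.0 only' },
  { spdx_identifier: 'Apache-2.0',   name: 'Apache License 2.0' },
].freeze

# Hypothetical shape of a software_licenses row: a classification keyed on the
# SPDX identifier once the backfill has run (the real schema is assumed).
Policy = Struct.new(:spdx_identifier, :name, :classification, keyword_init: true)

# Step 1 (backfill): fill spdx_identifier on existing rows by a one-time
# case-insensitive match of the stored name against the SPDX index.
# Step 2 (seed): add an 'unclassified' row for every SPDX license not present.
# Mutates the rows in `existing`, as a migration would update them in place.
def backfill_and_seed(existing, spdx_index)
  id_by_name = spdx_index.to_h { |l| [l[:name].downcase, l[:spdx_identifier]] }
  rows = existing.map do |row|
    row.spdx_identifier ||= id_by_name[row.name.downcase]
    row
  end
  present = rows.map(&:spdx_identifier).compact.to_set
  spdx_index.each do |l|
    next if present.include?(l[:spdx_identifier])
    rows << Policy.new(**l, classification: 'unclassified')
  end
  rows
end

# The old lookup: case-insensitive name match. It misses whenever the scanner
# reports a different spelling of the same license.
def classify_by_name(policies, detected_name)
  hit = policies.find { |p| p.name.casecmp?(detected_name) }
  hit&.classification
end

# The new lookup: exact match on the SPDX identifier carried by a v2 report,
# falling back to the name match only when no identifier was reported.
def classify(policies, detected)
  if detected[:spdx_identifier]
    hit = policies.find { |p| p.spdx_identifier == detected[:spdx_identifier] }
    return hit&.classification
  end
  classify_by_name(policies, detected[:name])
end

# Constructed starting state: two user-entered policies, neither with an identifier.
EXISTING = [
  Policy.new(name: 'mit license', classification: 'approved'),
  Policy.new(name: 'GNU General Public License v2.0 only', classification: 'denied'),
]
POLICIES = backfill_and_seed(EXISTING, SPDX_INDEX)

# Constructed v2-style findings: the GPL entry uses a different name spelling
# than the stored policy; the Apache entry mimics a v1 finding with no identifier.
DETECTED = [
  { name: 'GPLv2',       spdx_identifier: 'GPL-2.0-only' },
  { name: 'MIT License', spdx_identifier: 'MIT' },
  { name: 'Apache 2.0',  spdx_identifier: nil },
]

if __FILE__ == $PROGRAM_NAME
  DETECTED.each do |d|
    puts "#{d[:name]}: by name=#{classify_by_name(POLICIES, d[:name]).inspect} " \
         "by spdx=#{classify(POLICIES, d).inspect}"
  end
end
```

The GPL finding is the case the MR is about: the name lookup returns nothing because the scanner spelled the license differently from the stored policy, while the identifier lookup still finds the 'denied' classification. The seeded Apache row shows the second benefit, a policy that exists before any finding names the license, although a v1-style finding without an identifier still depends on the name being spelled exactly as in the SPDX index.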
## Screenshots

## Does this MR meet the acceptance criteria?

### Conformity

- [ ] Changelog entry
- [ ] Documentation created/updated or follow-up review issue created
- [ ] Code review guidelines
- [ ] Merge request performance guidelines
- [ ] Style guides
- [ ] Database guides
- [ ] Separation of EE specific content

### Performance and Testing

- [ ] Review and add/update tests for this feature/bug. Consider all test levels. See the Test Planning Process.
- [ ] Tested in all supported browsers

### Security

If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:

- [ ] Label as security and @ mention `@gitlab-com/gl-security/appsec`
- [ ] The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
- [ ] Security reports checked/validated by a reviewer from the AppSec team