Commit bb2f3475 authored by mo khan's avatar mo khan

Upgrade to `license_scanning` report v2.1

* https://gitlab.com/gitlab-org/gitlab/-/issues/37719
parent 67844a61
---
title: Upgrade to `license_scanning` report v2.1
merge_request: 34224
author:
type: added
......@@ -91,7 +91,7 @@ RSpec.describe Projects::LicensesController do
let_it_be(:mit_policy) { create(:software_license_policy, :denied, software_license: mit, project: project) }
let_it_be(:other_license) { create(:software_license, spdx_identifier: "Other-Id") }
let_it_be(:other_license_policy) { create(:software_license_policy, :allowed, software_license: other_license, project: project) }
let_it_be(:pipeline) { create(:ee_ci_pipeline, project: project, builds: [create(:ee_ci_build, :license_scan_v2, :success)]) }
let_it_be(:pipeline) { create(:ee_ci_pipeline, project: project, builds: [create(:ee_ci_build, :license_scan_v2_1, :success)]) }
context "when loading all policies" do
before do
......@@ -116,7 +116,7 @@ RSpec.describe Projects::LicensesController do
"id" => nil,
"spdx_identifier" => "BSD-3-Clause",
"name" => "BSD 3-Clause \"New\" or \"Revised\" License",
"url" => "http://spdx.org/licenses/BSD-3-Clause.json",
"url" => "https://opensource.org/licenses/BSD-3-Clause",
"classification" => "unclassified"
})
end
......@@ -126,7 +126,7 @@ RSpec.describe Projects::LicensesController do
"id" => mit_policy.id,
"spdx_identifier" => "MIT",
"name" => mit.name,
"url" => "http://spdx.org/licenses/MIT.json",
"url" => "https://opensource.org/licenses/MIT",
"classification" => "denied"
})
end
......
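Review bot: The new `url` expectations at L25 and L34 pin the value verbatim from the v2.1 fixture, so the only URL shapes this controller spec exercises are well-formed `https://` links from a fixture the project controls. The report itself is produced by the project's own `license_scanning` CI job, so a `url` field with an unexpected scheme or an oversized value is within reach of anyone who can influence that job's output; an additional example asserting what the controller returns for such a value, or for the empty `url` the fixture gives the `unknown` license, would document the intended handling rather than leave it implied. The `context "when loading all policies"` block (L18) and the enclosing describe run outside the hunk.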
......@@ -114,7 +114,7 @@ FactoryBot.define do
end
end
%w[1 1_1 2].each do |version|
%w[1 1_1 2 2_1].each do |version|
trait :"license_scan_v#{version}" do
after :build do |build|
build.job_artifacts << build(:ee_ci_job_artifact, :license_scan, :"v#{version}", job: build)
......
......@@ -316,7 +316,7 @@ FactoryBot.define do
file_format { :raw }
end
%w[1 1_1 2].each do |version|
%w[1 1_1 2 2_1].each do |version|
trait :"v#{version}" do
after(:build) do |artifact, _|
filename = "gl-#{artifact.file_type.dasherize}-report-v#{version.sub(/_/, '.')}.json"
......
{
"version": "2.1",
"licenses": [
{
"id": "BSD-3-Clause",
"name": "BSD 3-Clause \"New\" or \"Revised\" License",
"url": "https://opensource.org/licenses/BSD-3-Clause"
},
{
"id": "MIT",
"name": "MIT License",
"url": "https://opensource.org/licenses/MIT"
},
{
"id": "unknown",
"name": "unknown",
"url": ""
}
],
"dependencies": [
{
"name": "a",
"version": "1.0.0",
"package_manager": "bundler",
"path": "Gemfile.lock",
"licenses": ["MIT"]
},
{
"name": "b",
"version": "0.1.0",
"package_manager": "yarn",
"path": "yarn.lock",
"licenses": ["BSD-3-Clause"]
},
{
"name": "c",
"version": "1.1.0",
"package_manager": "bundler",
"path": "Gemfile.lock",
"licenses": ["MIT", "BSD-3-Clause"]
},
{
"name": "d",
"version": "1.1.1",
"package_manager": "bundler",
"path": "Gemfile.lock",
"licenses": ["unknown"]
}
]
}
......@@ -74,10 +74,10 @@ RSpec.describe Gitlab::Ci::Parsers::LicenseCompliance::LicenseScanning do
end
context 'when parsing a valid v2 report' do
let(:v2_data) { fixture_file('security_reports/gl-license-scanning-report-v2.json', dir: 'ee') }
let(:v2_0_data) { fixture_file('security_reports/gl-license-scanning-report-v2.json', dir: 'ee') }
before do
subject.parse!(v2_data, report)
subject.parse!(v2_0_data, report)
end
it { expect(report.version).to eql('2.0') }
......@@ -105,6 +105,44 @@ RSpec.describe Gitlab::Ci::Parsers::LicenseCompliance::LicenseScanning do
it { expect(report.licenses[2].dependencies.map(&:name)).to contain_exactly('d') }
end
context 'when parsing a valid v2.1 report' do
let(:v2_1_data) { fixture_file('security_reports/gl-license-scanning-report-v2.1.json', dir: 'ee') }
before do
subject.parse!(v2_1_data, report)
end
it { expect(report.version).to eql('2.1') }
it { expect(report.licenses.count).to eq(3) }
it 'parses the BSD license' do
expect(report.licenses[0].id).to eql('BSD-3-Clause')
expect(report.licenses[0].name).to eql('BSD 3-Clause "New" or "Revised" License')
expect(report.licenses[0].url).to eql('https://opensource.org/licenses/BSD-3-Clause')
expect(report.licenses[0].count).to be(2)
expect(report.licenses[0].dependencies.count).to be(2)
expect(report.licenses[0].dependencies.map(&:name)).to contain_exactly('b', 'c')
end
it 'parses the MIT license' do
expect(report.licenses[1].id).to eql('MIT')
expect(report.licenses[1].name).to eql('MIT License')
expect(report.licenses[1].url).to eql('https://opensource.org/licenses/MIT')
expect(report.licenses[1].count).to be(2)
expect(report.licenses[1].dependencies.count).to be(2)
expect(report.licenses[1].dependencies.map(&:name)).to contain_exactly('a', 'c')
end
it 'parses an unknown license' do
expect(report.licenses[2].id).to be_nil
expect(report.licenses[2].name).to eql('unknown')
expect(report.licenses[2].url).to eql('')
expect(report.licenses[2].count).to be(1)
expect(report.licenses[2].dependencies.count).to be(1)
expect(report.licenses[2].dependencies.map(&:name)).to contain_exactly('d')
end
end
context 'when parsing a v2 report with a missing license definition' do
let(:v2_data) do
{
......
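Review bot: The `it 'parses an unknown license'` example at L143-L150 expects `report.licenses[2].id` to be nil although the v2.1 fixture (L71) declares `"id": "unknown"`; presumably the parser normalises that placeholder to a nil SPDX identifier, and a one-line comment above the example, `# licenses without an SPDX identifier are reported with a nil id`, would keep the next reader from treating the `be_nil` as a typo. The rest of the context (L120-L151) mirrors the v2 examples above it with only the version string and the `opensource.org` URLs changed, so a short comment at the top of the context stating that the 2.1 fixture differs from 2.0 only in those fields — if that is the case — would make the duplication look deliberate rather than accidental. The enclosing `RSpec.describe` block starts and ends outside the hunk.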
......@@ -57,7 +57,7 @@ RSpec.describe SCA::LicenseCompliance do
context "when the dependency scan produces a poorly formatted report" do
let(:builds) do
[
create(:ee_ci_build, :success, :license_scan_v2),
create(:ee_ci_build, :success, :license_scan_v2_1),
create(:ee_ci_build, :success, :corrupted_dependency_scanning_report)
]
end
......@@ -107,6 +107,48 @@ RSpec.describe SCA::LicenseCompliance do
end
end
context "when a pipeline has successfully produced a v2.1 license scan report" do
let(:builds) { [create(:ee_ci_build, :success, :license_scan_v2_1)] }
let!(:mit_policy) { create(:software_license_policy, :denied, software_license: mit, project: project) }
let!(:other_license_policy) { create(:software_license_policy, :allowed, software_license: other_license, project: project) }
it "includes a policy for each detected license and classified license" do
expect(subject.policies.count).to eq(4)
end
it 'includes a policy for a detected license that is unclassified' do
expect(subject.policies[0].id).to be_nil
expect(subject.policies[0].name).to eq("BSD 3-Clause \"New\" or \"Revised\" License")
expect(subject.policies[0].url).to eq("https://opensource.org/licenses/BSD-3-Clause")
expect(subject.policies[0].classification).to eq("unclassified")
expect(subject.policies[0].spdx_identifier).to eq("BSD-3-Clause")
end
it 'includes a policy for a classified license that was also detected in the scan report' do
expect(subject.policies[1].id).to eq(mit_policy.id)
expect(subject.policies[1].name).to eq(mit.name)
expect(subject.policies[1].url).to eq("https://opensource.org/licenses/MIT")
expect(subject.policies[1].classification).to eq("denied")
expect(subject.policies[1].spdx_identifier).to eq("MIT")
end
it 'includes a policy for a classified license that was not detected in the scan report' do
expect(subject.policies[2].id).to eq(other_license_policy.id)
expect(subject.policies[2].name).to eq(other_license.name)
expect(subject.policies[2].url).to be_blank
expect(subject.policies[2].classification).to eq("allowed")
expect(subject.policies[2].spdx_identifier).to eq(other_license.spdx_identifier)
end
it 'includes a policy for an unclassified and unknown license that was detected in the scan report' do
expect(subject.policies[3].id).to be_nil
expect(subject.policies[3].name).to eq("unknown")
expect(subject.policies[3].url).to be_blank
expect(subject.policies[3].classification).to eq("unclassified")
expect(subject.policies[3].spdx_identifier).to be_nil
end
end
context "when a pipeline has successfully produced a v1.1 license scan report" do
let(:builds) { [create(:ee_ci_build, :license_scan_v1_1, :success)] }
let!(:mit_policy) { create(:software_license_policy, :denied, software_license: mit, project: project) }
......@@ -148,7 +190,7 @@ RSpec.describe SCA::LicenseCompliance do
end
describe "#find_policies" do
let!(:pipeline) { create(:ci_pipeline, :success, project: project, builds: [create(:ee_ci_build, :success, :license_scan_v2)]) }
let!(:pipeline) { create(:ci_pipeline, :success, project: project, builds: [create(:ee_ci_build, :success, :license_scan_v2_1)]) }
let!(:mit_policy) { create(:software_license_policy, :denied, software_license: mit, project: project) }
let!(:other_license_policy) { create(:software_license_policy, :allowed, software_license: other_license, project: project) }
......@@ -171,7 +213,7 @@ RSpec.describe SCA::LicenseCompliance do
results[0],
id: nil,
name: 'BSD 3-Clause "New" or "Revised" License',
url: "http://spdx.org/licenses/BSD-3-Clause.json",
url: "https://opensource.org/licenses/BSD-3-Clause",
classification: "unclassified",
spdx_identifier: "BSD-3-Clause"
)
......@@ -182,7 +224,7 @@ RSpec.describe SCA::LicenseCompliance do
results[1],
id: mit_policy.id,
name: mit.name,
url: "http://spdx.org/licenses/MIT.json",
url: "https://opensource.org/licenses/MIT",
classification: "denied",
spdx_identifier: "MIT"
)
......@@ -225,7 +267,7 @@ RSpec.describe SCA::LicenseCompliance do
results[0],
id: mit_policy.id,
name: mit_policy.software_license.name,
url: 'http://spdx.org/licenses/MIT.json',
url: 'https://opensource.org/licenses/MIT',
classification: "denied",
spdx_identifier: mit_policy.software_license.spdx_identifier
)
......@@ -249,7 +291,7 @@ RSpec.describe SCA::LicenseCompliance do
results[0],
id: mit_policy.id,
name: mit_policy.software_license.name,
url: 'http://spdx.org/licenses/MIT.json',
url: 'https://opensource.org/licenses/MIT',
classification: "denied",
spdx_identifier: mit_policy.software_license.spdx_identifier
)
......@@ -292,7 +334,7 @@ RSpec.describe SCA::LicenseCompliance do
describe "#latest_build_for_default_branch" do
let(:regular_build) { create(:ci_build, :success) }
let(:license_scan_build) { create(:ee_ci_build, :license_scan_v2, :success) }
let(:license_scan_build) { create(:ee_ci_build, :license_scan_v2_1, :success) }
context "when a pipeline has never been completed for the project" do
it { expect(subject.latest_build_for_default_branch).to be_nil }
......
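Review bot: The new context at L168-L203 repeats the full `let`/`let!` setup and four `it` blocks of its siblings — the v1.1 context that follows at L204 opens with the same lines, and the v2 context this one appears to be copied from sits outside the hunk — with only the factory trait and the two expected URLs differing. A `shared_examples` parameterised by trait and a URL map would keep a single copy of the policy assertions and make the per-version differences explicit; a sketch follows. The `let!` setup here also differs in style from the `let_it_be` used for the same records in the licenses controller spec, which is worth aligning while both specs are being touched. `RSpec.describe SCA::LicenseCompliance` starts and ends outside the hunk.

```ruby
shared_examples "a pipeline with a license scan report" do |trait, expected_urls|
  let(:builds) { [create(:ee_ci_build, :success, trait)] }
  let!(:mit_policy) { create(:software_license_policy, :denied, software_license: mit, project: project) }
  let!(:other_license_policy) { create(:software_license_policy, :allowed, software_license: other_license, project: project) }

  it "includes a policy for each detected license and classified license" do
    expect(subject.policies.count).to eq(4)
  end

  it 'includes a policy for a detected license that is unclassified' do
    expect(subject.policies[0].url).to eq(expected_urls.fetch("BSD-3-Clause"))
    # … unchanged: remaining assertions for policies[0] …
  end

  it 'includes a policy for a classified license that was also detected in the scan report' do
    expect(subject.policies[1].url).to eq(expected_urls.fetch("MIT"))
    # … unchanged: remaining assertions for policies[1] …
  end

  # … unchanged: examples for policies[2] and policies[3], which do not depend on the version …
end

context "when a pipeline has successfully produced a v2.1 license scan report" do
  include_examples "a pipeline with a license scan report", :license_scan_v2_1,
                   "BSD-3-Clause" => "https://opensource.org/licenses/BSD-3-Clause",
                   "MIT" => "https://opensource.org/licenses/MIT"
end
```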
......@@ -19,6 +19,7 @@ license_scanning:
entrypoint: [""]
variables:
LM_REPORT_FILE: gl-license-scanning-report.json
LM_REPORT_VERSION: '2.1'
SETUP_CMD: $LICENSE_MANAGEMENT_SETUP_CMD
allow_failure: true
script:
......
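Review bot: `LM_REPORT_VERSION: '2.1'` at L262 is an undocumented magic value in the template; a comment above it such as `# Report schema version requested from the analyzer; keep in step with the versions covered by the LicenseScanning parser spec` would tell template maintainers why it is pinned and what to check when bumping it. Because `variables:` in a template can be overridden per project, the parser presumably still has to accept the older formats — the spec in this commit keeps examples for 1.1 and 2.0 (L116, L204) — and that expectation is worth stating in the same comment so nobody drops the old parsers on the assumption that every pipeline now emits 2.1. The `license_scanning:` job definition starts before and ends after the hunk.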