bb2f3475
Commit
bb2f3475
authored
Mar 10, 2020
by
mo khan
Upgrade to `license_scanning` report v2.1
*
https://gitlab.com/gitlab-org/gitlab/-/issues/37719
parent
67844a61
Changes
8
Showing
8 changed files
with
150 additions
and
14 deletions
+150
-14
ee/changelogs/unreleased/37719-default-to-2-1.yml
ee/changelogs/unreleased/37719-default-to-2-1.yml
+5
-0
ee/spec/controllers/projects/licenses_controller_spec.rb
ee/spec/controllers/projects/licenses_controller_spec.rb
+3
-3
ee/spec/factories/ci/builds.rb
ee/spec/factories/ci/builds.rb
+1
-1
ee/spec/factories/ci/job_artifacts.rb
ee/spec/factories/ci/job_artifacts.rb
+1
-1
ee/spec/fixtures/security_reports/gl-license-scanning-report-v2.1.json
...res/security_reports/gl-license-scanning-report-v2.1.json
+50
-0
ee/spec/lib/gitlab/ci/parsers/license_compliance/license_scanning_spec.rb
...ab/ci/parsers/license_compliance/license_scanning_spec.rb
+40
-2
ee/spec/models/sca/license_compliance_spec.rb
ee/spec/models/sca/license_compliance_spec.rb
+49
-7
lib/gitlab/ci/templates/Security/License-Scanning.gitlab-ci.yml
...tlab/ci/templates/Security/License-Scanning.gitlab-ci.yml
+1
-0
ee/changelogs/unreleased/37719-default-to-2-1.yml
0 → 100644
---
title
:
Upgrade to `license_scanning` report v2.1
merge_request
:
34224
author
:
type
:
added
ee/spec/controllers/projects/licenses_controller_spec.rb
...
...
@@ -91,7 +91,7 @@ RSpec.describe Projects::LicensesController do
let_it_be
(
:mit_policy
)
{
create
(
:software_license_policy
,
:denied
,
software_license:
mit
,
project:
project
)
}
let_it_be
(
:other_license
)
{
create
(
:software_license
,
spdx_identifier:
"Other-Id"
)
}
let_it_be
(
:other_license_policy
)
{
create
(
:software_license_policy
,
:allowed
,
software_license:
other_license
,
project:
project
)
}
let_it_be
(
:pipeline
)
{
create
(
:ee_ci_pipeline
,
project:
project
,
builds:
[
create
(
:ee_ci_build
,
:license_scan_v2
,
:success
)])
}
let_it_be
(
:pipeline
)
{
create
(
:ee_ci_pipeline
,
project:
project
,
builds:
[
create
(
:ee_ci_build
,
:license_scan_v2
_1
,
:success
)])
}
context
"when loading all policies"
do
before
do
...
...
@@ -116,7 +116,7 @@ RSpec.describe Projects::LicensesController do
"id"
=>
nil
,
"spdx_identifier"
=>
"BSD-3-Clause"
,
"name"
=>
"BSD 3-Clause
\"
New
\"
or
\"
Revised
\"
License"
,
"url"
=>
"http
://spdx.org/licenses/BSD-3-Clause.json
"
,
"url"
=>
"http
s://opensource.org/licenses/BSD-3-Clause
"
,
"classification"
=>
"unclassified"
})
end
...
...
@@ -126,7 +126,7 @@ RSpec.describe Projects::LicensesController do
"id"
=>
mit_policy
.
id
,
"spdx_identifier"
=>
"MIT"
,
"name"
=>
mit
.
name
,
"url"
=>
"http
://spdx.org/licenses/MIT.json
"
,
"url"
=>
"http
s://opensource.org/licenses/MIT
"
,
"classification"
=>
"denied"
})
end
...
...
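Review bot: The expected `"url"` values in the `@@ -116` and `@@ -126` hunks move from the SPDX catalog (`http://spdx.org/licenses/MIT.json`) to `https://opensource.org/licenses/MIT`, which is exactly the per-license `url` carried in the new v2.1 fixture, so the controller appears to now surface a URL taken from the scanner report rather than one resolved server-side. A license-scanning report is a CI artifact that anyone able to run a pipeline on the project can produce, so if that reading is right the spec should also pin the behaviour for a license whose `url` is not an http(s) URL (a fixture entry such as `"url": "not-a-url"` or one with a non-http(s) scheme) rather than only the happy path, asserting that the response falls back to the catalog URL or a blank. Switching the `:pipeline` fixture from `:license_scan_v2` to `:license_scan_v2_1` also drops the only controller-level coverage of v2 reports; iterating both traits, e.g. `%i[license_scan_v2 license_scan_v2_1].each do |trait|` around the pipeline `let_it_be`, would keep it. The `let_it_be` declarations belong to a describe block whose opening and closing lie outside the hunk.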
ee/spec/factories/ci/builds.rb
...
...
@@ -114,7 +114,7 @@ FactoryBot.define do
end
end
%w[1 1_1 2]
.
each
do
|
version
|
%w[1 1_1 2
2_1
]
.
each
do
|
version
|
trait
:"license_scan_v
#{
version
}
"
do
after
:build
do
|
build
|
build
.
job_artifacts
<<
build
(
:ee_ci_job_artifact
,
:license_scan
,
:"v
#{
version
}
"
,
job:
build
)
...
...
ee/spec/factories/ci/job_artifacts.rb
...
...
@@ -316,7 +316,7 @@ FactoryBot.define do
file_format
{
:raw
}
end
%w[1 1_1 2]
.
each
do
|
version
|
%w[1 1_1 2
2_1
]
.
each
do
|
version
|
trait
:"v
#{
version
}
"
do
after
(
:build
)
do
|
artifact
,
_
|
filename
=
"gl-
#{
artifact
.
file_type
.
dasherize
}
-report-v
#{
version
.
sub
(
/_/
,
'.'
)
}
.json"
...
...
ee/spec/fixtures/security_reports/gl-license-scanning-report-v2.1.json
0 → 100644
{
"version"
:
"2.1"
,
"licenses"
:
[
{
"id"
:
"BSD-3-Clause"
,
"name"
:
"BSD 3-Clause
\"
New
\"
or
\"
Revised
\"
License"
,
"url"
:
"https://opensource.org/licenses/BSD-3-Clause"
},
{
"id"
:
"MIT"
,
"name"
:
"MIT License"
,
"url"
:
"https://opensource.org/licenses/MIT"
},
{
"id"
:
"unknown"
,
"name"
:
"unknown"
,
"url"
:
""
}
],
"dependencies"
:
[
{
"name"
:
"a"
,
"version"
:
"1.0.0"
,
"package_manager"
:
"bundler"
,
"path"
:
"Gemfile.lock"
,
"licenses"
:
[
"MIT"
]
},
{
"name"
:
"b"
,
"version"
:
"0.1.0"
,
"package_manager"
:
"yarn"
,
"path"
:
"yarn.lock"
,
"licenses"
:
[
"BSD-3-Clause"
]
},
{
"name"
:
"c"
,
"version"
:
"1.1.0"
,
"package_manager"
:
"bundler"
,
"path"
:
"Gemfile.lock"
,
"licenses"
:
[
"MIT"
,
"BSD-3-Clause"
]
},
{
"name"
:
"d"
,
"version"
:
"1.1.1"
,
"package_manager"
:
"bundler"
,
"path"
:
"Gemfile.lock"
,
"licenses"
:
[
"unknown"
]
}
]
}
ee/spec/lib/gitlab/ci/parsers/license_compliance/license_scanning_spec.rb
...
...
@@ -74,10 +74,10 @@ RSpec.describe Gitlab::Ci::Parsers::LicenseCompliance::LicenseScanning do
end
context
'when parsing a valid v2 report'
do
let
(
:v2_data
)
{
fixture_file
(
'security_reports/gl-license-scanning-report-v2.json'
,
dir:
'ee'
)
}
let
(
:v2_
0_
data
)
{
fixture_file
(
'security_reports/gl-license-scanning-report-v2.json'
,
dir:
'ee'
)
}
before
do
subject
.
parse!
(
v2_data
,
report
)
subject
.
parse!
(
v2_
0_
data
,
report
)
end
it
{
expect
(
report
.
version
).
to
eql
(
'2.0'
)
}
...
...
@@ -105,6 +105,44 @@ RSpec.describe Gitlab::Ci::Parsers::LicenseCompliance::LicenseScanning do
it
{
expect
(
report
.
licenses
[
2
].
dependencies
.
map
(
&
:name
)).
to
contain_exactly
(
'd'
)
}
end
context
'when parsing a valid v2.1 report'
do
let
(
:v2_1_data
)
{
fixture_file
(
'security_reports/gl-license-scanning-report-v2.1.json'
,
dir:
'ee'
)
}
before
do
subject
.
parse!
(
v2_1_data
,
report
)
end
it
{
expect
(
report
.
version
).
to
eql
(
'2.1'
)
}
it
{
expect
(
report
.
licenses
.
count
).
to
eq
(
3
)
}
it
'parses the BSD license'
do
expect
(
report
.
licenses
[
0
].
id
).
to
eql
(
'BSD-3-Clause'
)
expect
(
report
.
licenses
[
0
].
name
).
to
eql
(
'BSD 3-Clause "New" or "Revised" License'
)
expect
(
report
.
licenses
[
0
].
url
).
to
eql
(
'https://opensource.org/licenses/BSD-3-Clause'
)
expect
(
report
.
licenses
[
0
].
count
).
to
be
(
2
)
expect
(
report
.
licenses
[
0
].
dependencies
.
count
).
to
be
(
2
)
expect
(
report
.
licenses
[
0
].
dependencies
.
map
(
&
:name
)).
to
contain_exactly
(
'b'
,
'c'
)
end
it
'parses the MIT license'
do
expect
(
report
.
licenses
[
1
].
id
).
to
eql
(
'MIT'
)
expect
(
report
.
licenses
[
1
].
name
).
to
eql
(
'MIT License'
)
expect
(
report
.
licenses
[
1
].
url
).
to
eql
(
'https://opensource.org/licenses/MIT'
)
expect
(
report
.
licenses
[
1
].
count
).
to
be
(
2
)
expect
(
report
.
licenses
[
1
].
dependencies
.
count
).
to
be
(
2
)
expect
(
report
.
licenses
[
1
].
dependencies
.
map
(
&
:name
)).
to
contain_exactly
(
'a'
,
'c'
)
end
it
'parses an unknown license'
do
expect
(
report
.
licenses
[
2
].
id
).
to
be_nil
expect
(
report
.
licenses
[
2
].
name
).
to
eql
(
'unknown'
)
expect
(
report
.
licenses
[
2
].
url
).
to
eql
(
''
)
expect
(
report
.
licenses
[
2
].
count
).
to
be
(
1
)
expect
(
report
.
licenses
[
2
].
dependencies
.
count
).
to
be
(
1
)
expect
(
report
.
licenses
[
2
].
dependencies
.
map
(
&
:name
)).
to
contain_exactly
(
'd'
)
end
end
context
'when parsing a v2 report with a missing license definition'
do
let
(
:v2_data
)
do
{
...
...
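Review bot: The new `'when parsing a valid v2.1 report'` context only covers the well-formed fixture, while the v2 path visibly keeps a `'when parsing a v2 report with a missing license definition'` context right below it; v2.1 gets no equivalent negative case. Since the report is attacker-influenceable CI output, a v2.1 context where a dependency references a license id absent from `licenses`, and one where `version` is a string the parser does not know, would document that the parser degrades predictably instead of raising. The v2.1 assertions are otherwise a near-verbatim copy of the v2 ones, so a shared example taking the fixture path and version, invoked as `it_behaves_like 'a parsed license report', version: '2.1'` for each fixture, would keep the two from drifting. The enclosing `RSpec.describe` starts and ends outside the hunk.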
ee/spec/models/sca/license_compliance_spec.rb
...
...
@@ -57,7 +57,7 @@ RSpec.describe SCA::LicenseCompliance do
context
"when the dependency scan produces a poorly formatted report"
do
let
(
:builds
)
do
[
create
(
:ee_ci_build
,
:success
,
:license_scan_v2
),
create
(
:ee_ci_build
,
:success
,
:license_scan_v2
_1
),
create
(
:ee_ci_build
,
:success
,
:corrupted_dependency_scanning_report
)
]
end
...
...
@@ -107,6 +107,48 @@ RSpec.describe SCA::LicenseCompliance do
end
end
context
"when a pipeline has successfully produced a v2.1 license scan report"
do
let
(
:builds
)
{
[
create
(
:ee_ci_build
,
:success
,
:license_scan_v2_1
)]
}
let!
(
:mit_policy
)
{
create
(
:software_license_policy
,
:denied
,
software_license:
mit
,
project:
project
)
}
let!
(
:other_license_policy
)
{
create
(
:software_license_policy
,
:allowed
,
software_license:
other_license
,
project:
project
)
}
it
"includes a policy for each detected license and classified license"
do
expect
(
subject
.
policies
.
count
).
to
eq
(
4
)
end
it
'includes a policy for a detected license that is unclassified'
do
expect
(
subject
.
policies
[
0
].
id
).
to
be_nil
expect
(
subject
.
policies
[
0
].
name
).
to
eq
(
"BSD 3-Clause
\"
New
\"
or
\"
Revised
\"
License"
)
expect
(
subject
.
policies
[
0
].
url
).
to
eq
(
"https://opensource.org/licenses/BSD-3-Clause"
)
expect
(
subject
.
policies
[
0
].
classification
).
to
eq
(
"unclassified"
)
expect
(
subject
.
policies
[
0
].
spdx_identifier
).
to
eq
(
"BSD-3-Clause"
)
end
it
'includes a policy for a classified license that was also detected in the scan report'
do
expect
(
subject
.
policies
[
1
].
id
).
to
eq
(
mit_policy
.
id
)
expect
(
subject
.
policies
[
1
].
name
).
to
eq
(
mit
.
name
)
expect
(
subject
.
policies
[
1
].
url
).
to
eq
(
"https://opensource.org/licenses/MIT"
)
expect
(
subject
.
policies
[
1
].
classification
).
to
eq
(
"denied"
)
expect
(
subject
.
policies
[
1
].
spdx_identifier
).
to
eq
(
"MIT"
)
end
it
'includes a policy for a classified license that was not detected in the scan report'
do
expect
(
subject
.
policies
[
2
].
id
).
to
eq
(
other_license_policy
.
id
)
expect
(
subject
.
policies
[
2
].
name
).
to
eq
(
other_license
.
name
)
expect
(
subject
.
policies
[
2
].
url
).
to
be_blank
expect
(
subject
.
policies
[
2
].
classification
).
to
eq
(
"allowed"
)
expect
(
subject
.
policies
[
2
].
spdx_identifier
).
to
eq
(
other_license
.
spdx_identifier
)
end
it
'includes a policy for an unclassified and unknown license that was detected in the scan report'
do
expect
(
subject
.
policies
[
3
].
id
).
to
be_nil
expect
(
subject
.
policies
[
3
].
name
).
to
eq
(
"unknown"
)
expect
(
subject
.
policies
[
3
].
url
).
to
be_blank
expect
(
subject
.
policies
[
3
].
classification
).
to
eq
(
"unclassified"
)
expect
(
subject
.
policies
[
3
].
spdx_identifier
).
to
be_nil
end
end
context
"when a pipeline has successfully produced a v1.1 license scan report"
do
let
(
:builds
)
{
[
create
(
:ee_ci_build
,
:license_scan_v1_1
,
:success
)]
}
let!
(
:mit_policy
)
{
create
(
:software_license_policy
,
:denied
,
software_license:
mit
,
project:
project
)
}
...
...
@@ -148,7 +190,7 @@ RSpec.describe SCA::LicenseCompliance do
end
describe
"#find_policies"
do
let!
(
:pipeline
)
{
create
(
:ci_pipeline
,
:success
,
project:
project
,
builds:
[
create
(
:ee_ci_build
,
:success
,
:license_scan_v2
)])
}
let!
(
:pipeline
)
{
create
(
:ci_pipeline
,
:success
,
project:
project
,
builds:
[
create
(
:ee_ci_build
,
:success
,
:license_scan_v2
_1
)])
}
let!
(
:mit_policy
)
{
create
(
:software_license_policy
,
:denied
,
software_license:
mit
,
project:
project
)
}
let!
(
:other_license_policy
)
{
create
(
:software_license_policy
,
:allowed
,
software_license:
other_license
,
project:
project
)
}
...
...
@@ -171,7 +213,7 @@ RSpec.describe SCA::LicenseCompliance do
results
[
0
],
id:
nil
,
name:
'BSD 3-Clause "New" or "Revised" License'
,
url:
"http
://spdx.org/licenses/BSD-3-Clause.json
"
,
url:
"http
s://opensource.org/licenses/BSD-3-Clause
"
,
classification:
"unclassified"
,
spdx_identifier:
"BSD-3-Clause"
)
...
...
@@ -182,7 +224,7 @@ RSpec.describe SCA::LicenseCompliance do
results
[
1
],
id:
mit_policy
.
id
,
name:
mit
.
name
,
url:
"http
://spdx.org/licenses/MIT.json
"
,
url:
"http
s://opensource.org/licenses/MIT
"
,
classification:
"denied"
,
spdx_identifier:
"MIT"
)
...
...
@@ -225,7 +267,7 @@ RSpec.describe SCA::LicenseCompliance do
results
[
0
],
id:
mit_policy
.
id
,
name:
mit_policy
.
software_license
.
name
,
url:
'http
://spdx.org/licenses/MIT.json
'
,
url:
'http
s://opensource.org/licenses/MIT
'
,
classification:
"denied"
,
spdx_identifier:
mit_policy
.
software_license
.
spdx_identifier
)
...
...
@@ -249,7 +291,7 @@ RSpec.describe SCA::LicenseCompliance do
results
[
0
],
id:
mit_policy
.
id
,
name:
mit_policy
.
software_license
.
name
,
url:
'http
://spdx.org/licenses/MIT.json
'
,
url:
'http
s://opensource.org/licenses/MIT
'
,
classification:
"denied"
,
spdx_identifier:
mit_policy
.
software_license
.
spdx_identifier
)
...
...
@@ -292,7 +334,7 @@ RSpec.describe SCA::LicenseCompliance do
describe
"#latest_build_for_default_branch"
do
let
(
:regular_build
)
{
create
(
:ci_build
,
:success
)
}
let
(
:license_scan_build
)
{
create
(
:ee_ci_build
,
:license_scan_v2
,
:success
)
}
let
(
:license_scan_build
)
{
create
(
:ee_ci_build
,
:license_scan_v2
_1
,
:success
)
}
context
"when a pipeline has never been completed for the project"
do
it
{
expect
(
subject
.
latest_build_for_default_branch
).
to
be_nil
}
...
...
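Review bot: In `#find_policies` and `#latest_build_for_default_branch` the `:license_scan_v2` build is replaced by `:license_scan_v2_1` rather than joined by it, and the same substitution happens in the `"poorly formatted report"` builds list, so after this commit no example in this file exercises those code paths with a v2 report even though the factory still offers the trait. Either restore the v2 build alongside the v2.1 one in those lists, or wrap the affected examples in `%i[license_scan_v2 license_scan_v2_1].each do |trait|` so every supported report version is driven through the same expectations. The `url` expectations in the `#find_policies` hunks now equal the per-license `url` in the v2.1 fixture, which suggests the policy URL is taken from the report; if so, a case with an empty or non-http(s) `url` would pin how `SCA::LicenseCompliance` handles that value. The `RSpec.describe SCA::LicenseCompliance` block opens and closes outside the hunks.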
lib/gitlab/ci/templates/Security/License-Scanning.gitlab-ci.yml
...
...
@@ -19,6 +19,7 @@ license_scanning:
entrypoint
:
[
"
"
]
variables
:
LM_REPORT_FILE
:
gl-license-scanning-report.json
LM_REPORT_VERSION
:
'
2.1'
SETUP_CMD
:
$LICENSE_MANAGEMENT_SETUP_CMD
allow_failure
:
true
script
:
...
...