Suspect new method of license detection not working
I’m trying to get license detection working on merge requests with the newly recommended method of dependency scanning in the pipeline with an accompanying
I did have a working policy about a week ago, but since I’ve come to revisit this the same policy no longer works.
My test setup
App repo setup
My application repo has the recommended dependency scanning CI template included:
```yaml
include:
  - template: Security/Dependency-Scanning.gitlab-ci.yml
```
npm for package management, with a committed
gemnasium-dependency_scanning job is in the pipeline and it’s uploading a
This repo is configured to look at the security policy repo below for its policies; I verified this connection is working as I can see the policy name listed in the UI in the security dashboard.
Security policy repo
This has the following policy defined (created from the GitLab UI and merged into
```yaml
---
scan_result_policy:
  - name: Dependency license policy
    description: foo
    enabled: true
    rules:
      - type: license_finding
        branches: []
        match_on_inclusion: false
        license_types:
          - MIT
        license_states:
          - newly_detected
    actions:
      - type: require_approval
        approvals_required: 1
        user_approvers_ids:
          - 00000 # One of our maintainers' IDs
```
Now with this configured, when I intentionally introduce a package that is licensed with anything except MIT, I would expect this to enforce an approval from this “Dependency license policy”.
This is not the behavior I’m seeing though. The approval rule is being parsed as it shows in the merge request UI, however it is still marked as optional when I believe it should require 1 approval from the user ID I have defined.
The user ID is correct as I can see the individual's avatar in the approval rule.
I’ve tried adding a couple of npm packages in an attempt to trigger this rule to kick in, but none have worked:
- require-gpl - GPL-3.0-or-later
- unload - Apache-2.0
- jszip - Dual licensed.
I was expecting to test this was detected as `unknown` and verify how that interacted with the approval/policy.
I’m at a loss as to what is wrong with my setup that would prevent the behaviour that GitLab's documentation suggests should be happening. I can only deduce that something has changed on the backend side, as I did notice about a week ago it was not possible to create a policy via the GitLab UI of the type `license_finding`, whereas revisiting this today I was able to create the policy all via the UI.
Any GitLab representatives that might know of recent releases that could have affected this would be appreciated, as I can’t see anything glaringly obvious that is wrong with the setup I’ve used to verify the functionality.
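As an added illustration, not code from the poster or from GitLab, here is a small Python model of how the posted `license_finding` rule is expected to evaluate. It assumes the documented semantics (`match_on_inclusion: false` matches licenses not listed in `license_types`; `newly_detected` means present on the MR branch but absent from the default branch) and uses constructed package lists and a placeholder approver ID.

```python
# Added model of the posted scan_result_policy rule, not GitLab's evaluator.
# Assumed semantics: match_on_inclusion=false means any license NOT in
# license_types matches; newly_detected means the license is on the MR
# branch but not on the default branch. All package data is constructed.

POLICY = {  # the posted policy as a dict; approver ID is a placeholder
    "name": "Dependency license policy",
    "rules": [{
        "type": "license_finding",
        "match_on_inclusion": False,
        "license_types": ["MIT"],
        "license_states": ["newly_detected"],
    }],
    "actions": [{"type": "require_approval", "approvals_required": 1,
                 "user_approvers_ids": ["<maintainer-id-placeholder>"]}],
}

# Constructed dependency -> license maps for the default branch and the MR branch
DEFAULT_BRANCH = {"express": "MIT", "lodash": "MIT"}
MR_BRANCH = {**DEFAULT_BRANCH, "require-gpl": "GPL-3.0-or-later", "unload": "Apache-2.0"}


def license_states(default_branch, mr_branch):
    """Map each license on the MR branch to 'newly_detected' or 'detected'."""
    baseline = set(default_branch.values())
    return {lic: ("detected" if lic in baseline else "newly_detected")
            for lic in mr_branch.values()}


def matching_licenses(rule, default_branch, mr_branch):
    """Licenses that make the rule match; an empty set means no approval needed."""
    listed = set(rule["license_types"])
    hits = set()
    for lic, state in license_states(default_branch, mr_branch).items():
        # inclusion=true matches listed licenses; inclusion=false matches unlisted ones
        in_scope = (lic in listed) == rule["match_on_inclusion"]
        if in_scope and state in rule["license_states"]:
            hits.add(lic)
    return hits


def approvals_required(policy, default_branch, mr_branch):
    """Approvals the policy should enforce on the MR; 0 means the rule stays optional."""
    for rule in policy["rules"]:
        if rule["type"] == "license_finding" and matching_licenses(rule, default_branch, mr_branch):
            return sum(a["approvals_required"] for a in policy["actions"]
                       if a["type"] == "require_approval")
    return 0
```

With the constructed MR branch both GPL-3.0-or-later and Apache-2.0 are newly detected and unlisted, so the model expects 1 required approval; a GPL license already present on the default branch would not trigger because it is `detected`, not `newly_detected`.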