Suspect new method of license detection not working
I’m trying to get license detection working on merge requests with the newly recommended method of dependency scanning in the pipeline with an accompanying license_finding policy.
I did have a working policy about a week ago, but since I’ve come to revisit this the same policy no longer works.
My test setup
App repo setup
My application repo has the recommended dependency scanning CI template included:
include:
  - template: Security/Dependency-Scanning.gitlab-ci.yml
I’m using npm for package management, with a committed package-lock.json.
The gemnasium-dependency_scanning job is in the pipeline and it’s uploading a gl-sbom-npm-npm.cdx.json artifact.
This repo is configured to look at the security policy repo below for its policies, and I have verified this connection is working as I can see the policy name listed in the UI in the security dashboard.
Security policy repo
This has the following policy defined (created from the GitLab UI and merged into main):
---
scan_result_policy:
  - name: Dependency license policy
    description: foo
    enabled: true
    rules:
      - type: license_finding
        branches: []
        match_on_inclusion: false
        license_types:
          - MIT
        license_states:
          - newly_detected
    actions:
      - type: require_approval
        approvals_required: 1
        user_approvers_ids:
          - 00000 # One of our maintainers' IDs
Now with this configured, when I intentionally introduce a package that is licensed with anything except MIT, I would expect this to enforce an approval from this “Dependency license policy”.
This is not the behavior I’m seeing though. The approval rule is being parsed as it shows in the merge request UI, however it is still marked as optional when I believe it should require 1 approval from the user ID I have defined.
The user ID is correct as I can see the individual’s avatar in the approval rule.
I’ve tried adding a couple npm packages in an attempt to trigger this rule to kick in but none have worked:
- require-gpl - GPL-3.0-or-later
- unload - Apache-2.0
- jszip - dual licensed. I was expecting to test that this was detected as unknown and verify how that interacted with the approval/policy.
I’m at a loss as to what is wrong with my setup that would prevent the behaviour that GitLab’s documentation suggests should be happening. I can only deduce that something has changed on the backend side, as I did notice about a week ago it was not possible to create a policy of the type license_finding via the GitLab UI, whereas revisiting this today I was able to create the policy entirely via the UI.
Any GitLab representatives that might know of recent releases that could have affected this would be appreciated, as I can’t see anything glaringly wrong with the setup I’ve used to verify the functionality.
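As an added example (not part of the original post, and not GitLab's own code), the script below models what the license_finding rule above is expected to do, so that the outcome for the three test packages can be reasoned about independently of the GitLab backend. It assumes the rule semantics implied by the policy fields: match_on_inclusion: false means any license not listed in license_types matches, and newly_detected restricts matching to package/license pairs that are absent from the target branch's SBOM. The two CycloneDX-style SBOMs are constructed inline; real gl-sbom-npm-npm.cdx.json artifacts may not embed license data at all, since GitLab resolves licenses server-side, so the embedded licenses here only serve the illustration.

```python
"""Toy evaluator for a GitLab scan_result_policy license_finding rule.

Added example, NOT GitLab's implementation. Assumed rule semantics:
  - match_on_inclusion: false -> any license NOT in license_types matches
  - license_states: newly_detected -> only (package, license) pairs absent
    from the target-branch SBOM count; "detected" covers pairs already present
SPDX expressions such as "(MIT OR GPL-3.0-or-later)" are split into their
individual ids (an assumption; GitLab's dual-license handling is not modelled).
"""
import json
import re
from typing import Dict, List, Set, Tuple

# Constructed CycloneDX-style SBOMs (not real gemnasium output).
BASE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"name": "lodash", "version": "4.17.21", "purl": "pkg:npm/lodash@4.17.21",
         "licenses": [{"license": {"id": "MIT"}}]},
        # No license information at all -> reported as "unknown"
        {"name": "left-pad", "version": "1.3.0", "purl": "pkg:npm/left-pad@1.3.0"},
    ],
})
MR_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"name": "lodash", "version": "4.17.21", "purl": "pkg:npm/lodash@4.17.21",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"name": "left-pad", "version": "1.3.0", "purl": "pkg:npm/left-pad@1.3.0"},
        {"name": "require-gpl", "version": "1.0.0", "purl": "pkg:npm/require-gpl@1.0.0",
         "licenses": [{"license": {"id": "GPL-3.0-or-later"}}]},
        {"name": "unload", "version": "2.4.1", "purl": "pkg:npm/unload@2.4.1",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"name": "jszip", "version": "3.10.1", "purl": "pkg:npm/jszip@3.10.1",
         "licenses": [{"expression": "(MIT OR GPL-3.0-or-later)"}]},
    ],
})

# The rule from the policy in the post, as a plain dict.
RULE: Dict = {
    "type": "license_finding",
    "match_on_inclusion": False,
    "license_types": ["MIT"],
    "license_states": ["newly_detected"],
}


def component_licenses(sbom_json: str) -> Set[Tuple[str, str]]:
    """Return the set of (purl, license_id) pairs found in a CycloneDX JSON SBOM."""
    pairs: Set[Tuple[str, str]] = set()
    for comp in json.loads(sbom_json).get("components", []):
        purl = comp.get("purl") or f"{comp.get('name')}@{comp.get('version')}"
        ids: List[str] = []
        for lic in comp.get("licenses", []):
            if "license" in lic:
                ids.append(lic["license"].get("id") or lic["license"].get("name") or "unknown")
            elif "expression" in lic:
                # Split "(A OR B)" / "A AND B" into individual SPDX ids
                ids.extend(p for p in re.split(r"\s+(?:OR|AND|WITH)\s+|[()]", lic["expression"]) if p)
        for lic_id in ids or ["unknown"]:
            pairs.add((purl, lic_id))
    return pairs


def license_matches(rule: Dict, license_id: str) -> bool:
    """Apply match_on_inclusion against license_types."""
    listed = license_id in rule["license_types"]
    return listed if rule["match_on_inclusion"] else not listed


def evaluate_rule(rule: Dict, base_sbom_json: str, mr_sbom_json: str) -> List[Tuple[str, str]]:
    """Return the sorted (purl, license) pairs that trigger the rule for this MR."""
    base, mr = component_licenses(base_sbom_json), component_licenses(mr_sbom_json)
    candidates: Set[Tuple[str, str]] = set()
    if "newly_detected" in rule["license_states"]:
        candidates |= mr - base          # introduced by the MR
    if "detected" in rule["license_states"]:
        candidates |= mr & base          # already on the target branch
    return sorted(p for p in candidates if license_matches(rule, p[1]))


def approvals_required(rule: Dict, base_sbom_json: str, mr_sbom_json: str, approvals: int = 1) -> int:
    """Number of approvals the require_approval action would demand (0 if nothing matched)."""
    return approvals if evaluate_rule(rule, base_sbom_json, mr_sbom_json) else 0


if __name__ == "__main__":
    for purl, lic in evaluate_rule(RULE, BASE_SBOM, MR_SBOM):
        print(f"{purl}: {lic} is newly detected and not in the MIT allow-list")
    print("approvals required:", approvals_required(RULE, BASE_SBOM, MR_SBOM))
```

Under these assumed semantics all three test packages from the post should trigger the rule: require-gpl and unload directly, and jszip through the non-MIT half of its dual license. A package with no license data that was already present on the target branch is only picked up when the rule also lists the detected state.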