New license approval policy not working as expected

Suspect new method of license detection not working

I’m trying to get license detection working on merge requests with the newly recommended method of dependency scanning in the pipeline with an accompanying license_finding policy.

I did have a working policy about a week ago, but since I’ve come to revisit this the same policy no longer works.

My test setup

App repo setup

My application repo has the recommended dependency scanning CI template included:

include:
  - template: Security/Dependency-Scanning.gitlab-ci.yml

I’m using npm for package management, with a committed package-lock.json.

The gemnasium-dependency_scanning job is in the pipeline and it’s uploading a gl-sbom-npm-npm.cdx.json artifact.

This repo is configured to look at the security policy repo below for its policies; I've verified this connection is working as I can see the policy name listed in the UI in the security dashboard.

Security policy repo

This has the following policy defined (created from the GitLab UI and merged into main):

---
scan_result_policy:
- name: Dependency license policy
  description: foo
  enabled: true
  rules:
  - type: license_finding
    branches: []
    match_on_inclusion: false
    license_types:
    - MIT
    license_states:
    - newly_detected
  actions:
  - type: require_approval
    approvals_required: 1
    user_approvers_ids:
    - 00000 # One of our maintainers' IDs

Now with this configured when I intentionally introduce a package that is licensed with anything except MIT, I would expect this to enforce an approval from this “Dependency license policy”.

This is not the behavior I’m seeing though. The approval rule is being parsed as it shows in the merge request UI, however it is still marked as optional when I believe it should require 1 approval from the user ID I have defined.

The user ID is correct as I can see the individual's avatar in the approval rule.

I’ve tried adding a couple of npm packages in an attempt to trigger this rule to kick in, but none have worked:

  • require-gpl - GPL-3.0-or-later
  • unload - Apache-2.0
  • jszip - Dual licensed.
    I was expecting to test this was detected as unknown and verify how that interacted with the approval/policy.

I’m at a loss as to what is wrong with my setup that would prevent the behaviour that GitLab's documentation suggests should be happening. I can only deduce that something has changed on the backend side, as I did notice about a week ago it was not possible to create a policy via the GitLab UI of the type license_finding, whereas revisiting this today I was able to create the policy all via the UI.

Any GitLab representatives that might know of recent releases that could have affected this would be appreciated, as I can’t see anything glaringly wrong with the setup I’ve used to verify the functionality.

Links I’ve been reading to understand GitLab's feature:

Looks like I’ve missed the incident reported on GitLab status page explaining exactly what I’ve described here!

Will keep an eye on that to re-verify once it’s reportedly re-enabled.
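As an added example (not GitLab's own policy engine and not code from the original post), the script below re-implements locally what the license_finding rule in the policy above is expected to do, so the allowlist semantics of match_on_inclusion: false can be sanity-checked against a CycloneDX SBOM like the gl-sbom-npm-npm.cdx.json artifact the gemnasium job uploads. It assumes that component licenses are declared in the CycloneDX licenses array (either license.id / license.name or an SPDX expression), that newly_detected means "present in the merge request SBOM but not in the default-branch SBOM" and detected means "already present on the default branch", and that a package with no license data is reported as unknown. The two SBOM documents are constructed samples, not real artifacts.

```python
import json

# Constructed sample: the rule from the policy above. With match_on_inclusion
# set to false, license_types acts as an allowlist: any license NOT listed is
# a finding. With it set to true, the list is a denylist instead.
RULE = {
    "match_on_inclusion": False,
    "license_types": ["MIT"],
    "license_states": ["newly_detected"],
}

# Constructed CycloneDX-style SBOM fragments standing in for the default-branch
# and merge-request artifacts. Only the fields the check reads are included.
BASE_SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "components": [
        {"name": "lodash", "licenses": [{"license": {"id": "MIT"}}]},
    ],
})
MR_SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "components": [
        {"name": "lodash", "licenses": [{"license": {"id": "MIT"}}]},
        {"name": "require-gpl",
         "licenses": [{"license": {"id": "GPL-3.0-or-later"}}]},
        {"name": "unload", "licenses": [{"license": {"id": "Apache-2.0"}}]},
        # dual-licensed package expressed as an SPDX expression (assumption)
        {"name": "jszip", "licenses": [{"expression": "(MIT OR GPL-3.0-or-later)"}]},
        # no license data at all: treated as 'unknown' rather than allowed
        {"name": "mystery-pkg"},
    ],
})

SPDX_OPERATORS = {"AND", "OR", "WITH"}


def component_licenses(component):
    """Return the set of license identifiers declared for one component.

    SPDX expressions are split into their identifiers; a component with no
    usable license data yields {'unknown'} so it cannot slip past an allowlist.
    """
    found = set()
    for entry in component.get("licenses", []):
        if "expression" in entry:
            tokens = entry["expression"].replace("(", " ").replace(")", " ").split()
            found.update(t for t in tokens if t.upper() not in SPDX_OPERATORS)
        elif "license" in entry:
            lic = entry["license"]
            found.add(lic.get("id") or lic.get("name") or "unknown")
    return found or {"unknown"}


def state_matches(rule, newly_detected):
    """Map the rule's license_states onto whether the component is new in the MR."""
    states = rule["license_states"]
    return ("newly_detected" in states and newly_detected) or (
        "detected" in states and not newly_detected
    )


def evaluate(rule, mr_sbom_json, base_sbom_json):
    """Return sorted (component, license) pairs the rule matches."""
    mr = json.loads(mr_sbom_json)
    base = json.loads(base_sbom_json)
    base_names = {c["name"] for c in base.get("components", [])}
    listed = set(rule["license_types"])
    findings = []
    for comp in mr.get("components", []):
        if not state_matches(rule, comp["name"] not in base_names):
            continue
        for lic in component_licenses(comp):
            # allowlist (False): flag licenses outside the list;
            # denylist (True): flag licenses inside the list
            if (lic in listed) == rule["match_on_inclusion"]:
                findings.append((comp["name"], lic))
    return sorted(findings)


def requires_approval(rule, mr_sbom_json, base_sbom_json):
    """True when at least one finding exists, i.e. the approval rule should be required."""
    return bool(evaluate(rule, mr_sbom_json, base_sbom_json))


if __name__ == "__main__":
    for name, lic in evaluate(RULE, MR_SBOM_JSON, BASE_SBOM_JSON):
        print(f"finding: {name} ({lic})")
    print("approval required:", requires_approval(RULE, MR_SBOM_JSON, BASE_SBOM_JSON))
```

Run against the constructed SBOMs, the allowlist rule flags require-gpl, unload, the GPL side of jszip's dual license and the license-less mystery-pkg, while the pre-existing lodash is ignored because the rule only looks at newly_detected components. A dual-licensed package is deliberately flagged when any of its options falls outside the allowlist, which is the conservative reading; whether a given policy engine treats such packages as unknown instead is exactly the kind of behaviour worth confirming with a test package before relying on the rule.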
