Merge branch '285120-fix-pipeline-not-pick-license-policies' into 'master'

Fix classification of custom licenses in License Compliance See merge request gitlab-org/gitlab!71746

Merge branch '285120-fix-pipeline-not-pick-license-policies' into 'master'
Fix classification of custom licenses in License Compliance See merge request gitlab-org/gitlab!71746
1e6a860a · Aleksei Lipniagov · 7e85d6c5 · 38f666fa · 1e6a860a · 1e6a860a
Commit 1e6a860a authored Oct 13, 2021 by Aleksei Lipniagov
12 changed files
--- a/ee/app/models/sca/license_compliance.rb
+++ b/ee/app/models/sca/license_compliance.rb
@@ -38,24 +38,24 @@ module SCA
    end

    def report_for(policy)
-      build_policy(license_scan_report[policy.software_license.canonical_id], policy)
+      build_policy(reported_license_by_license_model(policy.software_license), policy)
    end

    def diff_with(other)
-      license_scan_report
-        .diff_with(other.license_scan_report)
+      license_scanning_report
+        .diff_with(other.license_scanning_report)
        .transform_values do |reported_licenses|
          reported_licenses.map do |reported_license|
            matching_license_policy =
-              known_policies[reported_license.canonical_id] ||
+              known_policies[reported_license.id] ||
              known_policies[reported_license&.name&.downcase]
            build_policy(reported_license, matching_license_policy)
          end
        end
    end

-    def license_scan_report
-      strong_memoize(:license_scan_report) do
+    def license_scanning_report
+      strong_memoize(:license_scanning_report) do
        pipeline.blank? ? empty_report : pipeline.license_scanning_report
      end
    end
@@ -74,9 +74,16 @@ module SCA
      end
    end

+    # When the license found in the report doesn't match any license
+    # of the SPDX License List, we need to find it by name explicitly.
+    def reported_license_by_license_model(software_license)
+      license_scanning_report[software_license.canonical_id] ||
+        license_scanning_report.by_license_name(software_license.name&.downcase)
+    end
+
    def unclassified_policies
-      license_scan_report.licenses.map do |reported_license|
-        next if known_policies[reported_license.canonical_id]
+      license_scanning_report.licenses.map do |reported_license|
+        next if known_policies[reported_license.id] || known_policies[reported_license&.name&.downcase]

        [reported_license.canonical_id, build_policy(reported_license, nil)]
      end.compact.to_h

--- a/ee/lib/gitlab/ci/reports/license_scanning/report.rb
+++ b/ee/lib/gitlab/ci/reports/license_scanning/report.rb
@@ -34,7 +34,7 @@ module Gitlab
          end

          def by_license_name(name)
-            licenses.find { |license| license.name == name }
+            licenses.find { |license| license.name.casecmp?(name) }
          end

          def apply_details_from!(dependency_list_report)

--- a/ee/spec/factories/ci/builds.rb
+++ b/ee/spec/factories/ci/builds.rb
@@ -140,6 +140,12 @@ FactoryBot.define do
      end
    end

+    trait :license_scanning_custom_license do
+      after :build do |build|
+        build.job_artifacts << build(:ee_ci_job_artifact, :license_scanning_custom_license, job: build)
+      end
+    end
+
    trait :requirements_report do
      after(:build) do |build|
        build.job_artifacts << create(:ee_ci_job_artifact, :all_passing_requirements, job: build)

--- a/ee/spec/factories/ci/job_artifacts.rb
+++ b/ee/spec/factories/ci/job_artifacts.rb
@@ -159,6 +159,16 @@ FactoryBot.define do
      end
    end

+    trait :license_scanning_custom_license do
+      file_type { :license_scanning }
+      file_format { :raw }
+
+      after(:build) do |artifact, _|
+        artifact.file = fixture_file_upload(
+          Rails.root.join('ee/spec/fixtures/security_reports/license_compliance/gl-license-scanning-report-custom-license.json'), 'application/json')
+      end
+    end
+
    trait :performance do
      file_format { :raw }
      file_type { :performance }
@@ -338,7 +348,7 @@ FactoryBot.define do
      trait :"v#{version}" do
        after(:build) do |artifact, _|
          filename = "gl-#{artifact.file_type.dasherize}-report-v#{version.sub(/_/, '.')}.json"
-          path = Rails.root.join("ee/spec/fixtures/security_reports/#{filename}")
+          path = Rails.root.join("ee/spec/fixtures/security_reports/license_compliance/#{filename}")
          artifact.file = fixture_file_upload(path, "application/json")
        end
      end

--- a/ee/spec/features/projects/licenses/maintainer_views_policies_spec.rb
+++ b/ee/spec/features/projects/licenses/maintainer_views_policies_spec.rb
@@ -30,7 +30,7 @@ RSpec.describe 'EE > Projects > Licenses > Maintainer views policies', :js do
    let_it_be(:mit_policy) { create(:software_license_policy, :denied, software_license: mit, project: project) }
    let_it_be(:pipeline) { create(:ee_ci_pipeline, project: project, builds: [create(:ee_ci_build, :license_scan_v2, :success)], status: :success) }

-    let(:report) { Gitlab::Json.parse(fixture_file('security_reports/gl-license-scanning-report-v2.json', dir: 'ee')) }
+    let(:report) { Gitlab::Json.parse(fixture_file('security_reports/license_compliance/gl-license-scanning-report-v2.json', dir: 'ee')) }
    let(:known_licenses) { report['licenses'].find_all { |license| license['url'].present? } }

    it 'displays licenses detected in the most recent scan report' do

--- a/ee/spec/fixtures/security_reports/license_compliance/gl-license-scanning-report-custom-license.json
+++ b/ee/spec/fixtures/security_reports/license_compliance/gl-license-scanning-report-custom-license.json
+{
+  "version": "2.1",
+  "licenses": [
+    {
+      "id": "BSD-3-Clause",
+      "name": "BSD 3-Clause \"New\" or \"Revised\" License",
+      "url": "https://opensource.org/licenses/BSD-3-Clause"
+    },
+    {
+      "id": "MIT",
+      "name": "MIT License",
+      "url": "https://opensource.org/licenses/MIT"
+    },
+    {
+      "id": "foo",
+      "name": "Foo License",
+      "url": ""
+    }
+  ],
+  "dependencies": [
+    {
+      "name": "a",
+      "version": "1.0.0",
+      "package_manager": "bundler",
+      "path": "Gemfile.lock",
+      "licenses": ["MIT"]
+    },
+    {
+      "name": "b",
+      "version": "0.1.0",
+      "package_manager": "yarn",
+      "path": "yarn.lock",
+      "licenses": ["BSD-3-Clause"]
+    },
+    {
+      "name": "c",
+      "version": "1.1.0",
+      "package_manager": "bundler",
+      "path": "Gemfile.lock",
+      "licenses": ["MIT", "BSD-3-Clause"]
+    },
+    {
+      "name": "d",
+      "version": "1.1.1",
+      "package_manager": "bundler",
+      "path": "Gemfile.lock",
+      "licenses": ["foo"]
+    }
+  ]
+}
--- a/ee/spec/fixtures/security_reports/gl-license-scanning-report-v1.1.json
+++ b/ee/spec/fixtures/security_reports/gl-license-scanning-report-v1.1.json
--- a/ee/spec/fixtures/security_reports/gl-license-scanning-report-v2.1.json
+++ b/ee/spec/fixtures/security_reports/gl-license-scanning-report-v2.1.json
--- a/ee/spec/fixtures/security_reports/gl-license-scanning-report-v2.json
+++ b/ee/spec/fixtures/security_reports/gl-license-scanning-report-v2.json
--- a/ee/spec/lib/gitlab/ci/parsers/license_compliance/license_scanning_spec.rb
+++ b/ee/spec/lib/gitlab/ci/parsers/license_compliance/license_scanning_spec.rb
@@ -42,7 +42,7 @@ RSpec.describe Gitlab::Ci::Parsers::LicenseCompliance::LicenseScanning do
    end

    context 'when parsing a valid v1.1 report' do
-      let(:v1_1_data) { fixture_file('security_reports/gl-license-scanning-report-v1.1.json', dir: 'ee') }
+      let(:v1_1_data) { fixture_file('security_reports/license_compliance/gl-license-scanning-report-v1.1.json', dir: 'ee') }

      before do
        subject.parse!(v1_1_data, report)
@@ -74,7 +74,7 @@ RSpec.describe Gitlab::Ci::Parsers::LicenseCompliance::LicenseScanning do
    end

    context 'when parsing a valid v2 report' do
-      let(:v2_0_data) { fixture_file('security_reports/gl-license-scanning-report-v2.json', dir: 'ee') }
+      let(:v2_0_data) { fixture_file('security_reports/license_compliance/gl-license-scanning-report-v2.json', dir: 'ee') }

      before do
        subject.parse!(v2_0_data, report)
@@ -106,7 +106,7 @@ RSpec.describe Gitlab::Ci::Parsers::LicenseCompliance::LicenseScanning do
    end

    context 'when parsing a valid v2.1 report' do
-      let(:v2_1_data) { fixture_file('security_reports/gl-license-scanning-report-v2.1.json', dir: 'ee') }
+      let(:v2_1_data) { fixture_file('security_reports/license_compliance/gl-license-scanning-report-v2.1.json', dir: 'ee') }

      before do
        subject.parse!(v2_1_data, report)

--- a/ee/spec/lib/gitlab/ci/reports/license_scanning/report_spec.rb
+++ b/ee/spec/lib/gitlab/ci/reports/license_scanning/report_spec.rb
@@ -11,7 +11,7 @@ RSpec.describe Gitlab::Ci::Reports::LicenseScanning::Report do
    let(:report) { build(:ci_reports_license_scanning_report, :report_2) }

    context 'with existing license' do
-      let(:name) { 'MIT' }
+      let(:name) { 'MIt' }

      it 'finds right name' do
        is_expected.to be_a(Gitlab::Ci::Reports::LicenseScanning::License)
@@ -290,7 +290,7 @@ RSpec.describe Gitlab::Ci::Reports::LicenseScanning::Report do
    context 'when parsing a v2 report' do
      subject { described_class.parse_from(v2_json) }

-      let(:v2_json) { fixture_file('security_reports/gl-license-scanning-report-v2.json', dir: 'ee') }
+      let(:v2_json) { fixture_file('security_reports/license_compliance/gl-license-scanning-report-v2.json', dir: 'ee') }

      it { expect(subject.version).to eql('2.0') }
      it { expect(subject.licenses.count).to eq(3) }

--- a/ee/spec/models/sca/license_compliance_spec.rb
+++ b/ee/spec/models/sca/license_compliance_spec.rb