Commit 1e9a27b5 authored by Gilbert Roulot's avatar Gilbert Roulot Committed by Sean McGivern

Rename licence management artifact

parent a454614d
...@@ -45,6 +45,10 @@ There's also a collection of repositories with [example projects](https://gitlab ...@@ -45,6 +45,10 @@ There's also a collection of repositories with [example projects](https://gitlab
[Analyze code quality with the Code Climate CLI](code_climate.md). [Analyze code quality with the Code Climate CLI](code_climate.md).
## Dependencies license management **[ULTIMATE]**
[Find and manage the licenses of your dependencies](license_management.md).
## Static Application Security Testing (SAST) **[ULTIMATE]** ## Static Application Security Testing (SAST) **[ULTIMATE]**
[Scan your code for vulnerabilities](sast.md) [Scan your code for vulnerabilities](sast.md)
......
# Dependencies license management with GitLab CI/CD
NOTE: **Note:**
In order to use this tool, a [GitLab Ultimate][ee] license
is needed.
This example shows how to run the License Management tool on your
project's dependencies by using GitLab CI/CD.
First, you need GitLab Runner with [docker-in-docker executor](../docker/using_docker_build.md#use-docker-in-docker-executor).
You can then add a new job to `.gitlab-ci.yml`, called `license_management`:
```yaml
license_management:
image: docker:stable
variables:
DOCKER_DRIVER: overlay2
allow_failure: true
services:
- docker:stable-dind
script:
- export LICENSE_MANAGEMENT_VERSION=$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')
- docker run
--volume "$PWD:/code"
"registry.gitlab.com/gitlab-org/security-products/license-management:$LICENSE_MANAGEMENT_VERSION" /run.sh /code
artifacts:
paths: [gl-license-management-report.json]
```
The above example will create a `license_management` job in the `test` stage and will create the required report artifact. Check the
[Auto-DevOps template](https://gitlab.com/gitlab-org/gitlab-ci-yml/blob/master/Auto-DevOps.gitlab-ci.yml)
for a full reference.
TIP: **Tip:**
Starting with [GitLab Ultimate][ee] 11.0, this information will
be automatically extracted and shown right in the merge request widget. To do
so, the CI job must be named `license_management` and the artifact path must be
`gl-license-management-report.json`. Make sure your pipeline has a stage named `test`,
or specify another existing stage inside the `license_management` job.
[Learn more on license management results shown in merge requests](../../user/project/merge_requests/license_management.md).
[ee]: https://about.gitlab.com/products/
...@@ -41,6 +41,7 @@ project in an easy and automatic way: ...@@ -41,6 +41,7 @@ project in an easy and automatic way:
1. [Auto Code Quality](#auto-code-quality) 1. [Auto Code Quality](#auto-code-quality)
1. [Auto SAST (Static Application Security Testing)](#auto-sast) 1. [Auto SAST (Static Application Security Testing)](#auto-sast)
1. [Auto Dependency Scanning](#auto-dependency-scanning) 1. [Auto Dependency Scanning](#auto-dependency-scanning)
1. [Auto License Management](#auto-license-management)
1. [Auto Container Scanning](#auto-container-scanning) 1. [Auto Container Scanning](#auto-container-scanning)
1. [Auto Review Apps](#auto-review-apps) 1. [Auto Review Apps](#auto-review-apps)
1. [Auto DAST (Dynamic Application Security Testing)](#auto-dast) 1. [Auto DAST (Dynamic Application Security Testing)](#auto-dast)
...@@ -256,6 +257,19 @@ check out. ...@@ -256,6 +257,19 @@ check out.
In GitLab Ultimate, any security warnings are also In GitLab Ultimate, any security warnings are also
[shown in the merge request widget](../../user/project/merge_requests/dependency_scanning.md). [shown in the merge request widget](../../user/project/merge_requests/dependency_scanning.md).
### Auto License Management **[ULTIMATE]**
> Introduced in [GitLab Ultimate][ee] 11.0.
License Management uses the
[License Management Docker image](https://gitlab.com/gitlab-org/security-products/license_management)
to search the project dependencies for their license. Once the
report is created, it's uploaded as an artifact which you can later download and
check out.
In GitLab Ultimate, any licenses are also
[shown in the merge request widget](../../user/project/merge_requests/license_management.md).
### Auto Container Scanning ### Auto Container Scanning
> Introduced in GitLab 10.4. > Introduced in GitLab 10.4.
......
...@@ -50,6 +50,7 @@ A. Consider you are a software developer working in a team: ...@@ -50,6 +50,7 @@ A. Consider you are a software developer working in a team:
1. You checkout a new branch, and submit your changes through a merge request 1. You checkout a new branch, and submit your changes through a merge request
1. You gather feedback from your team 1. You gather feedback from your team
1. You work on the implementation optimizing code with [Code Quality reports](code_quality_diff.md) **[STARTER]** 1. You work on the implementation optimizing code with [Code Quality reports](code_quality_diff.md) **[STARTER]**
1. You avoid using dependencies whose license is not compatible with your project with [License Management reports](license_management.md) **[ULTIMATE]**
1. You build and test your changes with GitLab CI/CD 1. You build and test your changes with GitLab CI/CD
1. You request the [approval](#merge-request-approvals) from your manager 1. You request the [approval](#merge-request-approvals) from your manager
1. Your manager pushes a commit with his final review, [approves the merge request](#merge-request-approvals), and set it to [merge when pipeline succeeds](#merge-when-pipeline-succeeds) 1. Your manager pushes a commit with his final review, [approves the merge request](#merge-request-approvals), and set it to [merge when pipeline succeeds](#merge-when-pipeline-succeeds)
...@@ -248,6 +249,17 @@ GitLab runs the [Sitespeed.io container][sitespeed-container] and displays the d ...@@ -248,6 +249,17 @@ GitLab runs the [Sitespeed.io container][sitespeed-container] and displays the d
[Read more about Browser Performance Testing.](browser_performance_testing.md) [Read more about Browser Performance Testing.](browser_performance_testing.md)
## License Management **[ULTIMATE]**
> Introduced in [GitLab Ultimate][products] 11.0.
If you are using [GitLab CI/CD][ci], you can search your dependencies for their
licenses using License Management.
Going a step further, GitLab can show the licenses report right in the
merge request widget area.
[Read more about License Management reports.](license_management.md)
## Security reports **[ULTIMATE]** ## Security reports **[ULTIMATE]**
GitLab can scan and report any vulnerabilities found in your project. The GitLab can scan and report any vulnerabilities found in your project. The
......
# License Management
> [Introduced][ee-5483] in [GitLab Ultimate][ee] 11.0.
## Overview
If you are using [GitLab CI/CD][ci], you can search your project dependencies for their licenses
using License Management, either by
including the CI job in your [existing `.gitlab-ci.yml` file][cc-docs] or
by implicitly using [Auto License Management](../../../topics/autodevops/index.md#auto-dependency-scanning)
that is provided by [Auto DevOps](../../../topics/autodevops/index.md).
Going a step further, GitLab can show the licenses list right in the merge
request widget area.
## Use cases
It helps you find licenses that you don't want to use in your project and see
which dependencies use them. For example, your application is using an external (open source)
library whose license is incompatible with yours.
## Supported languages and dependency managers
The following languages and dependency managers are supported.
| Language | Package managers |
|------------|-------------------------------------------------------------------|
| JavaScript | [Bower](https://bower.io/), [npm](https://www.npmjs.com/) |
| Go | [Godep](https://github.com/tools/godep), go get |
| Java | [Gradle](https://gradle.org/), [Maven](https://maven.apache.org/) |
| .NET | [Nuget](https://www.nuget.org/) |
| Python | [pip](https://pip.pypa.io/en/stable/) |
| Ruby | [gem](https://rubygems.org/) |
## How it works
First of all, you need to define a job named `license_management` in your
`.gitlab-ci.yml` file. [Check how the `license_management` job should look like][cc-docs].
In order for the report to show in the merge request, there are two
prerequisites:
- the specified job **must** be named `license_management`
- the resulting report **must** be named `gl-license-management-report.json`
and uploaded as an artifact
The `license_management` job will search the application dependencies for licenses,
the resulting JSON file will be uploaded as an artifact, and
GitLab will then check this file and show the information inside the merge
request.
![License Management Widget](img/license_management.jpg)
[ee-5483]: https://gitlab.com/gitlab-org/gitlab-ee/issues/5483
[ee]: https://about.gitlab.com/products/
[ci]: ../../../ci/README.md
[cc-docs]: ../../../ci/examples/license_management.md
...@@ -11,7 +11,7 @@ module EE ...@@ -11,7 +11,7 @@ module EE
CODECLIMATE_FILE = 'codeclimate.json'.freeze CODECLIMATE_FILE = 'codeclimate.json'.freeze
CODE_QUALITY_FILE = 'gl-code-quality-report.json'.freeze CODE_QUALITY_FILE = 'gl-code-quality-report.json'.freeze
DEPENDENCY_SCANNING_FILE = 'gl-dependency-scanning-report.json'.freeze DEPENDENCY_SCANNING_FILE = 'gl-dependency-scanning-report.json'.freeze
LICENSE_MANAGEMENT_FILE = 'gl-license-report.json'.freeze LICENSE_MANAGEMENT_FILE = 'gl-license-management-report.json'.freeze
SAST_FILE = 'gl-sast-report.json'.freeze SAST_FILE = 'gl-sast-report.json'.freeze
PERFORMANCE_FILE = 'performance.json'.freeze PERFORMANCE_FILE = 'performance.json'.freeze
# SAST_CONTAINER_FILE is deprecated and replaced with CONTAINER_SCANNING_FILE (#5778) # SAST_CONTAINER_FILE is deprecated and replaced with CONTAINER_SCANNING_FILE (#5778)
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment