Commit 38f666fa authored by Tetiana Chupryna's avatar Tetiana Chupryna Committed by Aleksei Lipniagov

Fix classification of custom licenses in License Compliance

parent e755595e
...@@ -38,24 +38,24 @@ module SCA ...@@ -38,24 +38,24 @@ module SCA
end end
def report_for(policy) def report_for(policy)
build_policy(license_scan_report[policy.software_license.canonical_id], policy) build_policy(reported_license_by_license_model(policy.software_license), policy)
end end
def diff_with(other) def diff_with(other)
license_scan_report license_scanning_report
.diff_with(other.license_scan_report) .diff_with(other.license_scanning_report)
.transform_values do |reported_licenses| .transform_values do |reported_licenses|
reported_licenses.map do |reported_license| reported_licenses.map do |reported_license|
matching_license_policy = matching_license_policy =
known_policies[reported_license.canonical_id] || known_policies[reported_license.id] ||
known_policies[reported_license&.name&.downcase] known_policies[reported_license&.name&.downcase]
build_policy(reported_license, matching_license_policy) build_policy(reported_license, matching_license_policy)
end end
end end
end end
def license_scan_report def license_scanning_report
strong_memoize(:license_scan_report) do strong_memoize(:license_scanning_report) do
pipeline.blank? ? empty_report : pipeline.license_scanning_report pipeline.blank? ? empty_report : pipeline.license_scanning_report
end end
end end
...@@ -74,9 +74,16 @@ module SCA ...@@ -74,9 +74,16 @@ module SCA
end end
end end
# When the license found in the report doesn't match any license
# of the SPDX License List, we need to find it by name explicitly.
def reported_license_by_license_model(software_license)
license_scanning_report[software_license.canonical_id] ||
license_scanning_report.by_license_name(software_license.name&.downcase)
end
def unclassified_policies def unclassified_policies
license_scan_report.licenses.map do |reported_license| license_scanning_report.licenses.map do |reported_license|
next if known_policies[reported_license.canonical_id] next if known_policies[reported_license.id] || known_policies[reported_license&.name&.downcase]
[reported_license.canonical_id, build_policy(reported_license, nil)] [reported_license.canonical_id, build_policy(reported_license, nil)]
end.compact.to_h end.compact.to_h
......
...@@ -34,7 +34,7 @@ module Gitlab ...@@ -34,7 +34,7 @@ module Gitlab
end end
def by_license_name(name) def by_license_name(name)
licenses.find { |license| license.name == name } licenses.find { |license| license.name.casecmp?(name) }
end end
def apply_details_from!(dependency_list_report) def apply_details_from!(dependency_list_report)
......
...@@ -140,6 +140,12 @@ FactoryBot.define do ...@@ -140,6 +140,12 @@ FactoryBot.define do
end end
end end
trait :license_scanning_custom_license do
after :build do |build|
build.job_artifacts << build(:ee_ci_job_artifact, :license_scanning_custom_license, job: build)
end
end
trait :requirements_report do trait :requirements_report do
after(:build) do |build| after(:build) do |build|
build.job_artifacts << create(:ee_ci_job_artifact, :all_passing_requirements, job: build) build.job_artifacts << create(:ee_ci_job_artifact, :all_passing_requirements, job: build)
......
...@@ -159,6 +159,16 @@ FactoryBot.define do ...@@ -159,6 +159,16 @@ FactoryBot.define do
end end
end end
trait :license_scanning_custom_license do
file_type { :license_scanning }
file_format { :raw }
after(:build) do |artifact, _|
artifact.file = fixture_file_upload(
Rails.root.join('ee/spec/fixtures/security_reports/license_compliance/gl-license-scanning-report-custom-license.json'), 'application/json')
end
end
trait :performance do trait :performance do
file_format { :raw } file_format { :raw }
file_type { :performance } file_type { :performance }
...@@ -338,7 +348,7 @@ FactoryBot.define do ...@@ -338,7 +348,7 @@ FactoryBot.define do
trait :"v#{version}" do trait :"v#{version}" do
after(:build) do |artifact, _| after(:build) do |artifact, _|
filename = "gl-#{artifact.file_type.dasherize}-report-v#{version.sub(/_/, '.')}.json" filename = "gl-#{artifact.file_type.dasherize}-report-v#{version.sub(/_/, '.')}.json"
path = Rails.root.join("ee/spec/fixtures/security_reports/#{filename}") path = Rails.root.join("ee/spec/fixtures/security_reports/license_compliance/#{filename}")
artifact.file = fixture_file_upload(path, "application/json") artifact.file = fixture_file_upload(path, "application/json")
end end
end end
......
...@@ -30,7 +30,7 @@ RSpec.describe 'EE > Projects > Licenses > Maintainer views policies', :js do ...@@ -30,7 +30,7 @@ RSpec.describe 'EE > Projects > Licenses > Maintainer views policies', :js do
let_it_be(:mit_policy) { create(:software_license_policy, :denied, software_license: mit, project: project) } let_it_be(:mit_policy) { create(:software_license_policy, :denied, software_license: mit, project: project) }
let_it_be(:pipeline) { create(:ee_ci_pipeline, project: project, builds: [create(:ee_ci_build, :license_scan_v2, :success)], status: :success) } let_it_be(:pipeline) { create(:ee_ci_pipeline, project: project, builds: [create(:ee_ci_build, :license_scan_v2, :success)], status: :success) }
let(:report) { Gitlab::Json.parse(fixture_file('security_reports/gl-license-scanning-report-v2.json', dir: 'ee')) } let(:report) { Gitlab::Json.parse(fixture_file('security_reports/license_compliance/gl-license-scanning-report-v2.json', dir: 'ee')) }
let(:known_licenses) { report['licenses'].find_all { |license| license['url'].present? } } let(:known_licenses) { report['licenses'].find_all { |license| license['url'].present? } }
it 'displays licenses detected in the most recent scan report' do it 'displays licenses detected in the most recent scan report' do
......
{
"version": "2.1",
"licenses": [
{
"id": "BSD-3-Clause",
"name": "BSD 3-Clause \"New\" or \"Revised\" License",
"url": "https://opensource.org/licenses/BSD-3-Clause"
},
{
"id": "MIT",
"name": "MIT License",
"url": "https://opensource.org/licenses/MIT"
},
{
"id": "foo",
"name": "Foo License",
"url": ""
}
],
"dependencies": [
{
"name": "a",
"version": "1.0.0",
"package_manager": "bundler",
"path": "Gemfile.lock",
"licenses": ["MIT"]
},
{
"name": "b",
"version": "0.1.0",
"package_manager": "yarn",
"path": "yarn.lock",
"licenses": ["BSD-3-Clause"]
},
{
"name": "c",
"version": "1.1.0",
"package_manager": "bundler",
"path": "Gemfile.lock",
"licenses": ["MIT", "BSD-3-Clause"]
},
{
"name": "d",
"version": "1.1.1",
"package_manager": "bundler",
"path": "Gemfile.lock",
"licenses": ["foo"]
}
]
}
...@@ -42,7 +42,7 @@ RSpec.describe Gitlab::Ci::Parsers::LicenseCompliance::LicenseScanning do ...@@ -42,7 +42,7 @@ RSpec.describe Gitlab::Ci::Parsers::LicenseCompliance::LicenseScanning do
end end
context 'when parsing a valid v1.1 report' do context 'when parsing a valid v1.1 report' do
let(:v1_1_data) { fixture_file('security_reports/gl-license-scanning-report-v1.1.json', dir: 'ee') } let(:v1_1_data) { fixture_file('security_reports/license_compliance/gl-license-scanning-report-v1.1.json', dir: 'ee') }
before do before do
subject.parse!(v1_1_data, report) subject.parse!(v1_1_data, report)
...@@ -74,7 +74,7 @@ RSpec.describe Gitlab::Ci::Parsers::LicenseCompliance::LicenseScanning do ...@@ -74,7 +74,7 @@ RSpec.describe Gitlab::Ci::Parsers::LicenseCompliance::LicenseScanning do
end end
context 'when parsing a valid v2 report' do context 'when parsing a valid v2 report' do
let(:v2_0_data) { fixture_file('security_reports/gl-license-scanning-report-v2.json', dir: 'ee') } let(:v2_0_data) { fixture_file('security_reports/license_compliance/gl-license-scanning-report-v2.json', dir: 'ee') }
before do before do
subject.parse!(v2_0_data, report) subject.parse!(v2_0_data, report)
...@@ -106,7 +106,7 @@ RSpec.describe Gitlab::Ci::Parsers::LicenseCompliance::LicenseScanning do ...@@ -106,7 +106,7 @@ RSpec.describe Gitlab::Ci::Parsers::LicenseCompliance::LicenseScanning do
end end
context 'when parsing a valid v2.1 report' do context 'when parsing a valid v2.1 report' do
let(:v2_1_data) { fixture_file('security_reports/gl-license-scanning-report-v2.1.json', dir: 'ee') } let(:v2_1_data) { fixture_file('security_reports/license_compliance/gl-license-scanning-report-v2.1.json', dir: 'ee') }
before do before do
subject.parse!(v2_1_data, report) subject.parse!(v2_1_data, report)
......
...@@ -11,7 +11,7 @@ RSpec.describe Gitlab::Ci::Reports::LicenseScanning::Report do ...@@ -11,7 +11,7 @@ RSpec.describe Gitlab::Ci::Reports::LicenseScanning::Report do
let(:report) { build(:ci_reports_license_scanning_report, :report_2) } let(:report) { build(:ci_reports_license_scanning_report, :report_2) }
context 'with existing license' do context 'with existing license' do
let(:name) { 'MIT' } let(:name) { 'MIt' }
it 'finds right name' do it 'finds right name' do
is_expected.to be_a(Gitlab::Ci::Reports::LicenseScanning::License) is_expected.to be_a(Gitlab::Ci::Reports::LicenseScanning::License)
...@@ -290,7 +290,7 @@ RSpec.describe Gitlab::Ci::Reports::LicenseScanning::Report do ...@@ -290,7 +290,7 @@ RSpec.describe Gitlab::Ci::Reports::LicenseScanning::Report do
context 'when parsing a v2 report' do context 'when parsing a v2 report' do
subject { described_class.parse_from(v2_json) } subject { described_class.parse_from(v2_json) }
let(:v2_json) { fixture_file('security_reports/gl-license-scanning-report-v2.json', dir: 'ee') } let(:v2_json) { fixture_file('security_reports/license_compliance/gl-license-scanning-report-v2.json', dir: 'ee') }
it { expect(subject.version).to eql('2.0') } it { expect(subject.version).to eql('2.0') }
it { expect(subject.licenses.count).to eq(3) } it { expect(subject.licenses.count).to eq(3) }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment