Merge branch '37719-default-to-2-1' into 'master'

Upgrade to `license_scanning` report v2.1 See merge request gitlab-org/gitlab!34224

Merge branch '37719-default-to-2-1' into 'master'
Upgrade to `license_scanning` report v2.1 See merge request gitlab-org/gitlab!34224
c4d0f6a0 · James Fargher · 45b671aa · bb2f3475 · c4d0f6a0 · c4d0f6a0
Commit c4d0f6a0 authored Jun 15, 2020 by James Fargher
8 changed files
--- a/ee/changelogs/unreleased/37719-default-to-2-1.yml
+++ b/ee/changelogs/unreleased/37719-default-to-2-1.yml
+---
+title: Upgrade to `license_scanning` report v2.1
+merge_request: 34224
+author:
+type: added
--- a/ee/spec/controllers/projects/licenses_controller_spec.rb
+++ b/ee/spec/controllers/projects/licenses_controller_spec.rb
@@ -91,7 +91,7 @@ RSpec.describe Projects::LicensesController do
            let_it_be(:mit_policy) { create(:software_license_policy, :denied, software_license: mit, project: project) }
            let_it_be(:other_license) { create(:software_license, spdx_identifier: "Other-Id") }
            let_it_be(:other_license_policy) { create(:software_license_policy, :allowed, software_license: other_license, project: project) }
-            let_it_be(:pipeline) { create(:ee_ci_pipeline, project: project, builds: [create(:ee_ci_build, :license_scan_v2, :success)]) }
+            let_it_be(:pipeline) { create(:ee_ci_pipeline, project: project, builds: [create(:ee_ci_build, :license_scan_v2_1, :success)]) }

            context "when loading all policies" do
              before do
@@ -116,7 +116,7 @@ RSpec.describe Projects::LicensesController do
                  "id" => nil,
                  "spdx_identifier" => "BSD-3-Clause",
                  "name" => "BSD 3-Clause \"New\" or \"Revised\" License",
-                  "url" => "http://spdx.org/licenses/BSD-3-Clause.json",
+                  "url" => "https://opensource.org/licenses/BSD-3-Clause",
                  "classification" => "unclassified"
                })
              end
@@ -126,7 +126,7 @@ RSpec.describe Projects::LicensesController do
                  "id" => mit_policy.id,
                  "spdx_identifier" => "MIT",
                  "name" => mit.name,
-                  "url" => "http://spdx.org/licenses/MIT.json",
+                  "url" => "https://opensource.org/licenses/MIT",
                  "classification" => "denied"
                })
              end

--- a/ee/spec/factories/ci/builds.rb
+++ b/ee/spec/factories/ci/builds.rb
@@ -114,7 +114,7 @@ FactoryBot.define do
      end
    end

-    %w[1 1_1 2].each do |version|
+    %w[1 1_1 2 2_1].each do |version|
      trait :"license_scan_v#{version}" do
        after :build do |build|
          build.job_artifacts << build(:ee_ci_job_artifact, :license_scan, :"v#{version}", job: build)

--- a/ee/spec/factories/ci/job_artifacts.rb
+++ b/ee/spec/factories/ci/job_artifacts.rb
@@ -316,7 +316,7 @@ FactoryBot.define do
      file_format { :raw }
    end

-    %w[1 1_1 2].each do |version|
+    %w[1 1_1 2 2_1].each do |version|
      trait :"v#{version}" do
        after(:build) do |artifact, _|
          filename = "gl-#{artifact.file_type.dasherize}-report-v#{version.sub(/_/, '.')}.json"

--- a/ee/spec/fixtures/security_reports/gl-license-scanning-report-v2.1.json
+++ b/ee/spec/fixtures/security_reports/gl-license-scanning-report-v2.1.json
+{
+  "version": "2.1",
+  "licenses": [
+    {
+      "id": "BSD-3-Clause",
+      "name": "BSD 3-Clause \"New\" or \"Revised\" License",
+      "url": "https://opensource.org/licenses/BSD-3-Clause"
+    },
+    {
+      "id": "MIT",
+      "name": "MIT License",
+      "url": "https://opensource.org/licenses/MIT"
+    },
+    {
+      "id": "unknown",
+      "name": "unknown",
+      "url": ""
+    }
+  ],
+  "dependencies": [
+    {
+      "name": "a",
+      "version": "1.0.0",
+      "package_manager": "bundler",
+      "path": "Gemfile.lock",
+      "licenses": ["MIT"]
+    },
+    {
+      "name": "b",
+      "version": "0.1.0",
+      "package_manager": "yarn",
+      "path": "yarn.lock",
+      "licenses": ["BSD-3-Clause"]
+    },
+    {
+      "name": "c",
+      "version": "1.1.0",
+      "package_manager": "bundler",
+      "path": "Gemfile.lock",
+      "licenses": ["MIT", "BSD-3-Clause"]
+    },
+    {
+      "name": "d",
+      "version": "1.1.1",
+      "package_manager": "bundler",
+      "path": "Gemfile.lock",
+      "licenses": ["unknown"]
+    }
+  ]
+}
--- a/ee/spec/lib/gitlab/ci/parsers/license_compliance/license_scanning_spec.rb
+++ b/ee/spec/lib/gitlab/ci/parsers/license_compliance/license_scanning_spec.rb
@@ -74,10 +74,10 @@ RSpec.describe Gitlab::Ci::Parsers::LicenseCompliance::LicenseScanning do
    end

    context 'when parsing a valid v2 report' do
-      let(:v2_data) { fixture_file('security_reports/gl-license-scanning-report-v2.json', dir: 'ee') }
+      let(:v2_0_data) { fixture_file('security_reports/gl-license-scanning-report-v2.json', dir: 'ee') }

      before do
-        subject.parse!(v2_data, report)
+        subject.parse!(v2_0_data, report)
      end

      it { expect(report.version).to eql('2.0') }
@@ -105,6 +105,44 @@ RSpec.describe Gitlab::Ci::Parsers::LicenseCompliance::LicenseScanning do
      it { expect(report.licenses[2].dependencies.map(&:name)).to contain_exactly('d') }
    end

+    context 'when parsing a valid v2.1 report' do
+      let(:v2_1_data) { fixture_file('security_reports/gl-license-scanning-report-v2.1.json', dir: 'ee') }
+
+      before do
+        subject.parse!(v2_1_data, report)
+      end
+
+      it { expect(report.version).to eql('2.1') }
+      it { expect(report.licenses.count).to eq(3) }
+
+      it 'parses the BSD license' do
+        expect(report.licenses[0].id).to eql('BSD-3-Clause')
+        expect(report.licenses[0].name).to eql('BSD 3-Clause "New" or "Revised" License')
+        expect(report.licenses[0].url).to eql('https://opensource.org/licenses/BSD-3-Clause')
+        expect(report.licenses[0].count).to be(2)
+        expect(report.licenses[0].dependencies.count).to be(2)
+        expect(report.licenses[0].dependencies.map(&:name)).to contain_exactly('b', 'c')
+      end
+
+      it 'parses the MIT license' do
+        expect(report.licenses[1].id).to eql('MIT')
+        expect(report.licenses[1].name).to eql('MIT License')
+        expect(report.licenses[1].url).to eql('https://opensource.org/licenses/MIT')
+        expect(report.licenses[1].count).to be(2)
+        expect(report.licenses[1].dependencies.count).to be(2)
+        expect(report.licenses[1].dependencies.map(&:name)).to contain_exactly('a', 'c')
+      end
+
+      it 'parses an unknown license' do
+        expect(report.licenses[2].id).to be_nil
+        expect(report.licenses[2].name).to eql('unknown')
+        expect(report.licenses[2].url).to eql('')
+        expect(report.licenses[2].count).to be(1)
+        expect(report.licenses[2].dependencies.count).to be(1)
+        expect(report.licenses[2].dependencies.map(&:name)).to contain_exactly('d')
+      end
+    end
+
    context 'when parsing a v2 report with a missing license definition' do
      let(:v2_data) do
        {

--- a/ee/spec/models/sca/license_compliance_spec.rb
+++ b/ee/spec/models/sca/license_compliance_spec.rb
@@ -57,7 +57,7 @@ RSpec.describe SCA::LicenseCompliance do
      context "when the dependency scan produces a poorly formatted report" do
        let(:builds) do
          [
-            create(:ee_ci_build, :success, :license_scan_v2),
+            create(:ee_ci_build, :success, :license_scan_v2_1),
            create(:ee_ci_build, :success, :corrupted_dependency_scanning_report)
          ]
        end
@@ -107,6 +107,48 @@ RSpec.describe SCA::LicenseCompliance do
        end
      end

+      context "when a pipeline has successfully produced a v2.1 license scan report" do
+        let(:builds) { [create(:ee_ci_build, :success, :license_scan_v2_1)] }
+        let!(:mit_policy) { create(:software_license_policy, :denied, software_license: mit, project: project) }
+        let!(:other_license_policy) { create(:software_license_policy, :allowed, software_license: other_license, project: project) }
+
+        it "includes a policy for each detected license and classified license" do
+          expect(subject.policies.count).to eq(4)
+        end
+
+        it 'includes a policy for a detected license that is unclassified' do
+          expect(subject.policies[0].id).to be_nil
+          expect(subject.policies[0].name).to eq("BSD 3-Clause \"New\" or \"Revised\" License")
+          expect(subject.policies[0].url).to eq("https://opensource.org/licenses/BSD-3-Clause")
+          expect(subject.policies[0].classification).to eq("unclassified")
+          expect(subject.policies[0].spdx_identifier).to eq("BSD-3-Clause")
+        end
+
+        it 'includes a policy for a classified license that was also detected in the scan report' do
+          expect(subject.policies[1].id).to eq(mit_policy.id)
+          expect(subject.policies[1].name).to eq(mit.name)
+          expect(subject.policies[1].url).to eq("https://opensource.org/licenses/MIT")
+          expect(subject.policies[1].classification).to eq("denied")
+          expect(subject.policies[1].spdx_identifier).to eq("MIT")
+        end
+
+        it 'includes a policy for a classified license that was not detected in the scan report' do
+          expect(subject.policies[2].id).to eq(other_license_policy.id)
+          expect(subject.policies[2].name).to eq(other_license.name)
+          expect(subject.policies[2].url).to be_blank
+          expect(subject.policies[2].classification).to eq("allowed")
+          expect(subject.policies[2].spdx_identifier).to eq(other_license.spdx_identifier)
+        end
+
+        it 'includes a policy for an unclassified and unknown license that was detected in the scan report' do
+          expect(subject.policies[3].id).to be_nil
+          expect(subject.policies[3].name).to eq("unknown")
+          expect(subject.policies[3].url).to be_blank
+          expect(subject.policies[3].classification).to eq("unclassified")
+          expect(subject.policies[3].spdx_identifier).to be_nil
+        end
+      end
+
      context "when a pipeline has successfully produced a v1.1 license scan report" do
        let(:builds) { [create(:ee_ci_build, :license_scan_v1_1, :success)] }
        let!(:mit_policy) { create(:software_license_policy, :denied, software_license: mit, project: project) }
@@ -148,7 +190,7 @@ RSpec.describe SCA::LicenseCompliance do
  end

  describe "#find_policies" do
-    let!(:pipeline) { create(:ci_pipeline, :success, project: project, builds: [create(:ee_ci_build, :success, :license_scan_v2)]) }
+    let!(:pipeline) { create(:ci_pipeline, :success, project: project, builds: [create(:ee_ci_build, :success, :license_scan_v2_1)]) }
    let!(:mit_policy) { create(:software_license_policy, :denied, software_license: mit, project: project) }
    let!(:other_license_policy) { create(:software_license_policy, :allowed, software_license: other_license, project: project) }

@@ -171,7 +213,7 @@ RSpec.describe SCA::LicenseCompliance do
          results[0],
          id: nil,
          name: 'BSD 3-Clause "New" or "Revised" License',
-          url: "http://spdx.org/licenses/BSD-3-Clause.json",
+          url: "https://opensource.org/licenses/BSD-3-Clause",
          classification: "unclassified",
          spdx_identifier: "BSD-3-Clause"
        )
@@ -182,7 +224,7 @@ RSpec.describe SCA::LicenseCompliance do
          results[1],
          id: mit_policy.id,
          name: mit.name,
-          url: "http://spdx.org/licenses/MIT.json",
+          url: "https://opensource.org/licenses/MIT",
          classification: "denied",
          spdx_identifier: "MIT"
        )
@@ -225,7 +267,7 @@ RSpec.describe SCA::LicenseCompliance do
          results[0],
          id: mit_policy.id,
          name: mit_policy.software_license.name,
-          url: 'http://spdx.org/licenses/MIT.json',
+          url: 'https://opensource.org/licenses/MIT',
          classification: "denied",
          spdx_identifier: mit_policy.software_license.spdx_identifier
        )
@@ -249,7 +291,7 @@ RSpec.describe SCA::LicenseCompliance do
          results[0],
          id: mit_policy.id,
          name: mit_policy.software_license.name,
-          url: 'http://spdx.org/licenses/MIT.json',
+          url: 'https://opensource.org/licenses/MIT',
          classification: "denied",
          spdx_identifier: mit_policy.software_license.spdx_identifier
        )
@@ -292,7 +334,7 @@ RSpec.describe SCA::LicenseCompliance do

  describe "#latest_build_for_default_branch" do
    let(:regular_build) { create(:ci_build, :success) }
-    let(:license_scan_build) { create(:ee_ci_build, :license_scan_v2, :success) }
+    let(:license_scan_build) { create(:ee_ci_build, :license_scan_v2_1, :success) }

    context "when a pipeline has never been completed for the project" do
      it { expect(subject.latest_build_for_default_branch).to be_nil }

--- a/lib/gitlab/ci/templates/Security/License-Scanning.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Security/License-Scanning.gitlab-ci.yml
@@ -19,6 +19,7 @@ license_scanning:
    entrypoint: [""]
  variables:
    LM_REPORT_FILE: gl-license-scanning-report.json
+    LM_REPORT_VERSION: '2.1'
    SETUP_CMD: $LICENSE_MANAGEMENT_SETUP_CMD
  allow_failure: true
  script: