Commit c4d0f6a0 authored by James Fargher's avatar James Fargher

Merge branch '37719-default-to-2-1' into 'master'

Upgrade to `license_scanning` report v2.1

See merge request gitlab-org/gitlab!34224
parents 45b671aa bb2f3475
---
title: Upgrade to `license_scanning` report v2.1
merge_request: 34224
author:
type: added
...@@ -91,7 +91,7 @@ RSpec.describe Projects::LicensesController do ...@@ -91,7 +91,7 @@ RSpec.describe Projects::LicensesController do
let_it_be(:mit_policy) { create(:software_license_policy, :denied, software_license: mit, project: project) } let_it_be(:mit_policy) { create(:software_license_policy, :denied, software_license: mit, project: project) }
let_it_be(:other_license) { create(:software_license, spdx_identifier: "Other-Id") } let_it_be(:other_license) { create(:software_license, spdx_identifier: "Other-Id") }
let_it_be(:other_license_policy) { create(:software_license_policy, :allowed, software_license: other_license, project: project) } let_it_be(:other_license_policy) { create(:software_license_policy, :allowed, software_license: other_license, project: project) }
let_it_be(:pipeline) { create(:ee_ci_pipeline, project: project, builds: [create(:ee_ci_build, :license_scan_v2, :success)]) } let_it_be(:pipeline) { create(:ee_ci_pipeline, project: project, builds: [create(:ee_ci_build, :license_scan_v2_1, :success)]) }
context "when loading all policies" do context "when loading all policies" do
before do before do
...@@ -116,7 +116,7 @@ RSpec.describe Projects::LicensesController do ...@@ -116,7 +116,7 @@ RSpec.describe Projects::LicensesController do
"id" => nil, "id" => nil,
"spdx_identifier" => "BSD-3-Clause", "spdx_identifier" => "BSD-3-Clause",
"name" => "BSD 3-Clause \"New\" or \"Revised\" License", "name" => "BSD 3-Clause \"New\" or \"Revised\" License",
"url" => "http://spdx.org/licenses/BSD-3-Clause.json", "url" => "https://opensource.org/licenses/BSD-3-Clause",
"classification" => "unclassified" "classification" => "unclassified"
}) })
end end
...@@ -126,7 +126,7 @@ RSpec.describe Projects::LicensesController do ...@@ -126,7 +126,7 @@ RSpec.describe Projects::LicensesController do
"id" => mit_policy.id, "id" => mit_policy.id,
"spdx_identifier" => "MIT", "spdx_identifier" => "MIT",
"name" => mit.name, "name" => mit.name,
"url" => "http://spdx.org/licenses/MIT.json", "url" => "https://opensource.org/licenses/MIT",
"classification" => "denied" "classification" => "denied"
}) })
end end
......
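Review bot: Replacing `:license_scan_v2` with `:license_scan_v2_1` in `let_it_be(:pipeline)` removes the only v2.0 report from this controller spec, so the controller path for v2.0 artifacts is no longer covered even though the factory still offers that trait; the same substitution is made in the SCA::LicenseCompliance spec (the poorly-formatted-report `builds`, the `#find_policies` pipeline and `license_scan_build`). If v2.0 reports are still accepted, keep one pipeline on the old trait or iterate the shared examples over `%w[2 2_1]` so both versions stay exercised. The changed `"url"` expectations now equal the strings carried by the v2.1 fixture rather than an spdx.org address derived from the identifier, which reads as the URL being taken from the uploaded report; that is inferred from the diff, not visible in this hunk.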
...@@ -114,7 +114,7 @@ FactoryBot.define do ...@@ -114,7 +114,7 @@ FactoryBot.define do
end end
end end
%w[1 1_1 2].each do |version| %w[1 1_1 2 2_1].each do |version|
trait :"license_scan_v#{version}" do trait :"license_scan_v#{version}" do
after :build do |build| after :build do |build|
build.job_artifacts << build(:ee_ci_job_artifact, :license_scan, :"v#{version}", job: build) build.job_artifacts << build(:ee_ci_job_artifact, :license_scan, :"v#{version}", job: build)
......
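Review bot: The version list `%w[1 1_1 2 2_1]` is now duplicated between the `:"license_scan_v#{version}"` traits here and the `:"v#{version}"` traits in the ee_ci_job_artifact factory in the next hunk, and the two must stay in sync because the build trait references the artifact trait by name. Extract one frozen constant, for example `LICENSE_SCAN_REPORT_VERSIONS = %w[1 1_1 2 2_1].freeze`, and iterate it in both factories so a future version cannot be added to one list only. The enclosing `factory` blocks begin and end outside the hunk.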
...@@ -316,7 +316,7 @@ FactoryBot.define do ...@@ -316,7 +316,7 @@ FactoryBot.define do
file_format { :raw } file_format { :raw }
end end
%w[1 1_1 2].each do |version| %w[1 1_1 2 2_1].each do |version|
trait :"v#{version}" do trait :"v#{version}" do
after(:build) do |artifact, _| after(:build) do |artifact, _|
filename = "gl-#{artifact.file_type.dasherize}-report-v#{version.sub(/_/, '.')}.json" filename = "gl-#{artifact.file_type.dasherize}-report-v#{version.sub(/_/, '.')}.json"
......
{
"version": "2.1",
"licenses": [
{
"id": "BSD-3-Clause",
"name": "BSD 3-Clause \"New\" or \"Revised\" License",
"url": "https://opensource.org/licenses/BSD-3-Clause"
},
{
"id": "MIT",
"name": "MIT License",
"url": "https://opensource.org/licenses/MIT"
},
{
"id": "unknown",
"name": "unknown",
"url": ""
}
],
"dependencies": [
{
"name": "a",
"version": "1.0.0",
"package_manager": "bundler",
"path": "Gemfile.lock",
"licenses": ["MIT"]
},
{
"name": "b",
"version": "0.1.0",
"package_manager": "yarn",
"path": "yarn.lock",
"licenses": ["BSD-3-Clause"]
},
{
"name": "c",
"version": "1.1.0",
"package_manager": "bundler",
"path": "Gemfile.lock",
"licenses": ["MIT", "BSD-3-Clause"]
},
{
"name": "d",
"version": "1.1.1",
"package_manager": "bundler",
"path": "Gemfile.lock",
"licenses": ["unknown"]
}
]
}
...@@ -74,10 +74,10 @@ RSpec.describe Gitlab::Ci::Parsers::LicenseCompliance::LicenseScanning do ...@@ -74,10 +74,10 @@ RSpec.describe Gitlab::Ci::Parsers::LicenseCompliance::LicenseScanning do
end end
context 'when parsing a valid v2 report' do context 'when parsing a valid v2 report' do
let(:v2_data) { fixture_file('security_reports/gl-license-scanning-report-v2.json', dir: 'ee') } let(:v2_0_data) { fixture_file('security_reports/gl-license-scanning-report-v2.json', dir: 'ee') }
before do before do
subject.parse!(v2_data, report) subject.parse!(v2_0_data, report)
end end
it { expect(report.version).to eql('2.0') } it { expect(report.version).to eql('2.0') }
...@@ -105,6 +105,44 @@ RSpec.describe Gitlab::Ci::Parsers::LicenseCompliance::LicenseScanning do ...@@ -105,6 +105,44 @@ RSpec.describe Gitlab::Ci::Parsers::LicenseCompliance::LicenseScanning do
it { expect(report.licenses[2].dependencies.map(&:name)).to contain_exactly('d') } it { expect(report.licenses[2].dependencies.map(&:name)).to contain_exactly('d') }
end end
context 'when parsing a valid v2.1 report' do
let(:v2_1_data) { fixture_file('security_reports/gl-license-scanning-report-v2.1.json', dir: 'ee') }
before do
subject.parse!(v2_1_data, report)
end
it { expect(report.version).to eql('2.1') }
it { expect(report.licenses.count).to eq(3) }
it 'parses the BSD license' do
expect(report.licenses[0].id).to eql('BSD-3-Clause')
expect(report.licenses[0].name).to eql('BSD 3-Clause "New" or "Revised" License')
expect(report.licenses[0].url).to eql('https://opensource.org/licenses/BSD-3-Clause')
expect(report.licenses[0].count).to be(2)
expect(report.licenses[0].dependencies.count).to be(2)
expect(report.licenses[0].dependencies.map(&:name)).to contain_exactly('b', 'c')
end
it 'parses the MIT license' do
expect(report.licenses[1].id).to eql('MIT')
expect(report.licenses[1].name).to eql('MIT License')
expect(report.licenses[1].url).to eql('https://opensource.org/licenses/MIT')
expect(report.licenses[1].count).to be(2)
expect(report.licenses[1].dependencies.count).to be(2)
expect(report.licenses[1].dependencies.map(&:name)).to contain_exactly('a', 'c')
end
it 'parses an unknown license' do
expect(report.licenses[2].id).to be_nil
expect(report.licenses[2].name).to eql('unknown')
expect(report.licenses[2].url).to eql('')
expect(report.licenses[2].count).to be(1)
expect(report.licenses[2].dependencies.count).to be(1)
expect(report.licenses[2].dependencies.map(&:name)).to contain_exactly('d')
end
end
context 'when parsing a v2 report with a missing license definition' do context 'when parsing a v2 report with a missing license definition' do
let(:v2_data) do let(:v2_data) do
{ {
......
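Review bot: The rename from `v2_data` to `v2_0_data` in the 'valid v2 report' context is only partial: the 'missing license definition' context that follows still declares `let(:v2_data) do`, so the two v2.0 contexts now use different names for the same fixture; rename that one to `v2_0_data` too (its body continues outside the hunk). The new v2.1 context covers only the well-formed fixture; mirror the v2 negative context with `context 'when parsing a v2.1 report with a missing license definition'` so a dependency referencing an undeclared license id is still handled for the new version. Since `report.licenses[n].url` is asserted equal to the fixture's `url` strings, it is also worth pinning what the parser does with a v2.1 license entry whose `url` is absent or not an http(s) URL, as that value appears to be surfaced downstream.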
...@@ -57,7 +57,7 @@ RSpec.describe SCA::LicenseCompliance do ...@@ -57,7 +57,7 @@ RSpec.describe SCA::LicenseCompliance do
context "when the dependency scan produces a poorly formatted report" do context "when the dependency scan produces a poorly formatted report" do
let(:builds) do let(:builds) do
[ [
create(:ee_ci_build, :success, :license_scan_v2), create(:ee_ci_build, :success, :license_scan_v2_1),
create(:ee_ci_build, :success, :corrupted_dependency_scanning_report) create(:ee_ci_build, :success, :corrupted_dependency_scanning_report)
] ]
end end
...@@ -107,6 +107,48 @@ RSpec.describe SCA::LicenseCompliance do ...@@ -107,6 +107,48 @@ RSpec.describe SCA::LicenseCompliance do
end end
end end
context "when a pipeline has successfully produced a v2.1 license scan report" do
let(:builds) { [create(:ee_ci_build, :success, :license_scan_v2_1)] }
let!(:mit_policy) { create(:software_license_policy, :denied, software_license: mit, project: project) }
let!(:other_license_policy) { create(:software_license_policy, :allowed, software_license: other_license, project: project) }
it "includes a policy for each detected license and classified license" do
expect(subject.policies.count).to eq(4)
end
it 'includes a policy for a detected license that is unclassified' do
expect(subject.policies[0].id).to be_nil
expect(subject.policies[0].name).to eq("BSD 3-Clause \"New\" or \"Revised\" License")
expect(subject.policies[0].url).to eq("https://opensource.org/licenses/BSD-3-Clause")
expect(subject.policies[0].classification).to eq("unclassified")
expect(subject.policies[0].spdx_identifier).to eq("BSD-3-Clause")
end
it 'includes a policy for a classified license that was also detected in the scan report' do
expect(subject.policies[1].id).to eq(mit_policy.id)
expect(subject.policies[1].name).to eq(mit.name)
expect(subject.policies[1].url).to eq("https://opensource.org/licenses/MIT")
expect(subject.policies[1].classification).to eq("denied")
expect(subject.policies[1].spdx_identifier).to eq("MIT")
end
it 'includes a policy for a classified license that was not detected in the scan report' do
expect(subject.policies[2].id).to eq(other_license_policy.id)
expect(subject.policies[2].name).to eq(other_license.name)
expect(subject.policies[2].url).to be_blank
expect(subject.policies[2].classification).to eq("allowed")
expect(subject.policies[2].spdx_identifier).to eq(other_license.spdx_identifier)
end
it 'includes a policy for an unclassified and unknown license that was detected in the scan report' do
expect(subject.policies[3].id).to be_nil
expect(subject.policies[3].name).to eq("unknown")
expect(subject.policies[3].url).to be_blank
expect(subject.policies[3].classification).to eq("unclassified")
expect(subject.policies[3].spdx_identifier).to be_nil
end
end
context "when a pipeline has successfully produced a v1.1 license scan report" do context "when a pipeline has successfully produced a v1.1 license scan report" do
let(:builds) { [create(:ee_ci_build, :license_scan_v1_1, :success)] } let(:builds) { [create(:ee_ci_build, :license_scan_v1_1, :success)] }
let!(:mit_policy) { create(:software_license_policy, :denied, software_license: mit, project: project) } let!(:mit_policy) { create(:software_license_policy, :denied, software_license: mit, project: project) }
...@@ -148,7 +190,7 @@ RSpec.describe SCA::LicenseCompliance do ...@@ -148,7 +190,7 @@ RSpec.describe SCA::LicenseCompliance do
end end
describe "#find_policies" do describe "#find_policies" do
let!(:pipeline) { create(:ci_pipeline, :success, project: project, builds: [create(:ee_ci_build, :success, :license_scan_v2)]) } let!(:pipeline) { create(:ci_pipeline, :success, project: project, builds: [create(:ee_ci_build, :success, :license_scan_v2_1)]) }
let!(:mit_policy) { create(:software_license_policy, :denied, software_license: mit, project: project) } let!(:mit_policy) { create(:software_license_policy, :denied, software_license: mit, project: project) }
let!(:other_license_policy) { create(:software_license_policy, :allowed, software_license: other_license, project: project) } let!(:other_license_policy) { create(:software_license_policy, :allowed, software_license: other_license, project: project) }
...@@ -171,7 +213,7 @@ RSpec.describe SCA::LicenseCompliance do ...@@ -171,7 +213,7 @@ RSpec.describe SCA::LicenseCompliance do
results[0], results[0],
id: nil, id: nil,
name: 'BSD 3-Clause "New" or "Revised" License', name: 'BSD 3-Clause "New" or "Revised" License',
url: "http://spdx.org/licenses/BSD-3-Clause.json", url: "https://opensource.org/licenses/BSD-3-Clause",
classification: "unclassified", classification: "unclassified",
spdx_identifier: "BSD-3-Clause" spdx_identifier: "BSD-3-Clause"
) )
...@@ -182,7 +224,7 @@ RSpec.describe SCA::LicenseCompliance do ...@@ -182,7 +224,7 @@ RSpec.describe SCA::LicenseCompliance do
results[1], results[1],
id: mit_policy.id, id: mit_policy.id,
name: mit.name, name: mit.name,
url: "http://spdx.org/licenses/MIT.json", url: "https://opensource.org/licenses/MIT",
classification: "denied", classification: "denied",
spdx_identifier: "MIT" spdx_identifier: "MIT"
) )
...@@ -225,7 +267,7 @@ RSpec.describe SCA::LicenseCompliance do ...@@ -225,7 +267,7 @@ RSpec.describe SCA::LicenseCompliance do
results[0], results[0],
id: mit_policy.id, id: mit_policy.id,
name: mit_policy.software_license.name, name: mit_policy.software_license.name,
url: 'http://spdx.org/licenses/MIT.json', url: 'https://opensource.org/licenses/MIT',
classification: "denied", classification: "denied",
spdx_identifier: mit_policy.software_license.spdx_identifier spdx_identifier: mit_policy.software_license.spdx_identifier
) )
...@@ -249,7 +291,7 @@ RSpec.describe SCA::LicenseCompliance do ...@@ -249,7 +291,7 @@ RSpec.describe SCA::LicenseCompliance do
results[0], results[0],
id: mit_policy.id, id: mit_policy.id,
name: mit_policy.software_license.name, name: mit_policy.software_license.name,
url: 'http://spdx.org/licenses/MIT.json', url: 'https://opensource.org/licenses/MIT',
classification: "denied", classification: "denied",
spdx_identifier: mit_policy.software_license.spdx_identifier spdx_identifier: mit_policy.software_license.spdx_identifier
) )
...@@ -292,7 +334,7 @@ RSpec.describe SCA::LicenseCompliance do ...@@ -292,7 +334,7 @@ RSpec.describe SCA::LicenseCompliance do
describe "#latest_build_for_default_branch" do describe "#latest_build_for_default_branch" do
let(:regular_build) { create(:ci_build, :success) } let(:regular_build) { create(:ci_build, :success) }
let(:license_scan_build) { create(:ee_ci_build, :license_scan_v2, :success) } let(:license_scan_build) { create(:ee_ci_build, :license_scan_v2_1, :success) }
context "when a pipeline has never been completed for the project" do context "when a pipeline has never been completed for the project" do
it { expect(subject.latest_build_for_default_branch).to be_nil } it { expect(subject.latest_build_for_default_branch).to be_nil }
......
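Review bot: The new v2.1 context asserts `subject.policies[2].url` is blank for `other_license_policy` while `policies[0].url` and `policies[1].url` equal the fixture's opensource.org strings, which indicates the URL a policy exposes now comes from the uploaded report rather than from the stored `software_license`; if that is right, the link shown for a license is controlled by whatever produced the artifact, and no example here covers a report `url` that is empty, malformed or uses a non-http(s) scheme. Add a v2.1 example built from such a fixture and assert the policy's `url` is blank or normalised, so the accepted shape is documented by the spec. Also, the `name:` expectation uses `'BSD 3-Clause "New" or "Revised" License'` in `#find_policies` but the escaped `"BSD 3-Clause \"New\" or \"Revised\" License"` in the new context; prefer the single-quoted form in both.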
...@@ -19,6 +19,7 @@ license_scanning: ...@@ -19,6 +19,7 @@ license_scanning:
entrypoint: [""] entrypoint: [""]
variables: variables:
LM_REPORT_FILE: gl-license-scanning-report.json LM_REPORT_FILE: gl-license-scanning-report.json
LM_REPORT_VERSION: '2.1'
SETUP_CMD: $LICENSE_MANAGEMENT_SETUP_CMD SETUP_CMD: $LICENSE_MANAGEMENT_SETUP_CMD
allow_failure: true allow_failure: true
script: script:
......
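Review bot: `LM_REPORT_VERSION: '2.1'` is added without any note of why it exists or which values are valid, and because it sits under the job's `variables:` a project can override it. A comment beside it such as `# Schema version of the report the analyzer writes; presumably must be a version the GitLab parser accepts` would tell template users what is supported and that overriding it with an unsupported value leaves the report unparsed. The `license_scanning` job definition begins before the hunk.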