Diffstat (limited to 'doc/user/compliance/license_compliance/index.md')
-rw-r--r-- | doc/user/compliance/license_compliance/index.md | 103 |
1 files changed, 50 insertions, 53 deletions
diff --git a/doc/user/compliance/license_compliance/index.md b/doc/user/compliance/license_compliance/index.md index 65c009f947f..f78b6115623 100644 --- a/doc/user/compliance/license_compliance/index.md +++ b/doc/user/compliance/license_compliance/index.md @@ -2,7 +2,7 @@ type: reference, howto stage: Secure group: Composition Analysis -info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#designated-technical-writers +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments --- # License Compliance **(ULTIMATE)** 
@@ -19,21 +19,21 @@ in your existing `.gitlab-ci.yml` file or by implicitly using [Auto License Compliance](../../../topics/autodevops/stages.md#auto-license-compliance) that is provided by [Auto DevOps](../../../topics/autodevops/index.md). -GitLab checks the License Compliance report, compares the licenses between the -source and target branches, and shows the information right on the merge request. -Denied licenses will be clearly visible with an `x` red icon next to them -as well as new licenses which need a decision from you. In addition, you can -[manually allow or deny](#policies) -licenses in your project's license compliance policy section. If GitLab detects a denied license -in a new commit, GitLab blocks any merge requests containing that commit and instructs the developer -to remove the license. +The [License Finder](https://github.com/pivotal/LicenseFinder) scan tool runs as part of the CI/CD +pipeline, and detects the licenses in use. GitLab checks the License Compliance report, compares the +licenses between the source and target branches, and shows the information right on the merge +request. Denied licenses are indicated by a `x` red icon next to them as well as new licenses that +need a decision from you. In addition, you can [manually allow or deny](#policies) licenses in your +project's license compliance policy section. If a denied license is detected in a new commit, +GitLab blocks any merge requests containing that commit and instructs the developer to remove the +license. -NOTE: **Note:** +NOTE: If the license compliance report doesn't have anything to compare to, no information -will be displayed in the merge request area. That is the case when you add the +is displayed in the merge request area. That is the case when you add the `license_scanning` job in your `.gitlab-ci.yml` for the first time. -Consecutive merge requests will have something to compare to and the license -compliance report will be shown properly. 
+Consecutive merge requests have something to compare to and the license +compliance report is shown properly. ![License Compliance Widget](img/license_compliance_v13_0.png) 
@@ -51,36 +51,33 @@ You can view and modify existing policies from the [policies](#policies) tab. The following languages and package managers are supported. -| Language | Package managers | Notes | Scan Tool | -|------------|------------------|-------|-----------| -| JavaScript | [Bower](https://bower.io/), [npm](https://www.npmjs.com/) | | [License Finder](https://github.com/pivotal/LicenseFinder) | -| Go | [Godep](https://github.com/tools/godep), [go mod](https://github.com/golang/go/wiki/Modules) | | [License Finder](https://github.com/pivotal/LicenseFinder) | -| Java | [Gradle](https://gradle.org/), [Maven](https://maven.apache.org/) | | [License Finder](https://github.com/pivotal/LicenseFinder) | -| .NET | [Nuget](https://www.nuget.org/) | The .NET Framework is supported via the [mono project](https://www.mono-project.com/). There are, however, some limitations. The scanner doesn't support Windows-specific dependencies and doesn't report dependencies of your project's listed dependencies. Also, the scanner always marks detected licenses for all dependencies as `unknown`. | [License Finder](https://github.com/pivotal/LicenseFinder) | -| Python | [pip](https://pip.pypa.io/en/stable/) | Python is supported through [requirements.txt](https://pip.pypa.io/en/stable/user_guide/#requirements-files) and [Pipfile.lock](https://github.com/pypa/pipfile#pipfilelock). | [License Finder](https://github.com/pivotal/LicenseFinder) | -| Ruby | [gem](https://rubygems.org/) | | [License Finder](https://github.com/pivotal/LicenseFinder)| +Java 8 and Gradle 1.x projects are not supported. The minimum supported version of Maven is 3.2.5. -NOTE: **Note:** -Java 8 and Gradle 1.x projects are not supported. -The minimum supported version of Maven is 3.2.5. 
+| Language | Package managers | Notes | +|------------|----------------------------------------------------------------------------------------------|-------| +| JavaScript | [Bower](https://bower.io/), [npm](https://www.npmjs.com/) | | +| Go | [Godep](https://github.com/tools/godep), [go mod](https://github.com/golang/go/wiki/Modules) | | +| Java | [Gradle](https://gradle.org/), [Maven](https://maven.apache.org/) | | +| .NET | [Nuget](https://www.nuget.org/) | The .NET Framework is supported via the [mono project](https://www.mono-project.com/). There are, however, some limitations. The scanner doesn't support Windows-specific dependencies and doesn't report dependencies of your project's listed dependencies. Also, the scanner always marks detected licenses for all dependencies as `unknown`. | +| Python | [pip](https://pip.pypa.io/en/stable/) | Python is supported through [requirements.txt](https://pip.pypa.io/en/stable/user_guide/#requirements-files) and [Pipfile.lock](https://github.com/pypa/pipfile#pipfilelock). | +| Ruby | [gem](https://rubygems.org/) | | ### Experimental support -The following languages and package managers are [supported experimentally](https://github.com/pivotal/LicenseFinder#experimental-project-types), -which means that the reported licenses might be incomplete or inaccurate. 
- -| Language | Package managers | Scan Tool | -|------------|-------------------------------------------------------------------|----------------------------------------------------------| -| JavaScript | [Yarn](https://yarnpkg.com/)|[License Finder](https://github.com/pivotal/LicenseFinder)| -| Go | go get, gvt, glide, dep, trash, govendor |[License Finder](https://github.com/pivotal/LicenseFinder)| -| Erlang | [Rebar](https://www.rebar3.org/) |[License Finder](https://github.com/pivotal/LicenseFinder)| -| Objective-C, Swift | [Carthage](https://github.com/Carthage/Carthage) | | [License Finder](https://github.com/pivotal/LicenseFinder) | -| Objective-C, Swift | [CocoaPods](https://cocoapods.org/) v0.39 and below |[License Finder](https://github.com/pivotal/LicenseFinder)| -| Elixir | [Mix](https://elixir-lang.org/getting-started/mix-otp/introduction-to-mix.html) |[License Finder](https://github.com/pivotal/LicenseFinder)| -| C++/C | [Conan](https://conan.io/) |[License Finder](https://github.com/pivotal/LicenseFinder)| -| Scala | [sbt](https://www.scala-sbt.org/) |[License Finder](https://github.com/pivotal/LicenseFinder)| -| Rust | [Cargo](https://crates.io) |[License Finder](https://github.com/pivotal/LicenseFinder)| -| PHP | [Composer](https://getcomposer.org/) |[License Finder](https://github.com/pivotal/LicenseFinder)| +The following languages and package managers are [supported experimentally](https://github.com/pivotal/LicenseFinder#experimental-project-types). +The reported licenses might be incomplete or inaccurate. 
+ +| Language | Package managers | +|------------|---------------------------------------------------------------------------------------------------------------| +| JavaScript | [Yarn](https://yarnpkg.com/) | +| Go | go get, gvt, glide, dep, trash, govendor | +| Erlang | [Rebar](https://www.rebar3.org/) | +| Objective-C, Swift | [Carthage](https://github.com/Carthage/Carthage), [CocoaPods](https://cocoapods.org/) v0.39 and below | +| Elixir | [Mix](https://elixir-lang.org/getting-started/mix-otp/introduction-to-mix.html) | +| C++/C | [Conan](https://conan.io/) | +| Scala | [sbt](https://www.scala-sbt.org/) | +| Rust | [Cargo](https://crates.io) | +| PHP | [Composer](https://getcomposer.org/) | ## Requirements @@ -109,12 +106,12 @@ include: The included template creates a `license_scanning` job in your CI/CD pipeline and scans your dependencies to find their licenses. -NOTE: **Note:** +NOTE: Before GitLab 12.8, the `license_scanning` job was named `license_management`. GitLab 13.0 removes the `license_management` job, so you must migrate to the `license_scanning` job and use the new `License-Scanning.gitlab-ci.yml` template. -The results will be saved as a +The results are saved as a [License Compliance report artifact](../../../ci/pipelines/job_artifacts.md#artifactsreportslicense_scanning) that you can later download and analyze. Due to implementation limitations, we always take the latest License Compliance artifact available. Behind the scenes, the 
@@ -160,7 +157,7 @@ in the project automated setup, like the download and installation of a certific For that, a `LICENSE_MANAGEMENT_SETUP_CMD` environment variable can be passed to the container, with the required commands to run before the license detection. -If present, this variable will override the setup step necessary to install all the packages +If present, this variable overrides the setup step necessary to install all the packages of your application (e.g.: for a project with a `Gemfile`, the setup step could be `bundle install`). @@ -179,7 +176,7 @@ directory of your project. ### Overriding the template -CAUTION: **Deprecation:** +WARNING: Beginning in GitLab 13.0, the use of [`only` and `except`](../../../ci/yaml/README.md#onlyexcept-basic) is no longer supported. When overriding the template, you must use [`rules`](../../../ci/yaml/README.md#rules) instead. @@ -274,13 +271,13 @@ to specify its location. ### Configuring NPM projects -You can configure NPM projects by using an [`.npmrc`](https://docs.npmjs.com/configuring-npm/npmrc.html) +You can configure NPM projects by using an [`.npmrc`](https://docs.npmjs.com/configuring-npm/npmrc.html/) file. #### Using private NPM registries If you have a private NPM registry you can use the -[`registry`](https://docs.npmjs.com/using-npm/config#registry) +[`registry`](https://docs.npmjs.com/using-npm/config/#registry) setting to specify its location. For example: @@ -294,7 +291,7 @@ registry = https://npm.example.com You can supply a custom root certificate to complete TLS verification by using the `ADDITIONAL_CA_CERT_BUNDLE` [environment variable](#available-variables). -To disable TLS verification you can provide the [`strict-ssl`](https://docs.npmjs.com/using-npm/config#strict-ssl) +To disable TLS verification you can provide the [`strict-ssl`](https://docs.npmjs.com/using-npm/config/#strict-ssl) setting. For example: 
@@ -454,7 +451,7 @@ if a GitLab remote is specified in the `.conan/remotes.json` file. To override the default credentials specify a [`CONAN_LOGIN_USERNAME_{REMOTE_NAME}`](https://docs.conan.io/en/latest/reference/env_vars.html#conan-login-username-conan-login-username-remote-name) matching the name of the remote specified in the `.conan/remotes.json` file. -NOTE: **Note:** +NOTE: [MSBuild](https://github.com/mono/msbuild#microsoftbuild-msbuild) projects aren't supported. The `license_scanning` image ships with [Mono](https://www.mono-project.com/) and [MSBuild](https://github.com/mono/msbuild#microsoftbuild-msbuild). Additional setup may be required to build packages for this project configuration. @@ -616,7 +613,7 @@ To use License Compliance in an offline environment, you need: - GitLab Runner with the [`docker` or `kubernetes` executor](#requirements). - Docker Container Registry with locally available copies of License Compliance [analyzer](https://gitlab.com/gitlab-org/security-products/analyzers) images. -NOTE: **Note:** +NOTE: GitLab Runner has a [default `pull policy` of `always`](https://docs.gitlab.com/runner/executors/docker.html#using-the-always-pull-policy), meaning the runner tries to pull Docker images from the GitLab container registry even if a local copy is available. The GitLab Runner [`pull_policy` can be set to `if-not-present`](https://docs.gitlab.com/runner/executors/docker.html#using-the-if-not-present-pull-policy) @@ -695,7 +692,7 @@ requirements must be met: [supported languages and package managers](#supported-languages-and-package-managers). Once everything is set, navigate to **Security & Compliance > License Compliance** -in your project's sidebar, and you'll see the licenses displayed, where: +in your project's sidebar, and the licenses are displayed, where: - **Name:** The name of the license. - **Component:** The components which have this license. 
@@ -708,8 +705,8 @@ in your project's sidebar, and you'll see the licenses displayed, where: > [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/22465) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 12.9. Policies allow you to specify licenses that are `allowed` or `denied` in a project. If a `denied` -license is newly committed it will disallow a merge request and instruct the developer to remove it. -Note, the merge request will not be able to be merged until the `denied` license is removed. +license is newly committed it blocks the merge request and instructs the developer to remove it. +Note, the merge request is not able to be merged until the `denied` license is removed. You may add a [`License-Check` approval rule](#enabling-license-approvals-within-a-project), which enables a designated approver that can approve and then merge a merge request with `denied` license. @@ -771,7 +768,7 @@ specify the desired version by adding a or using the appropriate [`ASDF_<tool>_VERSION`](https://asdf-vm.com/#/core-configuration?id=environment-variables) environment variable to activate the appropriate version. -For example, the following `.tool-versions` file will activate version `12.16.3` of [Node.js](https://nodejs.org/) +For example, the following `.tool-versions` file activates version `12.16.3` of [Node.js](https://nodejs.org/) and version `2.7.2` of [Ruby](https://www.ruby-lang.org/). ```plaintext @@ -828,5 +825,5 @@ $ docker run -it --entrypoint='' registry.gitlab.com/gitlab-org/security-product root@6abb70e9f193:~# ``` -NOTE: **Note:** +NOTE: Selecting a custom version of [Mono](https://www.mono-project.com/) or [.NET Core](https://dotnet.microsoft.com/download/dotnet-core) is currently not supported. |
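Review bot: In the `@@ -19,21 +19,21 @@` hunk the rewritten sentence reads "Denied licenses are indicated by a `x` red icon", which drops the article the removed line had; it should be "an `x` red icon", and "as well as new licenses that need a decision from you" is now attached to the icon clause, so it reads as if new licenses also get the red icon. Suggest splitting it: "Denied licenses are indicated by an `x` red icon next to them. New licenses that need a decision from you are also listed."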
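Review bot: In the `@@ -179,7 +176,7 @@` hunk, replacing `CAUTION: **Deprecation:**` with the bare `WARNING:` label loses the word "Deprecation", and the paragraph that follows is exactly a deprecation notice (`only`/`except` no longer supported since GitLab 13.0, use `rules` instead). If the new note syntax does not allow a custom label, add the word back into the body, for example "The use of `only` and `except` is deprecated: beginning in GitLab 13.0 it is no longer supported."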
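Review bot: In the `@@ -274,13 +271,13 @@` hunk the `.npmrc` link is changed to `https://docs.npmjs.com/configuring-npm/npmrc.html/`, a trailing slash after an `.html` file path, which is unusual and looks like a link-checker artifact rather than the canonical URL; the same hunk changes `using-npm/config#registry` to `using-npm/config/#registry`. Please confirm both URLs resolve without a redirect before merging, and if the npm docs site only serves the slash-less form, revert these two edits.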
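Review bot: In the `@@ -294,7 +291,7 @@` hunk the only change to the `strict-ssl` line is the URL, but since the line is being touched anyway it is worth tightening the guidance: the preceding paragraph already documents `ADDITIONAL_CA_CERT_BUNDLE` for completing TLS verification against a private registry, and the `strict-ssl` setting switches verification off entirely for every package the scanner fetches. Suggest leading with "If you cannot use `ADDITIONAL_CA_CERT_BUNDLE`, you can disable TLS verification by providing the `strict-ssl` setting" so readers reach for the certificate bundle first.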
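Review bot: In the `@@ -708,8 +705,8 @@` hunk the future-tense cleanup leaves "Note, the merge request is not able to be merged until the `denied` license is removed", which is awkward and repeats the previous sentence ("it blocks the merge request"). Suggest "The merge request cannot be merged until the `denied` license is removed." or folding the two sentences into one.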