summaryrefslogtreecommitdiff
path: root/doc/user/compliance/license_scanning_of_cyclonedx_files/index.md
diff options
context:
space:
mode:
Diffstat (limited to 'doc/user/compliance/license_scanning_of_cyclonedx_files/index.md')
-rw-r--r--doc/user/compliance/license_scanning_of_cyclonedx_files/index.md123
1 files changed, 123 insertions, 0 deletions
diff --git a/doc/user/compliance/license_scanning_of_cyclonedx_files/index.md b/doc/user/compliance/license_scanning_of_cyclonedx_files/index.md
new file mode 100644
index 00000000000..483c15d648c
--- /dev/null
+++ b/doc/user/compliance/license_scanning_of_cyclonedx_files/index.md
@@ -0,0 +1,123 @@
+---
+type: reference, howto
+stage: Secure
+group: Composition Analysis
+info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments
+---
+
+# License scanning of CycloneDX files **(ULTIMATE)**
+
+> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/384932) in GitLab 15.9 [with two flags](../../../administration/feature_flags.md) named `license_scanning_sbom_scanner` and `package_metadata_synchronization`. Both flags are disabled by default and both flags must be enabled for this feature to work.
+
+FLAG:
+On self-managed GitLab, this feature is not available.
+
+To detect the licenses in use, License Compliance relies on running the
+[Dependency Scanning CI Jobs](../../application_security/dependency_scanning/index.md),
+and analyzing the [CycloneDX](https://cyclonedx.org/) Software Bill of Materials (SBOM) generated by those jobs.
+Other 3rd party scanners may also be used as long as they produce a CycloneDX file with a list of dependencies for [one of our supported languages](#supported-languages-and-package-managers).
+This method of scanning is also capable of parsing and identifying over 500 different types of licenses
+and can extract license information from packages that are dual-licensed or have multiple different licenses that apply.
+
+To enable license detection using Dependency Scanning in a project,
+include the `Jobs/Dependency-Scanning.yml` template in its CI configuration,
+but do not include the `Jobs/License-Scanning.yml` template.
+
+## Requirements
+
+The license scanning requirements are the same as those for [Dependency Scanning](../../application_security/dependency_scanning/index.md#requirements).
+
+## Supported languages and package managers
+
+License scanning is supported for the following languages and package managers:
+
+<!-- markdownlint-disable MD044 -->
+<table class="supported-languages">
+ <thead>
+ <tr>
+ <th>Language</th>
+ <th>Package Manager</th>
+ </tr>
+ </thead>
+ <tbody>
+ <tr>
+ <td>.NET</td>
+ <td rowspan="2"><a href="https://www.nuget.org/">NuGet</a></td>
+ </tr>
+ <tr>
+ <td>C#</td>
+ </tr>
+ <tr>
+ <td>C</td>
+ <td rowspan="2"><a href="https://conan.io/">Conan</a></td>
+ </tr>
+ <tr>
+ <td>C++</td>
+ </tr>
+ <tr>
+ <td>Go</td>
+ <td><a href="https://go.dev/">Go</a></td>
+ </tr>
+ <tr>
+ <td rowspan="2">Java</td>
+ <td><a href="https://gradle.org/">Gradle</a></td>
+ </tr>
+ <tr>
+ <td><a href="https://maven.apache.org/">Maven</a></td>
+ </tr>
+ <tr>
+ <td rowspan="2">JavaScript and TypeScript</td>
+ <td><a href="https://www.npmjs.com/">npm</a></td>
+ </tr>
+ <tr>
+ <td><a href="https://classic.yarnpkg.com/en/">yarn</a></td>
+ </tr>
+ <tr>
+ <td>PHP</td>
+ <td><a href="https://getcomposer.org/">Composer</a></td>
+ </tr>
+ <tr>
+ <td rowspan="4">Python</td>
+ <td><a href="https://setuptools.readthedocs.io/en/latest/">setuptools</a></td>
+ </tr>
+ <tr>
+ <td><a href="https://pip.pypa.io/en/stable/">pip</a></td>
+ </tr>
+ <tr>
+ <td><a href="https://pipenv.pypa.io/en/latest/">Pipenv</a></td>
+ </tr>
+ <tr>
+ <td><a href="https://python-poetry.org/">Poetry</a></td>
+ </tr>
+ <tr>
+ <td>Ruby</td>
+ <td><a href="https://bundler.io/">Bundler</a></td>
+ </tr>
+ <tr>
+ <td>Scala</td>
+ <td><a href="https://www.scala-sbt.org/">sbt</a></td>
+ </tr>
+ </tbody>
+</table>
+<!-- markdownlint-disable MD044 -->
+
+The supported files and versions are the ones supported by
+[Dependency Scanning](../../application_security/dependency_scanning/index.md#supported-languages-and-package-managers).
+
+## Configuration
+
+To enable license scanning of CycloneDX files,
+you must configure [Dependency Scanning](../../application_security/dependency_scanning/index.md#configuration).
+
+## License expressions
+
+GitLab has limited support for [composite licenses](https://spdx.github.io/spdx-spec/v2-draft/SPDX-license-expressions/).
+License compliance can read multiple licenses, but always considers them combined using the `AND` operator. For example,
+if a dependency has two licenses, and one of them is allowed and the other is denied by the project [policy](../license_approval_policies.md),
+GitLab evaluates the composite license as _denied_, as this is the safer option.
+The ability to support other license expression operators (like `OR`, `WITH`) is tracked
+in [this epic](https://gitlab.com/groups/gitlab-org/-/epics/6571).
+
+## Blocking merge requests based on detected licenses
+
+Users can require approval for merge requests based on the licenses that are detected by configuring a [license approval policy](../license_approval_policies.md).
View Lorry Controller Status