Diffstat (limited to 'doc/user/compliance/license_scanning_of_cyclonedx_files/index.md')
-rw-r--r-- | doc/user/compliance/license_scanning_of_cyclonedx_files/index.md | 123 |
1 files changed, 123 insertions, 0 deletions
diff --git a/doc/user/compliance/license_scanning_of_cyclonedx_files/index.md b/doc/user/compliance/license_scanning_of_cyclonedx_files/index.md new file mode 100644 index 00000000000..483c15d648c --- /dev/null +++ b/doc/user/compliance/license_scanning_of_cyclonedx_files/index.md 
@@ -0,0 +1,123 @@ +--- +type: reference, howto +stage: Secure +group: Composition Analysis +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments +--- + +# License scanning of CycloneDX files **(ULTIMATE)** + +> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/384932) in GitLab 15.9 [with two flags](../../../administration/feature_flags.md) named `license_scanning_sbom_scanner` and `package_metadata_synchronization`. Both flags are disabled by default and both flags must be enabled for this feature to work. + +FLAG: +On self-managed GitLab, this feature is not available. + +To detect the licenses in use, License Compliance relies on running the +[Dependency Scanning CI Jobs](../../application_security/dependency_scanning/index.md), +and analyzing the [CycloneDX](https://cyclonedx.org/) Software Bill of Materials (SBOM) generated by those jobs. +Other 3rd party scanners may also be used as long as they produce a CycloneDX file with a list of dependencies for [one of our supported languages](#supported-languages-and-package-managers). +This method of scanning is also capable of parsing and identifying over 500 different types of licenses +and can extract license information from packages that are dual-licensed or have multiple different licenses that apply. + +To enable license detection using Dependency Scanning in a project, +include the `Jobs/Dependency-Scanning.yml` template in its CI configuration, +but do not include the `Jobs/License-Scanning.yml` template. + +## Requirements + +The license scanning requirements are the same as those for [Dependency Scanning](../../application_security/dependency_scanning/index.md#requirements). 
+ +## Supported languages and package managers + +License scanning is supported for the following languages and package managers: + +<!-- markdownlint-disable MD044 --> +<table class="supported-languages"> + <thead> + <tr> + <th>Language</th> + <th>Package Manager</th> + </tr> + </thead> + <tbody> + <tr> + <td>.NET</td> + <td rowspan="2"><a href="https://www.nuget.org/">NuGet</a></td> + </tr> + <tr> + <td>C#</td> + </tr> + <tr> + <td>C</td> + <td rowspan="2"><a href="https://conan.io/">Conan</a></td> + </tr> + <tr> + <td>C++</td> + </tr> + <tr> + <td>Go</td> + <td><a href="https://go.dev/">Go</a></td> + </tr> + <tr> + <td rowspan="2">Java</td> + <td><a href="https://gradle.org/">Gradle</a></td> + </tr> + <tr> + <td><a href="https://maven.apache.org/">Maven</a></td> + </tr> + <tr> + <td rowspan="2">JavaScript and TypeScript</td> + <td><a href="https://www.npmjs.com/">npm</a></td> + </tr> + <tr> + <td><a href="https://classic.yarnpkg.com/en/">yarn</a></td> + </tr> + <tr> + <td>PHP</td> + <td><a href="https://getcomposer.org/">Composer</a></td> + </tr> + <tr> + <td rowspan="4">Python</td> + <td><a href="https://setuptools.readthedocs.io/en/latest/">setuptools</a></td> + </tr> + <tr> + <td><a href="https://pip.pypa.io/en/stable/">pip</a></td> + </tr> + <tr> + <td><a href="https://pipenv.pypa.io/en/latest/">Pipenv</a></td> + </tr> + <tr> + <td><a href="https://python-poetry.org/">Poetry</a></td> + </tr> + <tr> + <td>Ruby</td> + <td><a href="https://bundler.io/">Bundler</a></td> + </tr> + <tr> + <td>Scala</td> + <td><a href="https://www.scala-sbt.org/">sbt</a></td> + </tr> + </tbody> +</table> +<!-- markdownlint-disable MD044 --> + +The supported files and versions are the ones supported by +[Dependency Scanning](../../application_security/dependency_scanning/index.md#supported-languages-and-package-managers). 
+ +## Configuration + +To enable license scanning of CycloneDX files, +you must configure [Dependency Scanning](../../application_security/dependency_scanning/index.md#configuration). + +## License expressions + +GitLab has limited support for [composite licenses](https://spdx.github.io/spdx-spec/v2-draft/SPDX-license-expressions/). +License compliance can read multiple licenses, but always considers them combined using the `AND` operator. For example, +if a dependency has two licenses, and one of them is allowed and the other is denied by the project [policy](../license_approval_policies.md), +GitLab evaluates the composite license as _denied_, as this is the safer option. +The ability to support other license expression operators (like `OR`, `WITH`) is tracked +in [this epic](https://gitlab.com/groups/gitlab-org/-/epics/6571). + +## Blocking merge requests based on detected licenses + +Users can require approval for merge requests based on the licenses that are detected by configuring a [license approval policy](../license_approval_policies.md). |
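Review bot: the comment that closes the supported-languages table repeats `<!-- markdownlint-disable MD044 -->` instead of `<!-- markdownlint-enable MD044 -->`, so the MD044 (proper names) check stays switched off for everything after the table rather than only for the HTML block it was meant to cover; change the second comment to `markdownlint-enable`. Two smaller points in the same hunk: the FLAG note says "On self-managed GitLab, this feature is not available." while the introduction above it says the feature ships behind `license_scanning_sbom_scanner` and `package_metadata_synchronization` and "both flags must be enabled for this feature to work", which reads as contradictory; the FLAG note should either say how an administrator enables the flags or explain why the flags cannot be enabled on self-managed instances, and it says nothing about GitLab.com availability. Finally, "Other 3rd party scanners" should read "Other third-party scanners", and "one of our supported languages" would be better as "one of the supported languages" to match the rest of the page's impersonal voice.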