---
type: reference, howto
stage: Secure
group: Composition Analysis
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments
---
# License scanning of CycloneDX files **(ULTIMATE)**
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/384932) in GitLab 15.9 [with two flags](../../../administration/feature_flags.md) named `license_scanning_sbom_scanner` and `package_metadata_synchronization`. Both flags are disabled by default and both flags must be enabled for this feature to work.
FLAG:
On self-managed GitLab, this feature is not available.
To detect the licenses in use, License Compliance relies on running the
[Dependency Scanning CI Jobs](../../application_security/dependency_scanning/index.md),
and analyzing the [CycloneDX](https://cyclonedx.org/) Software Bill of Materials (SBOM) generated by those jobs.
Other third-party scanners may also be used, as long as they produce a CycloneDX file with a list of dependencies for [one of the supported languages](#supported-languages-and-package-managers).
This method of scanning is also capable of parsing and identifying over 500 different types of licenses
and can extract license information from packages that are dual-licensed or have multiple different licenses that apply.
To enable license detection using Dependency Scanning in a project,
include the `Jobs/Dependency-Scanning.yml` template in its CI configuration,
but do not include the `Jobs/License-Scanning.yml` template.
## Requirements
The license scanning requirements are the same as those for [Dependency Scanning](../../application_security/dependency_scanning/index.md#requirements).
## Supported languages and package managers
License scanning is supported for the following languages and package managers:
<!-- markdownlint-disable MD044 -->
<table class="supported-languages">
<thead>
<tr>
<th>Language</th>
<th>Package Manager</th>
</tr>
</thead>
<tbody>
<tr>
<td>.NET</td>
<td rowspan="2"><a href="https://www.nuget.org/">NuGet</a></td>
</tr>
<tr>
<td>C#</td>
</tr>
<tr>
<td>C</td>
<td rowspan="2"><a href="https://conan.io/">Conan</a></td>
</tr>
<tr>
<td>C++</td>
</tr>
<tr>
<td>Go</td>
<td><a href="https://go.dev/">Go</a></td>
</tr>
<tr>
<td rowspan="2">Java</td>
<td><a href="https://gradle.org/">Gradle</a></td>
</tr>
<tr>
<td><a href="https://maven.apache.org/">Maven</a></td>
</tr>
<tr>
<td rowspan="2">JavaScript and TypeScript</td>
<td><a href="https://www.npmjs.com/">npm</a></td>
</tr>
<tr>
<td><a href="https://classic.yarnpkg.com/en/">yarn</a></td>
</tr>
<tr>
<td>PHP</td>
<td><a href="https://getcomposer.org/">Composer</a></td>
</tr>
<tr>
<td rowspan="4">Python</td>
<td><a href="https://setuptools.readthedocs.io/en/latest/">setuptools</a></td>
</tr>
<tr>
<td><a href="https://pip.pypa.io/en/stable/">pip</a></td>
</tr>
<tr>
<td><a href="https://pipenv.pypa.io/en/latest/">Pipenv</a></td>
</tr>
<tr>
<td><a href="https://python-poetry.org/">Poetry</a></td>
</tr>
<tr>
<td>Ruby</td>
<td><a href="https://bundler.io/">Bundler</a></td>
</tr>
<tr>
<td>Scala</td>
<td><a href="https://www.scala-sbt.org/">sbt</a></td>
</tr>
</tbody>
</table>
<!-- markdownlint-enable MD044 -->
The supported files and versions are the ones supported by
[Dependency Scanning](../../application_security/dependency_scanning/index.md#supported-languages-and-package-managers).
## Configuration
To enable license scanning of CycloneDX files,
you must configure [Dependency Scanning](../../application_security/dependency_scanning/index.md#configuration).
## License expressions
GitLab has limited support for [composite licenses](https://spdx.github.io/spdx-spec/v2-draft/SPDX-license-expressions/).
License compliance can read multiple licenses, but always considers them combined using the `AND` operator. For example,
if a dependency has two licenses, and one of them is allowed and the other is denied by the project [policy](../license_approval_policies.md),
GitLab evaluates the composite license as _denied_, as this is the safer option.
The ability to support other license expression operators (like `OR`, `WITH`) is tracked
in [this epic](https://gitlab.com/groups/gitlab-org/-/epics/6571).
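The following is an added example, not GitLab's own code, that models the documented behaviour: every license attached to a CycloneDX component is read, and the set is judged as if joined by `AND`, so a single denied license makes the whole component denied. The SBOM fragment, the policy lists and the `unknown` verdict for licenses that appear on neither list are constructed assumptions for illustration; how GitLab itself treats unlisted licenses is not stated on this page.

```python
import json
import re

# Constructed CycloneDX 1.4 SBOM fragment (not produced by any real scanner).
# It covers the license shapes a scanner may emit: a single SPDX id, two
# separate license entries (dual-licensed), an SPDX expression, and none.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"name": "left-pad", "version": "1.3.0",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"name": "dual-lib", "version": "2.0.1",
         "licenses": [{"license": {"id": "Apache-2.0"}},
                      {"license": {"id": "GPL-3.0-only"}}]},
        {"name": "expr-lib", "version": "0.9.0",
         "licenses": [{"expression": "MIT OR LGPL-2.1-only"}]},
        {"name": "no-license-lib", "version": "1.0.0"},
    ],
})

# Hypothetical project policy: SPDX identifiers that are allowed or denied.
POLICY = {
    "allowed": {"MIT", "Apache-2.0", "BSD-3-Clause"},
    "denied": {"GPL-3.0-only", "LGPL-2.1-only"},
}

# Splits an SPDX expression on AND / OR and parentheses. "WITH" is left
# attached so an exception stays with the license it modifies.
_EXPR_SPLIT = re.compile(r"\s+(?:AND|OR)\s+|[()]")


def component_licenses(component):
    """Return every license identifier attached to a CycloneDX component.

    Handles the shapes allowed by the CycloneDX schema: `license.id` (SPDX
    id), `license.name` (free text) and `expression`. Following the
    behaviour described on the page, an expression is flattened into its
    member identifiers so they can all be combined with AND.
    """
    found = []
    for entry in component.get("licenses", []):
        if "expression" in entry:
            for part in _EXPR_SPLIT.split(entry["expression"]):
                part = part.strip()
                if part:
                    found.append(part)
        elif "license" in entry:
            lic = entry["license"]
            ident = lic.get("id") or lic.get("name")
            if ident:
                found.append(ident)
    return found


def evaluate(component, policy):
    """Classify one component as 'denied', 'allowed' or 'unknown'.

    All detected licenses are considered jointly (AND semantics): one denied
    license denies the component regardless of any allowed ones. A component
    is 'allowed' only when every license is on the allow list; anything else,
    including a component with no license data, is 'unknown' (an assumption
    made for this example).
    """
    licenses = component_licenses(component)
    if not licenses:
        return "unknown", licenses
    if any(lic in policy["denied"] for lic in licenses):
        return "denied", licenses
    if all(lic in policy["allowed"] for lic in licenses):
        return "allowed", licenses
    return "unknown", licenses


def scan(sbom_json, policy):
    """Evaluate every component in a CycloneDX JSON document against a policy."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    results = {}
    for comp in bom.get("components", []):
        key = f"{comp['name']}@{comp.get('version', '')}"
        results[key] = evaluate(comp, policy)
    return results


def denied_components(sbom_json, policy):
    """Sorted keys of the components that the policy would block."""
    return sorted(key for key, (verdict, _) in scan(sbom_json, policy).items()
                  if verdict == "denied")


if __name__ == "__main__":
    for key, (verdict, lics) in scan(SAMPLE_SBOM, POLICY).items():
        print(f"{key:22} {verdict:8} {', '.join(lics) or '-'}")
```

Note that `expr-lib` is denied even though `MIT OR LGPL-2.1-only` would satisfy the policy under real `OR` semantics; that is exactly the conservative outcome the page describes, and the reason to watch the linked epic if dual-licensed dependencies are common in a project.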
## Blocking merge requests based on detected licenses
Users can require approval for merge requests based on the licenses that are detected by configuring a [license approval policy](../license_approval_policies.md).