License scanning of CycloneDX files (ULTIMATE)
Introduced in GitLab 15.9 with two flags named `license_scanning_sbom_scanner` and `package_metadata_synchronization`. Both flags are disabled by default, and both must be enabled for this feature to work.
FLAG: On self-managed GitLab, this feature is not available.
To detect the licenses in use, License Compliance relies on running the Dependency Scanning CI jobs and analyzing the CycloneDX Software Bill of Materials (SBOM) those jobs generate. Other third-party scanners may also be used, as long as they produce a CycloneDX file that lists the dependencies for one of the supported languages. This method of scanning can parse and identify over 500 different license types, and can extract license information from packages that are dual-licensed or that have multiple licenses applying to them.
To enable license detection using Dependency Scanning in a project, include the `Jobs/Dependency-Scanning.yml` template in its CI configuration, but do not include the `Jobs/License-Scanning.yml` template.
Requirements
The license scanning requirements are the same as those for Dependency Scanning.
Supported languages and package managers
License scanning is supported for the following languages and package managers:
Language | Package Manager |
---|---|
.NET, C# | NuGet |
C, C++ | Conan |
Go | Go |
Java | Gradle, Maven |
JavaScript and TypeScript | npm, yarn |
PHP | Composer |
Python | setuptools, pip, Pipenv, Poetry |
Ruby | Bundler |
Scala | sbt |
The supported files and versions are the ones supported by Dependency Scanning.
Configuration
To enable license scanning of CycloneDX files, you must configure Dependency Scanning.
License expressions
GitLab has limited support for composite licenses. License Compliance can read multiple licenses on a dependency, but it always treats them as combined with the AND operator. For example, if a dependency has two licenses and one of them is allowed while the other is denied by the project policy, GitLab evaluates the composite license as denied, because that is the safer option. The same rule applies to packages offered under a choice of licenses: a dependency declared as `MIT OR GPL-3.0-only` is denied when `GPL-3.0-only` is denied, even though the MIT option alone would be acceptable.
Support for other license expression operators (like OR and WITH) is tracked in this epic.
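The following is an added example, not GitLab's scanner or policy code, that shows what the two passages above amount to in practice: it reads a CycloneDX JSON SBOM (a constructed sample embedded in the script, using the three license shapes the CycloneDX schema allows: an SPDX `id`, a free-text `name`, and an SPDX `expression`), flattens every license found on a component, and applies an allow/deny policy with the conservative AND semantics described above, so that a dependency with any denied license is denied. The policy dictionary, the function names, and the sample package names are assumptions for this example.

```python
"""Evaluate the licenses of a CycloneDX SBOM against an allow/deny policy.

Added example, not GitLab's own scanner code. The SBOM below is a constructed
sample; the policy dict and the function names are assumptions for this example.
It mirrors the documented behaviour: every license found on a component,
including the members of an OR expression, is combined with AND, so a component
is denied as soon as any of its licenses is denied.
"""
import json
import re

# Constructed CycloneDX 1.4 document with the three license shapes the schema
# allows: an SPDX id, a free-text name, and an SPDX expression.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"name": "left-pad", "version": "1.3.0", "purl": "pkg:npm/left-pad@1.3.0",
         "licenses": [{"license": {"id": "WTFPL"}}]},
        {"name": "requests", "version": "2.31.0", "purl": "pkg:pypi/requests@2.31.0",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"name": "dual-lib", "version": "0.1.0", "purl": "pkg:npm/dual-lib@0.1.0",
         "licenses": [{"expression": "MIT OR GPL-3.0-only"}]},
        {"name": "vendor-sdk", "version": "4.2.0", "purl": "pkg:npm/vendor-sdk@4.2.0",
         "licenses": [{"license": {"name": "Proprietary Vendor EULA"}}]},
        # No license data at all: must surface as "unknown", never as allowed.
        {"name": "unknown-lib", "version": "0.0.1", "purl": "pkg:npm/unknown-lib@0.0.1"},
    ],
})

# Example policy (assumption): explicit allow and deny lists; anything else is "unknown".
POLICY = {
    "allowed": {"MIT", "Apache-2.0", "BSD-3-Clause"},
    "denied": {"GPL-3.0-only", "WTFPL"},
}

# Splits an SPDX expression on AND / OR / WITH and parentheses. Dropping the
# operators is exactly the "treat everything as AND" simplification described.
_EXPR_SPLIT = re.compile(r"\s+(?:AND|OR|WITH)\s+|[()]")


def licenses_of(component):
    """Return the flat set of license identifiers declared on one component."""
    found = set()
    for entry in component.get("licenses", []):
        if "license" in entry:
            lic = entry["license"]
            ident = lic.get("id") or lic.get("name")
            if ident:
                found.add(ident)
        elif "expression" in entry:
            found.update(t for t in _EXPR_SPLIT.split(entry["expression"]) if t)
    return found


def classify(licenses, policy):
    """Conservative AND evaluation: any denied member denies the whole component."""
    if not licenses:
        return "unknown"
    if licenses & policy["denied"]:
        return "denied"
    if licenses <= policy["allowed"]:
        return "allowed"
    return "unknown"


def evaluate_sbom(sbom_json, policy):
    """Map purl -> (sorted licenses, verdict) for every component in a CycloneDX JSON SBOM."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    results = {}
    for comp in bom.get("components", []):
        key = comp.get("purl") or f"{comp['name']}@{comp.get('version', '?')}"
        lics = licenses_of(comp)
        results[key] = (sorted(lics), classify(lics, policy))
    return results


def denied_components(sbom_json, policy):
    """Components whose verdict is 'denied', i.e. the ones a policy would block on."""
    return sorted(k for k, (_, v) in evaluate_sbom(sbom_json, policy).items() if v == "denied")


if __name__ == "__main__":
    for purl, (lics, verdict) in evaluate_sbom(SAMPLE_SBOM, POLICY).items():
        print(f"{verdict:8} {purl:40} {', '.join(lics) or '(no license data)'}")
```

Running the script against the sample shows the consequence of the AND rule: `dual-lib`, declared as `MIT OR GPL-3.0-only`, is denied alongside the WTFPL-only `left-pad`, while the proprietary SDK and the component with no license data are reported as unknown rather than silently allowed. A component with no license data is worth treating as a finding in its own right, since it is usually a sign that the package metadata could not be resolved.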
Blocking merge requests based on detected licenses
Users can require approval for merge requests based on the licenses that are detected by configuring a license approval policy.