License scanning of CycloneDX files
DETAILS: Tier: Ultimate Offering: SaaS, self-managed
The legacy License Compliance analyzer was deprecated in GitLab 15.9 and removed in GitLab 16.3.
To continue using GitLab for License Compliance, remove the License Compliance template from your
CI/CD pipeline and add the Dependency Scanning template.
The Dependency Scanning template is now capable of gathering the required license information so it
is no longer necessary to run a separate License Compliance job. The License Compliance CI/CD
template should not be removed prior to verifying that the instance has been upgraded to a version
that supports the new method of license scanning. To begin using the Dependency Scanner quickly at
scale, you may set up a scan execution policy
at the group level to enforce the SBOM-based license scan for all projects in the group.
Then, you may remove the inclusion of the
Jobs/License-Scanning.gitlab-ci.yml template from your
CI/CD configuration. If you wish to continue using the legacy License Compliance feature, you can do
so by setting the
LICENSE_MANAGEMENT_VERSION CI variable to
4. This variable can be set at the
or instance level.
To detect the licenses in use, License Compliance relies on running the Dependency Scanning CI Jobs, and analyzing the CycloneDX Software Bill of Materials (SBOM) generated by those jobs. This method of scanning is capable of parsing and identifying over 500 different types of licenses, as defined in the SPDX list. Third-party scanners may be used to generate the list of dependencies, as long as they produce a CycloneDX report artifact for one of our supported languages and follow the GitLab CycloneDX property taxonomy. Note that it is not yet possible to use a CI report artifact as a source of data for license information, and licenses that are not in the SPDX list are reported as "Unknown". The ability to provide other licenses is tracked in epic 10861.
NOTE: The License Scanning feature relies on publicly available package metadata collected in an external database and synced with the GitLab instance automatically. This database is a multi-region Google Cloud Storage bucket hosted in the United States. The scan is executed exclusively within the GitLab instance. No contextual information (for example, a list of project dependencies) is sent to the external service.
To enable License scanning of CycloneDX files:
- Enable Dependency Scanning and ensure that its prerequisites are met.
- On GitLab self-managed only, you can choose package registry metadata to synchronize in the Admin Area for the GitLab instance. For this data synchronization to work, you must allow outbound network traffic from your GitLab instance to the domain
storage.googleapis.com. If you have limited or no network connectivity then refer to the documentation section running in an offline environment for further guidance.
Supported languages and package managers
License scanning is supported for the following languages and package managers:
The supported files and versions are the ones supported by Dependency Scanning.
Blocking merge requests based on detected licenses
Users can require approval for merge requests based on the licenses that are detected by configuring a license approval policy.
Running in an offline environment
For self-managed GitLab instances in an environment with limited, restricted, or intermittent access to external resources through the internet, some adjustments are required to successfully scan CycloneDX reports for licenses. For more information, see the offline quick start guide.
A CycloneDX file is not being scanned and appears to provide no results
Ensure that the CycloneDX file adheres to the CycloneDX JSON specification. This specification does not permit duplicate entries. Projects that contain multiple SBOM files should either report each SBOM file up as individual CI report artifacts or they should ensure that duplicates are removed if the SBOMs are merged as part of the CI pipeline.
You can validate CycloneDX SBOM files against the
CycloneDX JSON specification as follows:
$ docker run -it --rm -v "$PWD:/my-cyclonedx-sboms" -w /my-cyclonedx-sboms cyclonedx/cyclonedx-cli:latest cyclonedx validate --input-version v1_4 --input-file gl-sbom-all.cdx.json
Validating JSON BOM...
BOM validated successfully.
If the JSON BOM fails validation, for example, because there are duplicate components:
Validation failed: Found duplicates at the following index pairs: "(A, B), (C, D)"
This issue can be fixed by updating the CI template to use jq to remove the duplicate components from the
gl-sbom-*.cdx.json report by overriding the job definition that produces the duplicate components. For example, the following removes duplicate components from the
gl-sbom-gem-bundler.cdx.json report file produced by the
- template: Jobs/Dependency-Scanning.gitlab-ci.yml
- apk update && apk add jq
- jq '.components |= unique' gl-sbom-gem-bundler.cdx.json > tmp.json && mv tmp.json gl-sbom-gem-bundler.cdx.json
Remove unused license data
License scanning changes (released in GitLab 15.9) required a significant amount of additional disk space to be available on the instances. This issue was resolved in GitLab 16.3 by the Reduce package metadata table on-disk footprint epic. But if your instance was running license scanning between GitLab 15.9 and 16.3, you may want to remove the unneeded data.
To remove the unneeded data:
Feature.enabled?(:package_metadata_synchronization) && Feature.disable(:package_metadata_synchronization)
Check if there is deprecated data in the database:
If there is deprecated data in the database, remove it by running the following commands in order:
ActiveRecord::Base.connection.execute('SET statement_timeout TO 0') PackageMetadata::PackageVersionLicense.delete_all PackageMetadata::PackageVersion.delete_all