| Stage | Secure |
| Maturity | Viable |
| Content Last Reviewed | 2020-09-01 |
| Content Last Updated | 2020-09-01 |
Thanks for visiting this category direction page on License Compliance at GitLab. This page belongs to the Composition Analysis group of the Secure stage and is maintained by Nicole Schwartz.
We welcome feedback, bug reports, feature requests, and community contributions.
Not sure how to get started?
/label ~"devops::secure" ~"Category:License Compliance" ~"group::composition analysis".
Sharing your feedback directly on GitLab.com is the best way to contribute to our direction.
We believe everyone can contribute and so if you wish to contribute here is how to get started.
License Compliance analyses your application to track which licenses are used by third-party components, like libraries and external dependencies, and check that they are compatible with you policies.
Licenses can be incompatible with the chosen license model for the application, for example because of their redistribution rights.
Our goal is to provide License Compliance as part of the standard development process. This means that License Compliance is executed every time a new commit is pushed to a branch, identifying newly introduced licenses in the merge request. We also include License Compliance as part of Auto DevOps.
Licenses should also be included in a bill of materials (BOM), where all the components are listed with their licenses. See this issue for additional details.
Primary: Sasha (Software Developer) wants to know when adding a dependency if it has permitted licenses.
Other: Cameron (Compliance Manager), Delaney (Development Team Lead)
We will be researching current user challenges in this issue. Please feel free to comment!
To be determined when focus returns to this category. Currently License Compliance is being maintained but not actively pushed forward while the group concentrates on Dependency Scanning.
-License Compliance Epic Roadmap
To be determined when focus returns to this category.
Anything other than bug fixes and improvements for internal customers.
This category is currently at the Viable maturity level, and our next maturity target is not set (see our definitions of maturity levels
Currently we have very limited telemetry data, as a result we will be tracking number of times that our scans run.
In the future we hope that users will allow us to enhance our telemetry to be able to record information such as the number of findings that are dismissed vs. accepted. See our current metrics here, and other items being discussed in this issue.
Users have indicated they which to enforce license compliance policies as early as possible, in addition this contributes to the request that users have for producing a software bill of materials (SBoM).
GitLab was named a Niche Player in the 2020 Gartner Magic Quadrant for AST.
The License Compliance topic is often coupled with Dependency Scanning in Software Composition Analysis (SCA). This is what analysts evaluate, and how it is bundled in other products. As defined in our Solutions.
We should make sure that we can address the entire solution even if we consider these features as independent, and to leverage the single application nature of GitLab to provide a consistent experience in all of them.
We can get valuable feedback from analysts, and use it to drive our vision.
I base this on popularity, so please remember to comment AND upvote issues you would like to see.
If you don't see the customer success label on an issue yet, and you are a customer success team-member, feel free to add it!
If you don't see the customer label on an issue yet, feel free to add it if you are the first customer!
If you don't see the internal customer label on an issue yet, and you are a team-member, feel free to add it!
To be determined.
