
Category Direction - License Compliance

Section: Sec
Stage: Secure
Maturity: Minimal
Content Last Reviewed: 2021-08-30
Content Last Updated: 2021-08-30

Introduction and how you can help

Thanks for visiting this category direction page on License Compliance at GitLab. This page belongs to the Composition Analysis group of the Secure stage and is maintained by Nicole Schwartz.

Please be aware that License Compliance is at Minimal maturity and has been in maintenance mode since FY21Q2 (April 2020). Due to this, there has been no dedicated investment in feature maturity, and it will remain in maintenance mode until FY23Q1 (February 2022).

The Composition Analysis Group's primary focus is GitLab-hosted First, putting reliability, scalability, and security first. This will remain our primary focus until FY22Q4 (November 2021).

Send Us Feedback

We welcome feedback, bug reports, feature requests, and community contributions.

Not sure how to get started?

Sharing your feedback directly on GitLab.com is the best way to contribute to our direction.

We believe everyone can contribute, so if you wish to contribute, here is how to get started.

Overview

License Compliance analyzes your application to track which licenses are used by third-party components, like libraries and external dependencies, and check that they are compatible with your policies.

License Compliance is often considered an element of Software Composition Analysis, Software Bill of Materials (SBOM), and compliance activities.


Licenses can be incompatible with the chosen license model for the application, for example because of their redistribution rights.

Our goal is to provide License Compliance as part of the standard development process. This means that License Compliance is executed every time a new commit is pushed to a branch, identifying newly introduced licenses in the merge request. We also include License Compliance as part of Auto DevOps.
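As an added illustration (not GitLab's License Compliance or License Finder code), here is a minimal version of the per-merge-request check described above: it diffs the dependency licences resolved on the target branch against those on the merge request branch and applies an allow/deny policy to whatever is newly introduced. The Dependency class, the policy dictionary format and the sample dependency lists are all constructed assumptions, not GitLab's own format.

```python
"""Constructed example of a merge-request licence policy check (not GitLab code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Dependency:
    name: str
    version: str
    license: str  # SPDX identifier, as a scanner would report it (assumed)


# Constructed policy: licences the project explicitly allows or denies.
POLICY = {
    "allowed": {"MIT", "Apache-2.0", "BSD-3-Clause"},
    "denied": {"GPL-3.0-only", "AGPL-3.0-only"},
}


def newly_introduced_licenses(base, head):
    """Licences present on the MR branch that the target branch does not use yet."""
    return {d.license for d in head} - {d.license for d in base}


def classify(license_id, policy):
    """Policy verdict for one licence; unknown licences need a human decision."""
    if license_id in policy["denied"]:
        return "denied"
    if license_id in policy["allowed"]:
        return "allowed"
    return "unclassified"


def evaluate_merge_request(base, head, policy=POLICY):
    """Map each newly introduced licence to its verdict and the dependencies carrying it."""
    report = {}
    for lic in sorted(newly_introduced_licenses(base, head)):
        deps = sorted(f"{d.name}@{d.version}" for d in head if d.license == lic)
        report[lic] = {"verdict": classify(lic, policy), "dependencies": deps}
    return report


def should_block(report):
    """A merge request is blocked only when a denied licence is newly introduced."""
    return any(v["verdict"] == "denied" for v in report.values())


# Constructed sample: target branch, then the MR branch after adding two packages.
BASE = [Dependency("requests", "2.26.0", "Apache-2.0"), Dependency("six", "1.16.0", "MIT")]
HEAD = BASE + [Dependency("readline-tool", "1.0.0", "GPL-3.0-only"),
               Dependency("fancy-parser", "0.3.1", "MPL-2.0")]

if __name__ == "__main__":
    result = evaluate_merge_request(BASE, HEAD)
    for lic, v in result.items():
        print(f"{lic}: {v['verdict']} ({', '.join(v['dependencies'])})")
    raise SystemExit(1 if should_block(result) else 0)
```

Run as a job step, a non-zero exit status is what would fail the pipeline for the denied licence, while the unclassified MPL-2.0 entry is surfaced for a compliance decision without blocking.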

Target Audience

Primary: Sasha (Software Developer) wants to know when adding a dependency if it has permitted licenses.

Other: Cameron (Compliance Manager), Delaney (Development Team Lead)

Challenges to address

We will be researching current user challenges in this issue. Please feel free to comment!

Key features

Strategy

See Secure 3 Year Strategy

Where we are Headed

When License Compliance is resourced, we will be focusing on progressing the maturity of the category from minimal to viable. Currently, based on discussions with users, the focus for each progression is detailed below in "What's Next & Why".

We expect users to be able to clearly specify which licenses are permissible for which internal projects, and developers to be promptly aware when they add a license that is against policy and whom they can talk to about it.

Users tasked with verifying compliance will be able to easily review which licenses are used across projects, which deviate from policy, and who approved the exception.

Roadmap

- License Compliance Epic Roadmap

What's Next & Why

When Composition Analysis focus returns to this category we expect to evaluate the replacement of License Finder.

Following that, we will focus on progressing the maturity of the category.

Viable
Complete
Loveable

What is Not Planned Right Now

Anything other than bug fixes and improvements for internal customers.

Maturity Plan

This category is currently at the Viable maturity level, and our next maturity target is not set (see our definitions of maturity levels).

User success metrics

Currently we have very limited product analytics data; as a result, we are only tracking the number of times that our scans run.

Why is this important?

Users have indicated they wish to enforce license compliance policies as early as possible. This contributes to the need that users have for producing a software bill of materials (SBoM).

Competitive Landscape

Analyst Landscape

GitLab was recently named as a Challenger in the 2021 Magic Quadrant for Application Security Testing.

The License Compliance topic is often coupled with Dependency Scanning in Software Composition Analysis (SCA). This is what analysts evaluate and how it is bundled in other products, as defined in our Solutions.

We should make sure that we can address the entire solution even if we consider these features independent, and leverage the single-application nature of GitLab to provide a consistent experience across all of them.

We can get valuable feedback from analysts, and use it to drive our vision.

Top Issue(s)

I base this on popularity, so please remember to comment AND upvote issues you would like to see.

Customer Success/Sales

Full list

If you don't see the customer success label on an issue yet, and you are a customer success team-member, feel free to add it!

User

Full list

If you don't see the customer label on an issue yet, feel free to add it if you are the first customer!

Internal customer

Full list

If you don't see the internal customer label on an issue yet, and you are a team-member, feel free to add it!

Top Strategy Item(s)

To be determined.

Git is a trademark of Software Freedom Conservancy and our use of 'GitLab' is under license