The following page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features or functionality remain at the sole discretion of GitLab Inc.
| Stage | Secure |
| Maturity | Minimal |
| Content Last Reviewed | 2021-08-30 |
| Content Last Updated | 2021-08-30 |
Thanks for visiting this category direction page on License Compliance at GitLab. This page belongs to the Composition Analysis group of the Secure stage and is maintained by Nicole Schwartz.
Please be aware that License Compliance is Minimal maturity and has been maintenance mode since FY21Q2 (April 2020). Due to this, there has been no dedicated investment in feature maturity and it will remain in maintenance mode until FY23Q1 (February 2022).
The Composition Analysis Group's primary focus is GitLab-hosted First putting reliability, scalability, and security first. This will be our primary focus until FY22Q4 (November 2021).
We welcome feedback, bug reports, feature requests, and community contributions.
Not sure how to get started?
/label ~"devops::secure" ~"Category:License Compliance" ~"group::composition analysis" ~feature.
Sharing your feedback directly on GitLab.com is the best way to contribute to our direction.
We believe everyone can contribute and so if you wish to contribute here is how to get started.
License Compliance analyzes your application to track which licenses are used by third-party components, like libraries and external dependencies, and check that they are compatible with your policies.
License Compliance is often considered an element of Software Composition Analysis, Software Bill of Materials (SBOM), and compliance activities.
GitLab was recently named as a Challenger in the 2021 Magic Quadrant for Application Security Testing.
Licenses can be incompatible with the chosen license model for the application, for example because of their redistribution rights.
Our goal is to provide License Compliance as part of the standard development process. This means that License Compliance is executed every time a new commit is pushed to a branch, identifying newly introduced licenses in the merge request. We also include License Compliance as part of Auto DevOps.
Primary: Sasha (Software Developer) wants to know when adding a dependency if it has permitted licenses.
Other: Cameron (Compliance Manager), Delaney (Development Team Lead)
We will be researching current user challenges in this issue. Please feel free to comment!
When License Compliance is resourced, we will be focusing on progressing the maturity of the category from minimal to viable. Currently, based on discussions with users, the focus for each progression is detailed below in "What's Next & Why".
We expect users to be able to clearly specify what licenses are permissible for which internal projects, and for developers to be promptly aware when they add a license that is against policy and who they can talk to about it.
Users tasked with verification of compliance will be easily able to review what licenses are utilized through the projects, which deviate from policy, and who approved the exception.
-License Compliance Epic Roadmap
When Composition Analysis focus returns to this category we expect to evaluate the replacement of License Finder.
Following that, we will focus on progressing the maturity of the category.
software dependency or software dependency + version at a project, group, sub-group or workspace levelAnything other than bug fixes and improvements for internal customers.
This category is currently at the Viable maturity level, and our next maturity target is not set (see our definitions of maturity levels
Currently we have very limited product analytics data, as a result we are only tracking number of times that our scans run.
Users have indicated they wish to enforce license compliance policies as early as possible. This contributes to the need that users have for producing a software bill of materials (SBoM).
GitLab was recently named as a Challenger in the 2021 Magic Quadrant for Application Security Testing.
The License Compliance topic is often coupled with Dependency Scanning in Software Composition Analysis (SCA). This is what analysts evaluate, and how it is bundled in other products. As defined in our Solutions.
We should make sure that we can address the entire solution even if we consider these features as independent, and to leverage the single application nature of GitLab to provide a consistent experience in all of them.
We can get valuable feedback from analysts, and use it to drive our vision.
I base this on popularity, so please remember to comment AND upvote issues you would like to see.
If you don't see the customer success label on an issue yet, and you are a customer success team-member, feel free to add it!
If you don't see the customer label on an issue yet, feel free to add it if you are the first customer!
If you don't see the internal customer label on an issue yet, and you are a team-member, feel free to add it!
To be determined.
