
Category Direction - License Compliance

Secure & Defend

Stage Secure
Maturity Viable
Content Last Reviewed 2020-09-01
Content Last Updated 2020-09-01

Introduction and how you can help

Thanks for visiting this category direction page on License Compliance at GitLab. This page belongs to the Composition Analysis group of the Secure stage and is maintained by Nicole Schwartz.

Send Us Feedback

We welcome feedback, bug reports, feature requests, and community contributions.

Not sure how to get started?

Sharing your feedback directly on GitLab.com is the best way to contribute to our direction.

We believe everyone can contribute and so if you wish to contribute here is how to get started.

Overview

License Compliance analyses your application to track which licenses are used by third-party components, such as libraries and external dependencies, and checks that they are compatible with your policies.

Licenses can be incompatible with the chosen license model for the application, for example because of their redistribution rights.

Our goal is to provide License Compliance as part of the standard development process. This means that License Compliance is executed every time a new commit is pushed to a branch, identifying newly introduced licenses in the merge request. We also include License Compliance as part of Auto DevOps.

Licenses should also be included in a bill of materials (BOM), where all the components are listed with their licenses. See this issue for additional details.
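The following is an added example, not GitLab's own License Compliance analyzer: it sketches the check the two paragraphs above describe, namely comparing the dependency list of a merge request branch against the target branch, reporting only licenses that the merge request newly introduces, classifying them against an allow/deny policy, and emitting a simple bill of materials. The dependency records, the SPDX identifiers and the policy format are constructed for this example and are not a GitLab file format.

```python
"""Illustrative license policy check (added example, not GitLab code).

The dependency lists and the policy below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Dependency:
    """One third-party component as it would appear in a dependency list."""
    name: str
    version: str
    license: str  # SPDX identifier, e.g. "MIT"


# Hypothetical policy: explicit allow and deny lists keyed by SPDX identifier.
# A license in neither list is flagged for review instead of silently passing.
POLICY = {
    "allowed": {"MIT", "Apache-2.0", "BSD-3-Clause", "ISC"},
    "denied": {"GPL-3.0-only", "AGPL-3.0-only"},
}

# Constructed sample data: the dependency list on the target branch and the
# list on the merge request branch after a developer bumped one package and
# added two new ones.
TARGET_BRANCH = [
    Dependency("requests", "2.24.0", "Apache-2.0"),
    Dependency("six", "1.15.0", "MIT"),
    Dependency("pyyaml", "5.3.1", "MIT"),
]
MR_BRANCH = [
    Dependency("requests", "2.24.0", "Apache-2.0"),
    Dependency("six", "1.16.0", "MIT"),                  # version bump, same license
    Dependency("pyyaml", "5.3.1", "MIT"),
    Dependency("some-gpl-lib", "1.0.0", "GPL-3.0-only"),  # newly added, denied
    Dependency("odd-lib", "0.4.2", "EUPL-1.2"),           # newly added, not in policy
]


def classify(license_id, policy):
    """Return "denied", "allowed" or "unclassified" for one SPDX identifier."""
    if license_id in policy["denied"]:
        return "denied"
    if license_id in policy["allowed"]:
        return "allowed"
    return "unclassified"


def new_dependencies(base, head):
    """Dependencies present on the head branch but not on the base branch.

    A version bump counts as a new dependency record, so it is re-checked
    against the policy even though its license may not be new.
    """
    known = set(base)
    return [dep for dep in head if dep not in known]


def evaluate_merge_request(base, head, policy):
    """Check a merge request the way the page describes: only what it introduces."""
    added = new_dependencies(base, head)
    base_licenses = {dep.license for dep in base}
    # Licenses the merge request brings in that the target branch did not have.
    new_licenses = sorted({dep.license for dep in added} - base_licenses)
    violations = [
        (dep.name, dep.version, dep.license)
        for dep in added
        if classify(dep.license, policy) == "denied"
    ]
    needs_review = [
        (dep.name, dep.version, dep.license)
        for dep in added
        if classify(dep.license, policy) == "unclassified"
    ]
    return {
        "new_licenses": new_licenses,
        "violations": violations,
        "needs_review": needs_review,
        "passed": not violations,
    }


def bill_of_materials(deps):
    """A minimal BOM: every component with its version and license, by name."""
    return [
        {"name": d.name, "version": d.version, "license": d.license}
        for d in sorted(deps, key=lambda d: d.name)
    ]


if __name__ == "__main__":
    result = evaluate_merge_request(TARGET_BRANCH, MR_BRANCH, POLICY)
    print("newly introduced licenses:", result["new_licenses"])
    print("policy violations:", result["violations"])
    print("needs review:", result["needs_review"])
    print("merge request passes policy:", result["passed"])
    for entry in bill_of_materials(MR_BRANCH):
        print(entry)
```

Run as a script it reports the GPL dependency as a violation and the EUPL dependency as unclassified, while the bumped MIT package produces no new-license finding because MIT was already present on the target branch. In a pipeline this evaluation would run on every push and the result would be surfaced in the merge request, which is the workflow the overview describes.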

Target Audience

Primary: Sasha (Software Developer) wants to know when adding a dependency if it has permitted licenses.

Other: Cameron (Compliance Manager), Delaney (Development Team Lead)

Challenges to address

We will be researching current user challenges in this issue. Please feel free to comment!

Key features

Strategy

See Secure 3 Year Strategy

Where we are Headed

To be determined when focus returns to this category. Currently License Compliance is being maintained but not actively pushed forward while the group concentrates on Dependency Scanning.

Roadmap

- License Compliance Epic Roadmap

What's Next & Why

To be determined when focus returns to this category.

What is Not Planned Right Now

Anything other than bug fixes and improvements for internal customers.

Maturity Plan

This category is currently at the Viable maturity level, and our next maturity target is not set (see our definitions of maturity levels).

User success metrics

Currently we have very limited telemetry data; as a result, we will be tracking the number of times that our scans run.

In the future we hope that users will allow us to enhance our telemetry to be able to record information such as the number of findings that are dismissed vs. accepted. See our current metrics here, and other items being discussed in this issue.

Why is this important?

Users have indicated that they wish to enforce license compliance policies as early as possible. In addition, this contributes to the request from users for producing a software bill of materials (SBoM).

Competitive Landscape

Analyst Landscape

GitLab was named a Niche Player in the 2020 Gartner Magic Quadrant for AST.

The License Compliance topic is often coupled with Dependency Scanning in Software Composition Analysis (SCA). This is what analysts evaluate, how it is bundled in other products, and how it is defined in our Solutions.

We should make sure that we can address the entire solution even if we consider these features as independent, and to leverage the single application nature of GitLab to provide a consistent experience in all of them.

We can get valuable feedback from analysts, and use it to drive our vision.

Top Issue(s)

I base this on popularity, so please remember to comment AND upvote issues you would like to see.

Customer Success/Sales

Full list

If you don't see the customer success label on an issue yet, and you are a customer success team-member, feel free to add it!

User

Full list

If you don't see the customer label on an issue yet, feel free to add it if you are the first customer!

Internal customer

Full list

If you don't see the internal customer label on an issue yet, and you are a team-member, feel free to add it!

Top Strategy Item(s)

To be determined.

Git is a trademark of Software Freedom Conservancy and our use of 'GitLab' is under license