From YouTube: GitLab License Scanning - OSS Review Toolkit
Description
In this video Mo Khan describes how to integrate ORT into the GitLab pipeline to produce a license scanning report.
* https://github.com/oss-review-toolkit/ort
* https://gitlab.com/gitlab-org/security-products/tests/java-maven/-/merge_requests/97
So, as you may or may not know, the license scanning job can be included by adding this particular template, Security/License-Scanning.gitlab-ci.yml, and what that does is it adds a job with the name license_scanning. Now, when the license scanning job runs, it does its best to detect your project type, install any packages that are related to package managers that might be used in your project, and then from there determine the software licenses associated with any dependencies that are in your project.
So today I want to show you how you can replace the default license scanning job with the OSS Review Toolkit, also known as ORT. So to get started, once you've got the default include in your project, you can override the license scanning job by redefining it. So here's an example: if you include the default template, License-Scanning.gitlab-ci.yml, you can override the template by specifying your own Docker image. So in this case, I'm pointing this to a Docker image which is built from the Dockerfile that's hosted right in the ORT project.
So once I've got that image, the next thing I can do is override the script block. Now this part's important, because the default script block that ships with the license scanning job won't work with ORT out of the box. But, as you can see, these two lines aren't that difficult to drop in. I'll just go over what they actually mean. So in the first line here, where we're saying ort analyze, what this is doing is it's instructing the ORT command line interface to analyze the current project directory.
So when the GitLab runner runs, it typically drops the source code into a project directory, something under /builds, and then exports an environment variable called CI_PROJECT_DIR. So here we're instructing ORT to go ahead and analyze this directory, as we're saying the input is this project directory and the output, you can place the results also in that directory. At the end of that step is an analyzer-result.yml.
So you can see on the second phase here we're actually including the analyzer-result.yml as the input, and the output is again the same project directory. The format of this report is the GitLab license model, so you can see that there's no additional plugins or extensions necessary to generate the GitLab license scanning report. The folks over at the ORT project were kind enough to include this right in the core project themselves, so this will actually generate a license scanning report that can be uploaded directly to GitLab.
So once that's in place and you've committed that to your project, you can actually see the product of that change in your merge request. So here's an example repo with the changes already applied, and you can see the most recent pipeline's already been completed. So if I jump into that pipeline, we can see the license scanning job. I'll just take a look at the job output, and at the very top...
If we start from the very top, you'll see that for the license scanning job, pardon me, it pulled the ORT image. After that was downloaded, it started to do the analysis step using ORT. You can see ORT's banner pop up, and then it exported the analysis report into a GitLab license scanning report, and at the very end here we upload the gl-license-scanning-report.json, and for the most part this is the integration into the website for being able to visualize this data.
So if we go to the pipeline view now, we'll be able to see that the Licenses tab is actually filled out, and this data is for the most part sourced from the report that was produced by ORT. So to rewind, in order to override the default license scanning job that GitLab provides today with ORT, it's just a few lines of additional code that needs to be added to your .gitlab-ci.yml file, and that's it, that's the integration.
So if you prefer to actually trim down that Dockerfile or repurpose it by only including dependencies that are related to your organization or project, you're welcome to build and host that container or image wherever you like, and you can use that in the scan report, and because of the built-in integration right into ORT itself, exporting a GitLab license model report is just as easy as -f GitLabLicenseModel, and that's all for today, thanks.
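The override walked through in the video, written out as a complete .gitlab-ci.yml fragment. This is an added example, not the configuration shown in the video or in the linked merge request. The job name license_scanning and the gl-license-scanning-report.json artifact come from GitLab's Security/License-Scanning.gitlab-ci.yml template; the ort analyze / ort report flags (-i, -o, -f GitLabLicenseModel) are the ones the video describes; the image reference is a placeholder for wherever you host an image built from the Dockerfile in the ORT repository.

```yaml
# Added example: replaces GitLab's default license scanning job with ORT.
include:
  - template: Security/License-Scanning.gitlab-ci.yml

license_scanning:
  # Assumption: placeholder for an image you built from ORT's Dockerfile and
  # pushed to a registry you control. Substitute your own reference.
  image: registry.example.com/oss-review-toolkit/ort:latest
  # The template's default script does not work with ORT, so replace it.
  script:
    # Step 1: analyze the checked-out project (CI_PROJECT_DIR, under /builds on
    # the runner) and write analyzer-result.yml into the same directory.
    - ort analyze -i "$CI_PROJECT_DIR" -o "$CI_PROJECT_DIR"
    # Step 2: turn the analyzer result into GitLab's license model. The
    # GitLabLicenseModel reporter is built into ORT and writes
    # gl-license-scanning-report.json into the output directory.
    - ort report -i "$CI_PROJECT_DIR/analyzer-result.yml" -o "$CI_PROJECT_DIR" -f GitLabLicenseModel
  # The template already declares this report artifact; it is restated here so
  # the upload that feeds the merge request Licenses tab is explicit.
  artifacts:
    reports:
      license_scanning: gl-license-scanning-report.json
```

Two practical points. First, ORT's analyzer resolves dependencies by running the project's own package manager, so the image must contain the toolchain for your project (Maven for the java-maven test project the video links to); an image trimmed down as the video suggests still needs that toolchain, or the report will be empty. Second, the only file GitLab consumes is gl-license-scanning-report.json, so if you change the output directory in either command, keep the artifact path in step with it.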