Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
GitLab / Secure Stage / 17 Aug 2020
GitLab / Secure Stage / 17 Aug 2020
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: GitLab License Scanning - OSS Review Toolkit

Description

In this video Mo Khan describes how to integrate the ORT into the the GitLab pipeline to produce a license scanning report.

* https://github.com/oss-review-toolkit/ort
* https://gitlab.com/gitlab-org/security-products/tests/java-maven/-/merge_requests/97

A

Hello, my name is mo khan. I am an engineer on the composition, analysis team here at git lab and today I want to talk to you about the open source software review toolkit and how to use it to integrate into the license scanning job.

A

So, as you may or may not know, the license scanning job can be included by adding this particular template. The security slash licensescanning.gitlab.ci.yaml and what that does is. It adds a job with the name license scanning now, when the license scanning job runs, it does its best to detect your project type, uh install any packages that are related to package managers that might be used in your project and then from there determine the software licenses associated with any dependencies that are in your project.

A

So today I want to show you how you can replace the default license scanning job with the oss review, toolkit, or also known as ort, so to get started like once. You've got the default include in your project. You can override the license scanning job by redefining it. So here's an example: if you include the default template license scanning.gitlab.ci.yaml, you can override the template by specifying your own docker image. So in this case, I'm pointing this to a docker image which is built from the docker file. That's hosted right in the ort project.

A

So if we go back to the ort project, we can see in the code they provide a docker file, so we can actually use that docker file for generating a docker image that we can use for providing a scan from the ort project.

A

So once I've got that image, the next thing I can do is override the script block. Now this part's important, because the default script block that ships with the license scanning job won't work with rt out of the box. But, as you can see, these two lines aren't that difficult to drop in I'll just go over what they actually mean. So in the first line here where we're saying ort analyze, what this is doing is it's instructing the ort command line interface to analyze the current project directory.

A

So when the gitlab runner runs, it typically drops the source code into a project directory, something under slash, builds and then exports an environment variable called ci projector. So here we're instructing ort to go ahead and analyze this directory. As we're saying the input is this project directory in the output. You can place the results, also in that directory in that directory. At the end of that step is an analyze result.amol.

A

So you can see on the second phase here we're actually including the analyzer result.yaml as the input and the output is again the same project directory. The format of this report is the gitlab license model, so you can see that there's, no additional plugins or extensions necessary to generate get lab license scanning report. The folks over at the ort project were kind enough to include this right in the core project themselves, so this will actually generate a license scanning report that can be uploaded directly to gitlab.

A

So once that's in place um and you've committed that to your project, you can actually see it in the uh the product of that change in your merge request. So here's an example repo with the changes already applied and you can see in the most recent pipelines already be completed. So if I jump into that pipeline, we can see the license scanning job I'll, just take a look at the job output and at the very top.

A

If we start from the very top you'll see that for the license scanning job scanning job pardon me, it pulled the ort image after that was downloaded. It started to do the analysis step using ort. You can see ortiz banner pop up and then it exported the analysis report into a gitlab license scanning report and at the very end here we upload the gl license scanning report.json and for the most part, this is the integration into the website for being able to visualize this data.

A

So if we go to the pipeline view, now we'll be able to see that the licenses tab is actually filled out and this data is for the most part sourced from the report that was produced by ort so to rewind in order to override the default license scanning job today. That gitlab provides with ort it's just a few lines of code additional code that needs to be added to your gitlab ci yaml file, and that's it that's the integration.

A

So I hope that clarifies how to use ort to replace the default license scanning report, um and let me see oh there's one last thing. The interesting thing about this is that yuka you're free to host this docker image, wherever you like.

A

So if you prefer to actually trim down that docker file or repurpose it by only including dependencies that are related to your organization or project you're, welcome to build and host that container wherever or image wherever you like, and you can use that in the scan report and because of the built-in integration right into ort itself. Exporting a gitlab license. Model report is just as easy as dash f get lab license model, and that's all for today, thanks.