GitLab License Management and Java 11

If built-in License Management functionality does not support the programming language requirements you have, you can customize the License Management docker image.

This guide shows you how to use License Management with OpenJDK 11 or later.

What is License Management?

License Management helps you find what licenses your project uses in its dependencies and decide for each of then whether to allow it or forbid it.

How get License Management reports generated?

According to the GitLab documentation you can take advantage of License Management by adding a license_management job to your .gitlab-ci.yml file.


Please note license_management will append a licenseFinder task to your existing gradle file. This is not possible if you use the gradle plugins block (plugins {...}) which must be a top level statement in the buildscript.

Use the old mechanism works:

apply from: 'other.gradle'

Limited language and framework support

Having the need to build Gradle based Java 11 projects, I ran into 2 major issues:

  1. Developers were relying on Gradle in a specific version. GitLab’s License Management image ships an older version of gradle within the image and it’s impossible to match the developers required version. Gradle wrapper ./gradlew should be used instead.

    I recently contributed a SETUP_CMD environment variable to the core to bypass the package manager auto-detection and make use of the ./gradlew Gradle wrapper script.

  2. GitLab’s License Management images support Java 8 only.

Using a custom licence management image

I’ve forked the / security-products / license-management project and started to work on the two issues listed above.

Language Version Framework License scanner image
Java 8 Maven, Gradle GitLab’s default image
10 Gradle Wrapper

The customized license_management job in detail

Below is an example of a Java 11 customized license_management job which uses my customized Docker image which is based on OpenJDK base images and supports gradle wrapper only, because it does not ship Gradle within the image.

# ...

  stage: verify
    entrypoint: [""]
    SETUP_CMD: ./gradlew --quiet --no-daemon assemble
    - / analyze .
      license_management: gl-license-management-report.json

# ...


comments powered by Disqus