Comments (6)
Hi @sreya, thanks for the report. At first glance, it looks like the problem is that some of these package-urls technically violate the spec so they aren't being parsed as one might expect.
According to the purl-spec, the "name" segment must be a percent-encoded string. In your case, that means you should have:
pkg:golang/github.com/pelletier%2fgo-toml%2fv2
pkg:golang/gopkg.in/DataDog%[email protected]
where %2f is the percent encoding of /.
I think this will probably fix your issue. At the same time, I agree that this is kind of an annoying aspect of the purl spec, so I've also created #765 to make our parser a little more permissive.
from dependency-review-action.
Hi @juxtin I'm still receiving an error when updating to your commit 🤔 . I even tried url encoding to no avail...here's the output/workflow file:
dependency-license-review:
  runs-on: ubuntu-latest
  if: github.ref != 'refs/heads/main'
  steps:
    - name: "Checkout Repository"
      uses: actions/checkout@v4
    - name: "Dependency Review"
      id: review
      # TODO: Replace this with the latest release once https://github.com/actions/dependency-review-action/pull/761 is merged.
      uses: actions/dependency-review-action@82ab8f69c78827a746628706b5d2c3f87231fd4c
      with:
        allow-licenses: Apache-2.0, BSD-2-Clause, BSD-3-Clause, CC0-1.0, ISC, MIT, MIT-0, MPL-2.0
        allow-dependencies-licenses: "pkg:golang/github.com/pelletier/go-toml/v2,pkg:golang/gopkg.in/DataDog%[email protected]"
        license-check: true
        vulnerability-check: false
    - name: "Report"
      # make sure this step runs even if the previous failed
      if: always()
      shell: bash
      env:
        VULNERABLE_CHANGES: ${{ steps.review.outputs.invalid-license-changes }}
      run: |
        fields=( "unlicensed" "unresolved" "forbidden" )
        for field in "${fields[@]}"; do
          # Use jq to check if the array is not empty
          if [[ $(echo "$VULNERABLE_CHANGES" | jq ".${field} | length") -ne 0 ]]; then
            echo "$VULNERABLE_CHANGES" | jq
            exit 1
          fi
        done
        echo "No incompatible licenses detected"
{
  "unlicensed": [
    {
      "change_type": "added",
      "manifest": "go.mod",
      "ecosystem": "gomod",
      "name": "gopkg.in/DataDog/dd-trace-go.v1",
      "version": "1.63.1",
      "package_url": "pkg:golang/gopkg.in/DataDog/[email protected]",
      "license": null,
      "source_repository_url": null,
      "scope": "runtime",
      "vulnerabilities": []
    }
  ],
  "unresolved": [],
  "forbidden": []
}
Poking through the code, it looks like exclusions are processed by parsing the "package_url": dependency-review-action/src/licenses.ts, line 48 in 339e2e1.
In the above case, the package URL from gomod is "pkg:golang/gopkg.in/DataDog/[email protected]", which does not have the slashes escaped. So, shouldn't the list of packages we want to ignore follow the same format (even if it's ambiguous vs the spec)?
Either way, I can't convince it to ignore packages, escaping the / or not.
Hi @juxtin any update here? Mainly wondering if there's a workaround we can use
Apologies everyone, it looks like we still have a discrepancy somewhere in how we represent or parse Go purls. We'll have to dig into this a bit more to narrow that down.
Just an update: I found another purl that doesn't appear to work:
- name: "Dependency Review"
  id: review
  uses: actions/[email protected]
  with:
    allow-licenses: Apache-2.0, 0BSD, BSD-2-Clause, BSD-3-Clause, CC0-1.0, ISC, MIT, MIT-0, MPL-2.0
    allow-dependencies-licenses: "pkg:golang/github.com/coder/[email protected], pkg:npm/[email protected], pkg:npm/[email protected], pkg:githubactions/alwaysmeticulous/report-diffs-action/cloud-compute"
    license-check: true
    vulnerability-check: false
Still returns an unknown:
VULNERABLE_CHANGES: {
  "unlicensed": [
    {
      "change_type": "added",
      "manifest": ".github/workflows/ci.yaml",
      "ecosystem": "actions",
      "name": "alwaysmeticulous/report-diffs-action/cloud-compute",
      "version": "1.*.*",
      "package_url": "pkg:githubactions/alwaysmeticulous/report-diffs-action/cloud-compute@1.%2A.%2A",
      "license": null,
      "source_repository_url": null,
      "scope": "runtime",
      "vulnerabilities": []
    }
  ],
  "unresolved": [],
  "forbidden": []
}
Related Issues (20)
- Feature Request: Block on unknown licenses HOT 1
- `warn_only` Does Not Apply When Using a Deny List HOT 1
- error "fetch failed" with v4.2.5 HOT 3
- Scorecard table URLs include duplicate https:// HOT 3
- MIT is an invalid SPDX license identifier? HOT 2
- Question: Is this action limited to revisions on the _default_ branch only? HOT 2
- Conflict between vulnerabilities in scorecard vs check
- v4.3.0 Causing PURL Processing Errors HOT 6
- Allow this action to run on branch HOT 4
- Latest release breaks dependabot HOT 3
- Configuring allow-dependencies-licenses fails the action HOT 3
- Error :- Purl String argument is required . HOT 4
- Job Summary Size Limitation aborts the job HOT 2
- `fail-on-severity` should still show lower severity vulnerabilities
- [BUG] When the report exceeds 64KB pr issue is not created since it exceeds max comment issue HOT 1
- Why is this not named `dependency-review` HOT 1
- Job Summary Size Limitation aborts the job [BUG] HOT 2
- [BUG] Release 4.3.4 breaking change with SPDX expressions HOT 9
- [BUG] Action Is Now Unable To Parse NPM pURL Without a Namespace HOT 8