My expectation is that adding a license to allow-dependencie

Hi <a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="

Just an update I found another purl that doesn't appear to work: <div class="snipp

Adding a license in 'allow-dependencies-licenses' does not prevent it from being populated in "invalid-license-changes" about dependency-review-action HOT 6 OPEN

sreya commented on August 15, 2024

Adding a license in 'allow-dependencies-licenses' does not prevent it from being populated in "invalid-license-changes"

from dependency-review-action.

Comments (6)

juxtin commented on August 15, 2024

Hi @sreya, thanks for the report. At first glance, it looks like the problem is that some of these package-urls technically violate the spec so they aren't being parsed as one might expect.

According to the purl-spec, the "name" segment must be a percent-encoded string. In your case, that means you should have:

pkg:golang/github.com/pelletier%2go-toml%2fv2
pkg:golang/gopkg.in/DataDog%[email protected]

where %2f is the percent encoding of /.

I think this will probably fix your issue. At the same time, I agree that this is kind of an annoying aspect of the purl spec, so I've also created #765 to make our parser a little more permissive.

from dependency-review-action.

sreya commented on August 15, 2024

Hi @juxtin I'm still receiving an error when updating to your commit 🤔 . I even tried url encoding to no avail...here's the output/workflow file:

  dependency-license-review:
    runs-on: ubuntu-latest
    if: github.ref != 'refs/heads/main'
    steps:
      - name: "Checkout Repository"
        uses: actions/checkout@v4
      - name: "Dependency Review"
        id: review
        # TODO: Replace this with the latest release once https://github.com/actions/dependency-review-action/pull/761 is merged.
        uses: actions/dependency-review-action@82ab8f69c78827a746628706b5d2c3f87231fd4c
        with:
          allow-licenses: Apache-2.0, BSD-2-Clause, BSD-3-Clause, CC0-1.0, ISC, MIT, MIT-0, MPL-2.0
          allow-dependencies-licenses: "pkg:golang/github.com/pelletier/go-toml/v2,pkg:golang/gopkg.in/DataDog%[email protected]"
          license-check: true
          vulnerability-check: false
      - name: "Report"
        # make sure this step runs even if the previous failed
        if: always()
        shell: bash
        env:
          VULNERABLE_CHANGES: ${{ steps.review.outputs.invalid-license-changes }}
        run: |
          fields=( "unlicensed" "unresolved" "forbidden" )
          for field in "${fields[@]}"; do
            # Use jq to check if the array is not empty
            if [[ $(echo "$VULNERABLE_CHANGES" | jq ".${field} | length") -ne 0 ]]; then
              echo "$VULNERABLE_CHANGES" | jq
              exit 1
            fi
          done
          echo "No incompatible licenses detected"

{
  "unlicensed": [
    {
      "change_type": "added",
      "manifest": "go.mod",
      "ecosystem": "gomod",
      "name": "gopkg.in/DataDog/dd-trace-go.v1",
      "version": "1.63.1",
      "package_url": "pkg:golang/gopkg.in/DataDog/[email protected]",
      "license": null,
      "source_repository_url": null,
      "scope": "runtime",
      "vulnerabilities": []
    }
  ],
  "unresolved": [],
  "forbidden": []
}

from dependency-review-action.

spikecurtis commented on August 15, 2024

Poking through the code, it looks like exclusions are processed by parsing the "package_url":

dependency-review-action/src/licenses.ts

Line 48 in 339e2e1

const changeAsPackageURL = parsePURL(encodeURI(change.package_url))

In the above case, the package URL from gomod is "pkg:golang/gopkg.in/DataDog/[email protected]" which does not have the slashes escaped. So, shouldn't the list of packages we want to ignore follow the same format (even if it's ambiguous vs the spec)?

Either way, I can't convince it to ignore packages, escaping the / or not.

from dependency-review-action.

sreya commented on August 15, 2024

Hi @juxtin any update here? Mainly wondering if there's a workaround we can use

from dependency-review-action.

juxtin commented on August 15, 2024

Apologies everyone, it looks like we still have a discrepancy somewhere in how we represent or parse Go purls somewhere. We'll have to dig into this a bit more to narrow that down.

from dependency-review-action.

sreya commented on August 15, 2024

Just an update I found another purl that doesn't appear to work:

      - name: "Dependency Review"
        id: review
        uses: actions/[email protected]
        with:
          allow-licenses: Apache-2.0, 0BSD, BSD-2-Clause, BSD-3-Clause, CC0-1.0, ISC, MIT, MIT-0, MPL-2.0
          allow-dependencies-licenses: "pkg:golang/github.com/coder/[email protected], pkg:npm/[email protected], pkg:npm/[email protected], pkg:githubactions/alwaysmeticulous/report-diffs-action/cloud-compute"
          license-check: true
          vulnerability-check: false

Still returns an unknown

    VULNERABLE_CHANGES: {"unlicensed":[{"change_type":"added","manifest":".github/workflows/ci.yaml","ecosystem":"actions","name":"alwaysmeticulous/report-diffs-action/cloud-compute","version":"1.*.*","package_url":"pkg:githubactions/alwaysmeticulous/report-diffs-action/cloud-compute@1.%2A.%2A","license":null,"source_repository_url":null,"scope":"runtime","vulnerabilities":[]}],"unresolved":[],"forbidden":[]}

from dependency-review-action.

Adding a license in 'allow-dependencies-licenses' does not prevent it from being populated in "invalid-license-changes" about dependency-review-action HOT 6 OPEN

Comments (6)

Related Issues (20)

Recommend Projects

React

Vue.js

Typescript

TensorFlow

Django

Laravel

D3

Recommend Topics

javascript

web

server

Machine learning

Visualization

Game

Recommend Org

Facebook

Microsoft

Google

Alibaba

D3

Tencent