Support for packages with multiple licenses #263
Comments
febuiles
changed the title
|
The latest release ( I'm leaving the bug report open until |
|
Hello! I do have a very similar issue. We have a long Do we have an ETA? |
|
@JPLachance we can't proceed until jslicense/spdx-satisfies.js#14 is fixed upstream. All ears if you have suggestions on how to improve the parsing of SPDX expressions! |
|
GitHub created multiple tools to bring security into everyone's CI in the past few years. The Dependency Review action is part of the "Supply chain security" tool chain sold under the banner of GitHub Advanced Security. GitHub is collecting hundreds of thousands of dollars per year selling GitHub Advanced Security. So now, are you telling us that we are blocked by an almost year old issue in a repository that has only 4 contributors and for which the last commit was on May 9, 2021, 2 years ago? I mean, fork it at this point 😅 I'll open yet another support case to GitHub if required to make things move. |
|
@JPLachance Your excitement regarding the project is very motivating, thank you for your comment! It sounds like this issue is problematic for you as an Advanced Security customer (FOSS projects get GHAS for free), and in that case I think the best way to move forward is to open a support ticket, that'll help this type of work get prioritized. |
|
Any updates on this issue? We are using many packages which uses multiple licenses. Since this is a paid service, can we expect any timeline to fix it? |
HI @prakyathr thank you for following up on this. Could you clarify, do you mean you're using packages that use multiple licenses? |
|
Hi @jonjanego , you are right. I meant packages that uses multiple licenses. I fixed the typo in the comment above as well. Anyway, will it be fixed soon? |
|
@prakyathr Thanks for clarifying! We're going to look into this and will share an update when we have more information on next steps. |
|
I just wanted to add a link to @elireisman comment here so it doesn't get lost: https://github.com/actions/dependency-review-action/pull/719/files#r1636935433 In short, #719 makes progress towards fixing this issue, but it doesn't quite get there. I have a test repo that confirms this. |
|
Just putting a note here that since version 4.3.4 there is no workaround for packages with licence expressions (#792) and implementing this would be a welcome addition. |
|
@juxtin So since version 4.3.4, is the only way to pass the pipeline when some dependencies use |
|
This is still an issue as of v4.3.4. I opened a support ticket recently and they pointed me to this issue. Why hasn't there been a fix yet after 2 years? |
|
Thanks for the feedback. We don't have this in our immediate plans but it's on our radar. |
One of the packages we're importing has multiple licenses based on dependent projects. The Github dependency-graph API returns all 3 licenses. We have each of the 3 licenses in our
allow-list, but because this is a single string response, it's failing the dependency review.Response from the depency-graph API:
{ "change_type": "added", "manifest": "package-lock.json", "ecosystem": "npm", "name": "@fortawesome/fontawesome-free", "version": "5.15.4", "package_url": "pkg:npm/%40fortawesome/fontawesome-free@5.15.4", "license": "CC-BY-4.0 AND MIT AND OFL-1.1", "source_repository_url": "https://github.com/FortAwesome/Font-Awesome", "scope": "runtime", "vulnerabilities": [] },Proposal
For a situation like this, the action would parse the license field and use the operator (AND) to check that all 3 licenses are in our allow-list. I can see the possibility of a dual-licensed package including an
OR(e.g.:CC-BY-4.0 OR MIT) and so we'd want to use the operator (AND or OR) to validate against theallow-listordeny-listappropriately.Thanks for your consideration!
The text was updated successfully, but these errors were encountered: