
Invalid SPDX License #559

Closed
kamimanzoor opened this issue Sep 4, 2023 · 6 comments

Comments

@kamimanzoor

Hi,

We have recently added dependency review in our workflows. We are getting an "Invalid SPDX License" issue for quite a lot of our dependencies, even though it states that the latest release (v3) is fully SPDX-compliant and has support for AND/OR expressions. I have manually parsed a couple of licenses like BSD-2-Clause AND BSD-3-Clause via the underlying library spdx-expression-parse and it seems to parse without any issues. Please find the screenshot below:
[screenshot]
The workflow code snippet alongside config file is shown below:

```yaml
- name: 'Dependency Review with config file'
  uses: actions/dependency-review-action@v3
  with:
    config-file: ${{ inputs.config-file }}
```

Small snippet from config file:

```yaml
fail_on_severity: 'critical'
comment_summary_in_pr: true
license_check: true
allow_licenses:
  - Apache-1.0
  - Apache-1.1
  - Apache-2.0
  - BSL-1.0
  - BSD-1-Clause
  - BSD-2-Clause
  - BSD-2-Clause-Patent
  - BSD-3-Clause
```

Any prompt response would be greatly appreciated as currently dependency review is not adding any meaningful value for us.

@febuiles (Contributor)

@kamimanzoor Thanks for the report. Just to confirm my understanding is correct:

  • cryptography should fail (Python-2.0 is not in the allowlist)
  • astroid should fail (LGPL-2.1-only is not in the allowlist)

The other 3 licenses should not fail. Can you confirm this makes sense to you?

@panthony commented Mar 12, 2024

Hello there 👋🏻

Similar issue but with OR:

[Screenshot 2024-03-12 at 15:20:48]

Here GPL-2.0 is denied. But this particular dependency should not fail the test because it can be licensed under Apache-2.0.

Which is probably a more common (and simpler) case.
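
The AND and OR semantics the two reports above expect, as an added example that is not the dependency-review-action's code and does not use the spdx-expression-parse package (function names and the sample dependencies are hypothetical): a small SPDX expression parser plus an allowlist evaluator that returns 'allowed', 'denied' or 'invalid' per dependency, so an unparseable expression is kept apart from a parseable but disallowed one. The allowlist is the one from the config snippet in the first comment.

```javascript
// Added example: a minimal SPDX license-expression parser plus an allowlist
// evaluator. Not the dependency-review-action's code and not the
// spdx-expression-parse package; function names and sample data are hypothetical.
// Semantics the thread expects: "A AND B" is allowed only if both A and B are
// allowed; "A OR B" is allowed if either A or B is allowed.

const OPERATORS = new Set(['AND', 'OR', 'WITH']);

// Split into license ids, parentheses and operators (SPDX id chars: letters, digits, . - +).
function tokenize(expression) {
  const spaced = expression.replace(/([()])/g, ' $1 ').trim();
  if (spaced === '') throw new Error('empty expression');
  return spaced.split(/\s+/).map((tok) => {
    if (tok !== '(' && tok !== ')' && !/^[A-Za-z0-9.+-]+$/.test(tok)) {
      throw new Error(`invalid token "${tok}"`);
    }
    return tok;
  });
}

// Recursive-descent parser, precedence tightest first: WITH, AND, OR.
function parseSpdx(expression) {
  const tokens = tokenize(expression);
  let pos = 0;
  const peek = () => tokens[pos];
  const isOp = (op) => peek() !== undefined && peek().toUpperCase() === op;

  function identifier(what) {
    const tok = tokens[pos++];
    if (tok === undefined || tok === '(' || tok === ')' || OPERATORS.has(tok.toUpperCase())) {
      throw new Error(`expected ${what}, got "${tok}"`);
    }
    return tok;
  }
  function primary() {
    if (peek() !== '(') return { license: identifier('license id') };
    pos++;
    const inner = orExpr();
    if (tokens[pos++] !== ')') throw new Error('missing ")"');
    return inner;
  }
  function withExpr() {
    const node = primary();
    if (!isOp('WITH')) return node;
    pos++;
    if (!node.license) throw new Error('WITH must follow a single license id');
    return { license: node.license, exception: identifier('exception id') };
  }
  function andExpr() {
    let left = withExpr();
    while (isOp('AND')) { pos++; left = { op: 'AND', left, right: withExpr() }; }
    return left;
  }
  function orExpr() {
    let left = andExpr();
    while (isOp('OR')) { pos++; left = { op: 'OR', left, right: andExpr() }; }
    return left;
  }

  const tree = orExpr();
  if (pos !== tokens.length) throw new Error(`unexpected token "${tokens[pos]}"`);
  return tree;
}

// AND needs both sides allowed, OR needs either. A license carrying a WITH
// exception is judged on its license id; exceptions are not allowlisted here.
function isAllowed(node, allow) {
  if (node.op === 'AND') return isAllowed(node.left, allow) && isAllowed(node.right, allow);
  if (node.op === 'OR') return isAllowed(node.left, allow) || isAllowed(node.right, allow);
  return allow.has(node.license);
}

// Keep the thread's three outcomes distinct: an unparseable expression is
// 'invalid'; a parseable one is 'allowed' or 'denied'.
function checkLicense(expression, allowLicenses) {
  let tree;
  try { tree = parseSpdx(expression); } catch (err) { return 'invalid'; }
  return isAllowed(tree, new Set(allowLicenses)) ? 'allowed' : 'denied';
}

// Allowlist taken from the config snippet in the report above.
const ALLOW_LICENSES = [
  'Apache-1.0', 'Apache-1.1', 'Apache-2.0', 'BSL-1.0',
  'BSD-1-Clause', 'BSD-2-Clause', 'BSD-2-Clause-Patent', 'BSD-3-Clause',
];

// Constructed sample dependencies; the package names are made up.
const SAMPLE_DEPENDENCIES = [
  { name: 'pkg-a', license: 'BSD-2-Clause AND BSD-3-Clause' }, // allowed
  { name: 'pkg-b', license: 'LGPL-2.1-only' },                 // denied
  { name: 'pkg-c', license: 'GPL-2.0 OR Apache-2.0' },         // allowed via Apache-2.0
  { name: 'pkg-d', license: 'GPL-2.0 AND Apache-2.0' },        // denied via GPL-2.0
  { name: 'pkg-e', license: 'MIT AND (BSD-3-Clause OR' },      // invalid: unbalanced
];

for (const dep of SAMPLE_DEPENDENCIES) {
  console.log(`${dep.name}  ${checkLicense(dep.license, ALLOW_LICENSES).padEnd(7)}  ${dep.license}`);
}
```

Run it with `node`. The dual holds for a denylist: with `deny_licenses`, an AND expression should fail if any operand is denied and an OR expression only if every operand is denied, which is the same tree walk with the boolean operators swapped.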

@jonjanego (Collaborator)

Thank you for the issue report, @panthony

@panthony

@jonjanego Found this issue later about this:

#670

@jonjanego (Collaborator)

Yep, thanks @panthony - we've got it on our radar! :)

@febuiles (Contributor)

The original issue tracked other problems with SPDX licenses that since have been fixed, the only remaining item here are OR expressions. I updated #670, closing this in favor of that issue.
