Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Packages being flagged incorrectly with invalid SPDX license definitions #809

Open
shubhashish-certa opened this issue Aug 9, 2024 · 7 comments
Labels
bug Something isn't working

Comments

@shubhashish-certa
Copy link

shubhashish-certa commented Aug 9, 2024

Hi, We have 4 dependency packages being upgraded which are using extensive Dual licensing. I have recently updated my config file to accommodate the flagged license identifiers as well. Still we are getting "Invalid SPDX license" for all of them.

Package Version License Issue Type
jmespath 0.16.0 Apache-2.0 AND MIT Invalid SPDX License
pako 1.0.11 MIT AND Zlib Invalid SPDX License
sprintf-js 1.0.3 BSD-3-Clause AND BSD-3-Clause-Clear Invalid SPDX License
stream-buffers 3.0.3 Unlicense Invalid SPDX License

My dependency review workflow looks like this

- name: 'Dependency Review'
  uses: actions/dependency-review-action@v3
  with:
    config-file: 'security-config/dependency-review-config.yml'

My config file has these licenses already allowed:

Allowed Licenses: 
- BSD-2-Clause
- BSD-3-Clause
- MIT
- Apache-2.0
- PSF-2.0
- ISC
- HPND
- CC0-1.0
- 0BSD
- PSF-2.0
- Python-2.0
- WTFPL
- LGPL-3.0
- Apache-2.0 and MIT
- MIT AND Zlib
- BSD-3-Clause AND BSD-3-Clause-Clear
- Unlicense

Additionally, I also checked the license identifiers using license-expression validator but it found no issues with any of the identifiers.

Please provide a prompt reason for the failure as the dependency review workflow is not helping us in resolving this at all.

@shubhashish-certa shubhashish-certa added the bug Something isn't working label Aug 9, 2024
@shubhashish-certa
Copy link
Author

shubhashish-certa commented Aug 9, 2024

FYI : @febuiles @jonjanego

@jonjanego
Copy link
Collaborator

Please start with using a current release. The latest is 4.3.4 and you are using v3 which was last updated in January.

We have made some recent improvements to license parsing which might help.

@shubhashish-certa
Copy link
Author

shubhashish-certa commented Aug 9, 2024

@jonjanego I tried modifying my action to the current release 4.3.4. And now the Invalid SPDX License issue is resolved. However, now I am getting Incompatible License for all the dependencies in my repo, even the basic ones

540 package(s) with incompatible licenses

Package Version License Issue Type
semver 5.7.1 ISC Incompatible License
qs 6.9.3 BSD-3-Clause Incompatible License
braces 3.0.2 MIT Incompatible License
cookiejar 2.1.3 MIT Incompatible License

And so on

@shubhashish-certa
Copy link
Author

shubhashish-certa commented Aug 12, 2024

FYI: @jonjanego Just wanted to send in so that this is still on track. Upgrading the version to the latest solved the issue of license parsing as you mentioned. However, all the licenses including the common ones like MIT and Apache-2.0 (among the other mentioned in the thread) are rendered as Incompatible License. As a note, these licenses used to work with the older version.

@jtomkiew-mng
Copy link

@shubhashish-certa

Version 4.3.4 does not work with invalid license names in the config and since that version, SPDX expression licenses are considered invalid (see: #792).

In short, remove all SPDX expressions from the config, like this:

Allowed Licenses: 
- BSD-2-Clause
- BSD-3-Clause
- MIT
- Apache-2.0
- PSF-2.0
- ISC
- HPND
- CC0-1.0
- 0BSD
- PSF-2.0
- Python-2.0
- WTFPL
- LGPL-3.0
- Unlicense

Note that if you have packages that use SPDX expressions, this will report them as invalid, as support is not yet implemented (see: #263). In that case you need to downgrade to version 4.3.3 where SPDX expressions are handled as exact strings (like you had in your original config).

@shubhashish-certa
Copy link
Author

That explains it @jtomkiew-mng thanks!!, both the methods worked, but currently going ahead with downgrading to v4.3.3, since we have multiple dependencies that are dual-licensed.

@JPLachance
Copy link

👋🏼

Did GitHub made progress on license expressions?

I too was forced to stay on the version 4.3.3 of the Action due to the fact most of the dependencies used have multiple licenses, or complex license expressions.

I've heard from our GitHub Account team that something was in the works on the Dependency Review side, and I found github/roadmap#1025 on the public roadmap.

Does anyone has some insider knowledge of what the future will look like for Dependency Review?

Ideally, we would upgrade, unpin version 4.3.3, benefits from all the recent work.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
None yet
Development

No branches or pull requests

4 participants