advanced-security-compliance
License Scanning and Policy: manage unknown license with local file
Dependabot sometimes fails to get the license information, as it is not well documented in a repository, for example:
- https://github.com/pugjs/pug
- https://github.com/jrburke/amdefine
The idea would be to:
- each time we do a test and the license is unknown:
  - log an issue/contribution in the source repository to allow Dependabot to recognize the license
  - add an entry in this Action project that will be the list of projects/URLs without a license
  - use the information in the policy management with clear information about the fact that it is coming from a local scan
@tgrall thanks for the feedback. Right now, if a license is unknown to the Dependency Graph, we log an error to the Action workflow.
https://github.com/GeekMasher/advanced-security-compliance/blob/main/ghascompliance/defaults/policy.yml#L18-L22
You can create and manage an import file containing the known licensing information.
https://github.com/GeekMasher/advanced-security-compliance/blob/main/examples/policies/conditions.yml#L33-L40
Thanks for this interesting project and your feedback on this issue. It would be more helpful to me to enhance with a list of known-good instead of known-bad dependencies.
E.g. I'm using the following example:
```yaml
licensing:
  conditions:
    ids:
      - GPL-*
      - LGPL-*
      - AGPL-*
  warnings:
    # Warning if the dependency isn't known
    ids:
      - Other
      - NA
  ignores:
    # known good packages
    names:
      - pip://packaging
```
However, this still produces warnings for pip://packaging. Is there another syntax available? Something with negation maybe?
```yaml
warnings:
  # Warning if the dependency isn't known
  ids:
    - Other
    - NA
  names:
    - ~ "pip://packaging"
```
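The three ideas raised in this thread (a local file that supplies licenses the Dependency Graph reports as unknown, a report that says plainly when a license came from that local file rather than the graph, and a known-good allow-list that suppresses the `Other`/`NA` warning for a named package) can be evaluated together with a small policy interpreter. The following is an added example, not code from this thread or from the advanced-security-compliance / policy-as-code project: it reads a policy dict shaped like the YAML in the comment above, but the matching semantics (`conditions.ids` and `warnings.ids` are glob patterns over the SPDX id, `ignores.names` is an allow-list applied before any other rule, local overrides only ever replace an unknown value) and the override-file format are assumptions of this example, not the project's documented behaviour. The dependency list and override table are constructed inline so the script runs offline.

```python
"""Added example: evaluate a license policy over a dependency list.

Assumed semantics (not the project's documented ones):
  * licensing.conditions.ids  -> glob patterns; a match is an error
  * licensing.warnings.ids    -> glob patterns; a match is a warning
  * licensing.ignores.names   -> allow-list of package names, checked first
  * LOCAL_LICENSES            -> fills in licenses the graph reported as
                                 unknown, and is flagged as such in the report
"""
from fnmatch import fnmatchcase

# Policy with the same shape as the YAML posted above.
POLICY = {
    "licensing": {
        "conditions": {"ids": ["GPL-*", "LGPL-*", "AGPL-*"]},
        "warnings": {"ids": ["Other", "NA"]},
        "ignores": {"names": ["pip://packaging"]},
    }
}

# Constructed local override file, keyed by package name. Only consulted when
# the graph reports an unknown license, so it can never downgrade a known one.
LOCAL_LICENSES = {
    "npm://pug": "MIT",
    "npm://amdefine": "BSD-3-Clause",
}

# Constructed stand-in for Dependency Graph output: (package, reported id).
DEPENDENCIES = [
    ("pip://packaging", "NA"),
    ("npm://pug", "NA"),
    ("npm://amdefine", "Other"),
    ("pip://requests", "Apache-2.0"),
    ("npm://left-pad", "NA"),
    ("pip://some-gpl-lib", "GPL-3.0"),
]

# Values the graph uses when it could not determine a license.
UNKNOWN = {"Other", "NA"}


def resolve_license(name, reported, local=LOCAL_LICENSES):
    """Return (license_id, source) where source is 'graph' or 'local'."""
    if reported in UNKNOWN and name in local:
        return local[name], "local"
    return reported, "graph"


def matches(value, patterns):
    """Case-sensitive glob match so 'GPL-*' does not hit 'LGPL-2.1'."""
    return any(fnmatchcase(value, p) for p in patterns)


def evaluate(deps, policy=POLICY, local=LOCAL_LICENSES):
    """Apply the policy; returns lists of (name, license, source) findings."""
    lic = policy["licensing"]
    conditions = lic.get("conditions", {}).get("ids", [])
    warn_ids = lic.get("warnings", {}).get("ids", [])
    ignore_names = lic.get("ignores", {}).get("names", [])
    result = {"errors": [], "warnings": [], "ignored": []}
    for name, reported in deps:
        license_id, source = resolve_license(name, reported, local)
        # Allow-list wins over everything else: a known-good package is
        # neither an error nor a warning, whatever the graph reported.
        if matches(name, ignore_names):
            result["ignored"].append((name, license_id))
            continue
        if matches(license_id, conditions):
            result["errors"].append((name, license_id, source))
        elif matches(license_id, warn_ids):
            result["warnings"].append((name, license_id, source))
    return result


def format_report(result):
    """Render findings, marking licenses that came from the local file."""
    lines = []
    for level in ("errors", "warnings"):
        for name, license_id, source in result[level]:
            note = " (license from local file, not the Dependency Graph)" if source == "local" else ""
            lines.append(f"{level[:-1].upper()} {name}: {license_id}{note}")
    for name, license_id in result["ignored"]:
        lines.append(f"IGNORED {name}: {license_id} (known-good allow-list)")
    return lines


if __name__ == "__main__":
    for line in format_report(evaluate(DEPENDENCIES)):
        print(line)
```

With the constructed input, `pug` and `amdefine` are resolved from the local file and drop out of the warnings, `packaging` is allow-listed, `left-pad` still warns because nobody has recorded its license locally, and the GPL dependency is an error. Note that the allow-list is checked before the condition rules, so a package on `ignores.names` is exempt from the GPL check as well; if that is not what a team wants, the allow-list should be applied only to the warning branch.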
@timdittler I am closing this issue now, if you want to talk more on this issue please raise a new one in https://github.com/advanced-security/policy-as-code