
feat: add check for allowed OSS licenses

Open smoyer64 opened this issue 1 year ago • 4 comments

This addition to the Makefile and GitHub workflow breaks the build if a package is added that doesn't have an approved OSS license. The (current) approved list can be found in .lichen.yaml which was populated from the list of licenses of packages that are already included in the library.

The license checks can also be run locally using make legal.

smoyer64 avatar Sep 12 '22 14:09 smoyer64
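The allowlist check described in the issue (fail the build when any dependency's license is not on an approved list) can be illustrated with a small stand-alone Go program. This is an added example, not code from git-bug or from the lichen tool; the report format it parses (`module,license` lines), the sample modules and the allowlist contents are all constructed here and are not the project's actual .lichen.yaml.

```go
package main

import (
	"fmt"
	"os"
	"sort"
	"strings"
)

// ModuleLicense is one row of a dependency license report: the module
// path and the SPDX identifier a scanner resolved for it ("" if unknown).
type ModuleLicense struct {
	Module  string
	License string
}

// Violation records a dependency that fails the allowlist check.
type Violation struct {
	Module  string
	License string
	Reason  string
}

// Allowlist is a constructed approved-license list (assumption for this
// example; the real list lives in the project's .lichen.yaml).
var Allowlist = []string{"MIT", "Apache-2.0", "BSD-3-Clause", "ISC"}

// SampleReport is constructed scanner output: "module,license" per line.
// The last row has an empty license to show the "undetermined" failure mode.
const SampleReport = `# module,license
example.com/lib/alpha,MIT
example.com/lib/beta,Apache-2.0
example.com/lib/widget,GPL-3.0-only
example.com/lib/mystery,
`

// ParseCSVReport parses the constructed "module,license" format.
// Blank lines and lines starting with '#' are skipped.
func ParseCSVReport(text string) ([]ModuleLicense, error) {
	var out []ModuleLicense
	for n, line := range strings.Split(text, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		fields := strings.SplitN(line, ",", 2)
		if len(fields) != 2 || strings.TrimSpace(fields[0]) == "" {
			return nil, fmt.Errorf("line %d: expected \"module,license\", got %q", n+1, line)
		}
		out = append(out, ModuleLicense{
			Module:  strings.TrimSpace(fields[0]),
			License: strings.TrimSpace(fields[1]),
		})
	}
	return out, nil
}

// CheckLicenses returns one Violation per module whose license is missing
// or not on the allowlist. SPDX identifiers are compared case-insensitively.
// A module with an unclassified license is treated as a failure rather than
// silently passing, so an unknown license cannot sneak in.
func CheckLicenses(report []ModuleLicense, allow []string) []Violation {
	allowed := make(map[string]bool, len(allow))
	for _, id := range allow {
		allowed[strings.ToLower(strings.TrimSpace(id))] = true
	}
	var out []Violation
	for _, m := range report {
		id := strings.ToLower(m.License)
		switch {
		case id == "":
			out = append(out, Violation{m.Module, m.License, "license could not be determined"})
		case !allowed[id]:
			out = append(out, Violation{m.Module, m.License, "license not in allowlist"})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Module < out[j].Module })
	return out
}

func main() {
	report, err := ParseCSVReport(SampleReport)
	if err != nil {
		fmt.Fprintln(os.Stderr, "bad report:", err)
		os.Exit(2)
	}
	violations := CheckLicenses(report, Allowlist)
	for _, v := range violations {
		fmt.Printf("FAIL %s (%q): %s\n", v.Module, v.License, v.Reason)
	}
	if len(violations) > 0 {
		// Non-zero exit is what makes a `make legal` target break the build.
		os.Exit(1)
	}
	fmt.Println("all dependency licenses are on the allowlist")
}
```

Wiring this into a Makefile target that runs before the test target gives the same effect the issue describes: the job fails as soon as a dependency with an unapproved or undetermined license appears in the module graph.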

On a side note, the vulnerability workflow is problematic as it does block everything right now, even if the tool recognizes that the vulnerable code is not called.

MichaelMure avatar Sep 13 '22 11:09 MichaelMure

Hmm ... I thought both GoKart and govulncheck specifically only broke the build if code could (in some path) be called. How did you determine that's how it behaves?

smoyer64 avatar Sep 13 '22 14:09 smoyer64

For the vulnerability checks, it seems like https://github.com/kitabisa/gokart-action and https://github.com/Templum/govulncheck-action would be more appropriate as they would run independently from a PR and push problems into the vulnerability tooling of GitHub.

MichaelMure avatar Sep 14 '22 09:09 MichaelMure

That sounds good ... and it doesn't preclude leaving the make recipes in place so you can check locally before committing.

smoyer64 avatar Sep 14 '22 11:09 smoyer64