
Failure to determine license and flag to explicitly deny unknown licenses

Open wmmc88 opened this issue 1 year ago • 8 comments

I think a flag to explicitly deny unknown licenses is still warranted.

The following run fails to be able to detect the license of anstyle: https://github.com/wmmc88/windows-drivers-rs/actions/runs/7632001216/job/20791223328?pr=18

I am unsure why this is the case since the license is available here.

In any case, I still think there should be a way to fail the job if an unknown license is encountered. There are situations where you won't catch this in PR comments (e.g. if triggered on push, or if triggered on a PR from a fork).

Originally posted by @wmmc88 in https://github.com/actions/dependency-review-action/issues/264#issuecomment-1907051320

wmmc88 avatar Jan 26 '24 15:01 wmmc88

For the specific reproduction PR you gave, I wasn't able to reproduce the issue in a test repository with the same Cargo.lock file. The license also appears correct in the "view rich diff"/dependency review feature of the pull request itself.


So it looks like that part may have been a transient issue on our end.

On the topic of adding a fail-on-unknown-license option - I'll keep this issue open for tracking that.

mrysav avatar Feb 23 '24 19:02 mrysav

https://github.com/actions/dependency-review-action/issues/714 also suggests the value of failing on unknown.

jonjanego avatar Mar 15 '24 16:03 jonjanego

The example we have run into is with this GitHub Action, Docker Scout.

Clearly not an SPDX license type, so I am not saying that I would expect a different result from the dependency review action, but the ability to (a) fail when unknown and (b) possibly allow for this specific dependency to pass once the team determines it is OK to include would be nice.

mbrundige avatar Mar 22 '24 12:03 mbrundige
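As an added example (not the action's own code), the gate below implements the two behaviours asked for in this thread: fail the run when a dependency's license cannot be determined, and let a team-reviewed dependency pass by name. The input shape, the policy fields (`failOnUnknownLicense`, `allowDependencies`) and the sample dependency list are constructed assumptions, not the action's real inputs or output format.

```typescript
// Constructed input shape: what a scanner might report per dependency.
interface Dependency {
  name: string;
  license: string | null; // null = scanner could not determine a license
}

// Constructed policy: the flag this issue requests plus a reviewed-exception list.
interface Policy {
  allowLicenses: string[];       // SPDX identifiers the team accepts
  failOnUnknownLicense: boolean; // true = an undetermined license fails the job
  allowDependencies: string[];   // dependencies reviewed and accepted by name
}

interface Verdict {
  name: string;
  ok: boolean;
  reason: "allowed-by-license" | "allowed-by-exception" | "unknown-license" | "disallowed-license";
}

// Evaluate every dependency against the policy; exceptions are checked first,
// then the unknown-license case, then the ordinary allowlist.
function evaluate(deps: Dependency[], policy: Policy): Verdict[] {
  return deps.map((d) => {
    if (policy.allowDependencies.includes(d.name)) {
      return { name: d.name, ok: true, reason: "allowed-by-exception" };
    }
    if (d.license === null || d.license.trim() === "") {
      // Without the flag an unknown license silently passes, which is the
      // gap the issue describes; with it, the dependency fails the gate.
      return { name: d.name, ok: !policy.failOnUnknownLicense, reason: "unknown-license" };
    }
    const ok = policy.allowLicenses.includes(d.license);
    return { name: d.name, ok, reason: ok ? "allowed-by-license" : "disallowed-license" };
  });
}

// The job fails if any dependency did not pass.
function shouldFail(verdicts: Verdict[]): boolean {
  return verdicts.some((v) => !v.ok);
}

// Constructed sample modelled on the cases in the thread: one dependency whose
// license was not detected, one non-SPDX license the team has reviewed, one normal.
const sampleDeps: Dependency[] = [
  { name: "anstyle", license: null },
  { name: "docker-scout", license: null },
  { name: "example-lib", license: "MIT" },
];
```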

@jonjanego would you accept a community PR to address this?

sreya avatar Apr 17 '24 00:04 sreya

@sreya we'd definitely take a look at it!

jonjanego avatar Apr 17 '24 17:04 jonjanego

👋 This issue has been marked as stale because it has been open with no activity for 180 days. You can: comment on the issue or remove the stale label to hold stalebot off for a while, add the Keep label to hold stale off permanently, or do nothing. If you do nothing, this issue will be closed eventually by the stalebot. Please see CONTRIBUTING.md for more policy details.

github-actions[bot] avatar Oct 15 '24 00:10 github-actions[bot]

@jonjanego is this going to be added?

wmmc88 avatar Oct 15 '24 00:10 wmmc88

@jonjanego is this going to be added?

At the moment we do not have bandwidth to add this new feature, but would love to review any community contributions to it!

jonjanego avatar Oct 15 '24 14:10 jonjanego

👋 This issue has been marked as stale because it has been open with no activity for 180 days. You can: comment on the issue or remove the stale label to hold stalebot off for a while, add the Keep label to hold stale off permanently, or do nothing. If you do nothing, this issue will be closed eventually by the stalebot. Please see CONTRIBUTING.md for more policy details.

github-actions[bot] avatar Apr 14 '25 00:04 github-actions[bot]

👋 This issue has been closed by stalebot because it has been open with no activity for over 180 days. Please see CONTRIBUTING.md for more policy details.

github-actions[bot] avatar Apr 30 '25 00:04 github-actions[bot]

This feature is still desirable. Can you reopen this @jonjanego?

wmmc88 avatar May 01 '25 14:05 wmmc88