
Unknown License but license available via github API

Open riosje opened this issue 1 year ago • 2 comments


Hello guys, I'm facing issues using this action in one of my workflows because it always marks my action with an unknown license, despite having the license properly configured everywhere.

This is the action returning the issue https://github.com/nodesource/setup-nsolid

This is a RUN with the issue https://github.com/nodesource/setup-nsolid/actions/runs/8065465089

This is the Workflow I'm testing https://github.com/nodesource/setup-nsolid/blob/jeff/fixdepreview/.github/workflows/dependency-review.yaml

This is the license the GitHub API returns with gh api /repos/nodesource/setup-nsolid/license | jq -r .license:

{
  "key": "mit",
  "name": "MIT License",
  "spdx_id": "MIT",
  "url": "https://api.github.com/licenses/mit",
  "node_id": "MDc6TGljZW5zZTEz"
}

This is a pipeline to reproduce the issue:

name: 'Dependency Review'
on: [pull_request]

permissions:
  contents: read

jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - name: 'Checkout Repository'
        uses: actions/checkout@v4
      - name: 'Dependency Review'
        uses: actions/dependency-review-action@v4

riosje avatar Feb 27 '24 14:02 riosje

@riosje Thanks for the report, we'll provide an update once we have more information. This is unexpected because the Action should fall back to using the same API you used to fetch a license when it can't find one, but apparently it's not:

$ gh api repos/nodesource/setup-nsolid/dependency-graph/compare/main...5bdec36
[
  {
    "change_type": "added",
    "manifest": ".github/workflows/ci.yaml",
    "ecosystem": "actions",
    "name": "nodesource/setup-nsolid",
    "version": "1.*.*",
    "package_url": "pkg:githubactions/nodesource/setup-nsolid@1.%2A.%2A",
    "license": null,
    "source_repository_url": null,
    "scope": "runtime",
    "vulnerabilities": []
...

For whoever's picking this up: I don't know if the mangled purl field could be having a bad interaction here, or if we need to double check how our license calculation is working.

febuiles avatar Feb 27 '24 14:02 febuiles
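An added example, not code from dependency-review-action itself, of the fallback described above: walk the compare output and, for entries whose license is null and whose purl is a GitHub Action, look the repository up the same way the reporter did. The sample entries are constructed from the JSON quoted in this thread, and REPO_LICENSE_API is a stub standing in for the /repos/{owner}/{repo}/license endpoint.

```python
import json
from urllib.parse import unquote

# Constructed sample: the compare output quoted above, reduced to the fields
# this check uses. Note the percent-encoded "1.%2A.%2A" version in the purl.
COMPARE_OUTPUT = json.loads("""[
  {"change_type": "added", "ecosystem": "actions",
   "name": "nodesource/setup-nsolid", "version": "1.*.*",
   "package_url": "pkg:githubactions/nodesource/setup-nsolid@1.%2A.%2A",
   "license": null, "source_repository_url": null},
  {"change_type": "added", "ecosystem": "maven",
   "name": "com.google.api.grpc:grpc-google-cloud-storage-v2", "version": "2.35.0-alpha",
   "package_url": "pkg:maven/com.google.api.grpc/grpc-google-cloud-storage-v2@2.35.0-alpha",
   "license": null, "source_repository_url": null}
]""")

# Stub for `gh api /repos/{owner}/{repo}/license | jq -r .license.spdx_id`
# (constructed; a real run would call the GitHub API here).
REPO_LICENSE_API = {"nodesource/setup-nsolid": "MIT"}


def parse_purl(purl):
    """Split a purl into (type, namespace/name, version), percent-decoding the version."""
    scheme, _, rest = purl.partition(":")
    if scheme != "pkg":
        raise ValueError(f"not a purl: {purl}")
    rest = rest.split("?", 1)[0].split("#", 1)[0]  # drop qualifiers and subpath
    path, _, version = rest.partition("@")
    ptype, _, name = path.partition("/")
    return ptype, name, unquote(version) if version else None


def resolve_license(entry, license_api=REPO_LICENSE_API):
    """Use the dependency-graph license; for GitHub Actions fall back to the repo license."""
    if entry.get("license"):
        return entry["license"]
    ptype, name, _ = parse_purl(entry["package_url"])
    if ptype == "githubactions":
        return license_api.get(name)  # name is owner/repo, the key the license endpoint uses
    return None  # no repository to ask, so the license stays unknown


def unknown_after_fallback(entries):
    """Names that are still unlicensed after the fallback, i.e. what the action should flag."""
    return [e["name"] for e in entries if resolve_license(e) is None]
```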

@febuiles I have the same issue, for example:

(Screenshot 2024-03-13 at 07:59:06)

Whereas if I download the SBOM via GitHub API I can see:

    {
      "SPDXID": "SPDXRef-maven-com.google.api.grpc-grpc-google-cloud-storage-v2-2.16.0-alpha",
      "name": "maven:com.google.api.grpc:grpc-google-cloud-storage-v2",
      "versionInfo": "2.16.0-alpha",
      "downloadLocation": "NOASSERTION",
      "filesAnalyzed": false,
      "licenseConcluded": "Apache-2.0",
      "supplier": "NOASSERTION",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceLocator": "pkg:maven/com.google.api.grpc/grpc-google-cloud-storage-v2@2.16.0-alpha",
          "referenceType": "purl"
        }
      ]
    },

Unfortunately, using the /dependency-graph API I have the license missing too:

  {
    "change_type": "added",
    "manifest": "settings.gradle",
    "ecosystem": "maven",
    "name": "com.google.api.grpc:grpc-google-cloud-storage-v2",
    "version": "2.35.0-alpha",
    "package_url": "pkg:maven/com.google.api.grpc/grpc-google-cloud-storage-v2@2.35.0-alpha",
    "license": null,
    "source_repository_url": null,
    "scope": "runtime",
    "vulnerabilities": []
  },

panthony avatar Mar 13 '24 07:03 panthony

What does "closed as not planned" mean?

riosje avatar Sep 25 '24 01:09 riosje