dependency-review-action icon indicating copy to clipboard operation
dependency-review-action copied to clipboard
verified publisher icon actions

Packages being flagged incorrectly with invalid SPDX license definitions

Open shubhashish-certa opened this issue 1 year ago • 6 comments

Hi, We have 4 dependency packages being upgraded which are using extensive Dual licensing. I have recently updated my config file to accommodate the flagged license identifiers as well. Still we are getting "Invalid SPDX license" for all of them.

Package Version License Issue Type
jmespath 0.16.0 Apache-2.0 AND MIT Invalid SPDX License
pako 1.0.11 MIT AND Zlib Invalid SPDX License
sprintf-js 1.0.3 BSD-3-Clause AND BSD-3-Clause-Clear Invalid SPDX License
stream-buffers 3.0.3 Unlicense Invalid SPDX License

My dependency review workflow looks like this

- name: 'Dependency Review'
  uses: actions/dependency-review-action@v3
  with:
    config-file: 'security-config/dependency-review-config.yml'

My config file has these licenses already allowed:

Allowed Licenses: 
- BSD-2-Clause
- BSD-3-Clause
- MIT
- Apache-2.0
- PSF-2.0
- ISC
- HPND
- CC0-1.0
- 0BSD
- PSF-2.0
- Python-2.0
- WTFPL
- LGPL-3.0
- Apache-2.0 and MIT
- MIT AND Zlib
- BSD-3-Clause AND BSD-3-Clause-Clear
- Unlicense

Additionally, I also checked the license identifiers using license-expression validator but it found no issues with any of the identifiers.

Please provide a prompt reason for the failure as the dependency review workflow is not helping us in resolving this at all.

shubhashish-certa avatar Aug 09 '24 08:08 shubhashish-certa

FYI : @febuiles @jonjanego

shubhashish-certa avatar Aug 09 '24 08:08 shubhashish-certa

Please start with using a current release. The latest is 4.3.4 and you are using v3 which was last updated in January.

We have made some recent improvements to license parsing which might help.

jonjanego avatar Aug 09 '24 14:08 jonjanego

@jonjanego I tried modifying my action to the current release 4.3.4. And now the Invalid SPDX License issue is resolved. However, now I am getting Incompatible License for all the dependencies in my repo, even the basic ones

540 package(s) with incompatible licenses

Package Version License Issue Type
semver 5.7.1 ISC Incompatible License
qs 6.9.3 BSD-3-Clause Incompatible License
braces 3.0.2 MIT Incompatible License
cookiejar 2.1.3 MIT Incompatible License

And so on

shubhashish-certa avatar Aug 09 '24 18:08 shubhashish-certa

FYI: @jonjanego Just wanted to send in so that this is still on track. Upgrading the version to the latest solved the issue of license parsing as you mentioned. However, all the licenses including the common ones like MIT and Apache-2.0 (among the other mentioned in the thread) are rendered as Incompatible License. As a note, these licenses used to work with the older version.

shubhashish-certa avatar Aug 12 '24 19:08 shubhashish-certa

@shubhashish-certa

Version 4.3.4 does not work with invalid license names in the config and since that version, SPDX expression licenses are considered invalid (see: #792).

In short, remove all SPDX expressions from the config, like this:

Allowed Licenses: 
- BSD-2-Clause
- BSD-3-Clause
- MIT
- Apache-2.0
- PSF-2.0
- ISC
- HPND
- CC0-1.0
- 0BSD
- PSF-2.0
- Python-2.0
- WTFPL
- LGPL-3.0
- Unlicense

Note that if you have packages that use SPDX expressions, this will report them as invalid, as support is not yet implemented (see: #263). In that case you need to downgrade to version 4.3.3 where SPDX expressions are handled as exact strings (like you had in your original config).

jtomkiew-mng avatar Aug 13 '24 10:08 jtomkiew-mng

That explains it @jtomkiew-mng thanks!!, both the methods worked, but currently going ahead with downgrading to v4.3.3, since we have multiple dependencies that are dual-licensed.

shubhashish-certa avatar Aug 13 '24 17:08 shubhashish-certa

👋🏼

Did GitHub made progress on license expressions?

I too was forced to stay on the version 4.3.3 of the Action due to the fact most of the dependencies used have multiple licenses, or complex license expressions.

I've heard from our GitHub Account team that something was in the works on the Dependency Review side, and I found https://github.com/github/roadmap/issues/1025 on the public roadmap.

Does anyone has some insider knowledge of what the future will look like for Dependency Review?

Ideally, we would upgrade, unpin version 4.3.3, benefits from all the recent work.

JPLachance avatar Jan 23 '25 16:01 JPLachance

This should be now fixed with PR #916, but there is no tagged version so you have to ref commit https://github.com/actions/dependency-review-action/commit/5a5d4df8ad0dd154e61910cad81fb3bfe8f692ae (IMO safer option anyway):

uses: actions/dependency-review-action@5a5d4df8ad0dd154e61910cad81fb3bfe8f692ae

jtomkiew-mng avatar Apr 25 '25 17:04 jtomkiew-mng

This should be fixed now in v4.7.0.

dangoor avatar May 08 '25 18:05 dangoor