
Deprecate the deny-licenses option - discussion

Open nicorikken opened this issue 3 months ago • 2 comments

Now that the original issue #938 page no longer loads because it is present in all the pull requests, I suggest having the in-depth discussion here in this issue, because I think it is a very important discussion:

I'll start with an opinion: a license deny list is a bad idea. A company using one would put copyleft licenses like GPL-2.0 in there, potentially missing other copyleft licenses like CC-BY-SA-4.0, or maybe they would forget to also add GPL-3.0. Additionally, it's easy to miss commercial licenses like Elastic, which could be a problem for some users. This is even more of an issue now that ClearlyDefined includes more license identifiers than ever before. A deny list provides very limited risk reduction.

Up until recently, DRA did not provide the tools necessary to remediate failures. The most important remediation is the ability to say "I've reviewed this package and it's fine", and DRA could do that, but only if the license was a valid license expression. Recent DRA releases check if a package is on the allow-dependencies-licenses list first, so it can pass even if there's an invalid license.

We should deprecate the deny list option in a 4.x release in preparation for an eventual 5.x release that removes it. It would be interesting to see if we have feedback that comes out in favor of deny lists and provides some justification as to why our product should support it.

nicorikken, Oct 09 '25 14:10

In theory only an allow-list is better. In practice there are so many packages with missing or incorrect license information that you want to tackle the process from both sides. For my organizations we use all features (allow and deny licenses and allow and deny packages) to correct for missing and incorrect license information and to correct for incorrect handling of SPDX identifiers by this Action. The path forward I see is to amend dependency information before running this Action. GitHub does not provide such a feature. I think GitHub Advanced Security will be even less appealing when the deny-licenses option is removed, because it pushes users to a compliance process outside of GitHub, removing the need for this Action.

nicorikken, Oct 09 '25 14:10
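To make the two arguments above concrete (the opening post's point that a deny list lets unlisted copyleft and commercial licenses through, and the reply's point that an allow-list fails every package with missing license metadata unless it is exempted), here is an added example that is not the action's code: a simplified Python model of the evaluation order the thread describes, where an entry in `allow-dependencies-licenses` passes first and only then is the license checked against the allow-list or deny-list. It assumes the two license lists are mutually exclusive and uses constructed package URLs and license data.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# Simplified model of the policy evaluation discussed in this thread (added
# example, not the dependency-review-action implementation): a dependency
# listed in allow-dependencies-licenses is accepted before any license check.


@dataclass(frozen=True)
class Dependency:
    purl: str                  # package URL, e.g. "pkg:npm/lodash@4.17.21"
    license: Optional[str]     # SPDX identifier, or None when metadata is missing/invalid


def review(deps: Iterable[Dependency], *, allow_licenses: Optional[Set[str]] = None,
           deny_licenses: Optional[Set[str]] = None,
           allow_dependencies_licenses: Iterable[str] = ()) -> List[str]:
    """Return the purls that would fail the license review, in input order."""
    if allow_licenses is not None and deny_licenses is not None:
        raise ValueError("allow-licenses and deny-licenses are mutually exclusive")
    exempt = set(allow_dependencies_licenses)
    failures: List[str] = []
    for dep in deps:
        if dep.purl in exempt:
            continue  # reviewed by hand: passes even with a missing or invalid license
        if allow_licenses is not None:
            ok = dep.license in allow_licenses          # unknown/None never passes
        elif deny_licenses is not None:
            ok = dep.license not in deny_licenses       # anything unlisted slips through
        else:
            ok = True                                   # no license policy configured
        if not ok:
            failures.append(dep.purl)
    return failures


# Constructed sample dependencies; the names are placeholders, not real packages.
SAMPLE_DEPS = [
    Dependency("pkg:npm/example-mit@1.0.0", "MIT"),
    Dependency("pkg:npm/example-gpl2@1.0.0", "GPL-2.0"),
    Dependency("pkg:npm/example-gpl3@1.0.0", "GPL-3.0"),
    Dependency("pkg:npm/example-ccbysa@1.0.0", "CC-BY-SA-4.0"),
    Dependency("pkg:npm/example-elastic@1.0.0", "Elastic-2.0"),
    Dependency("pkg:npm/example-nolicense@1.0.0", None),
]


def deny_list_result() -> List[str]:
    # Deny list with only GPL-2.0: GPL-3.0, CC-BY-SA-4.0 and Elastic all pass.
    return review(SAMPLE_DEPS, deny_licenses={"GPL-2.0"})


def allow_list_result() -> List[str]:
    # Allow-list: every copyleft/commercial package fails, but so does the one with no metadata.
    return review(SAMPLE_DEPS, allow_licenses={"MIT", "Apache-2.0"})


def allow_list_with_exemption_result() -> List[str]:
    # Same allow-list, with the metadata-less package exempted after manual review.
    return review(SAMPLE_DEPS, allow_licenses={"MIT", "Apache-2.0"},
                  allow_dependencies_licenses=["pkg:npm/example-nolicense@1.0.0"])
```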

Thanks for bumping this @nicorikken - I had thought that we avoided the linkspam with the change in #974 but ... I guess that syntax also auto links.

ahpook, Oct 09 '25 21:10