feat: update licenses to including custom content when SPDX expressions are unable to be determined #3366
Conversation
Signed-off-by: HeyeOpenSource <[email protected]>
Signed-off-by: HeyeOpenSource <[email protected]>
…available. Signed-off-by: HeyeOpenSource <[email protected]>
Signed-off-by: HeyeOpenSource <[email protected]>
…tion in order to avoid incompatibilities (and multiple instances of the same license). Signed-off-by: HeyeOpenSource <[email protected]>
Signed-off-by: HeyeOpenSource <[email protected]>
Signed-off-by: HeyeOpenSource <[email protected]> # Conflicts: # internal/licenses/parser.go
Signed-off-by: HeyeOpenSource <[email protected]>
HeyeOpenSource
changed the title
Signed-off-by: HeyeOpenSource <[email protected]>
Signed-off-by: HeyeOpenSource <[email protected]>
…tic analysis. Signed-off-by: HeyeOpenSource <[email protected]>
Signed-off-by: HeyeOpenSource <[email protected]>
Signed-off-by: HeyeOpenSource <[email protected]>
github-actions
bot
added
json-schema
This reverts commit beda1b6. Signed-off-by: HeyeOpenSource <[email protected]>
Signed-off-by: HeyeOpenSource <[email protected]>
This reverts commit 9b90378. Signed-off-by: HeyeOpenSource <[email protected]>
Signed-off-by: HeyeOpenSource <[email protected]>
HeyeOpenSource
force-pushed
the
Custom_Licenses
branch
from
7a98f3a to
3e546de
Compare
| @@ -29,6 +29,7 @@ type License struct { | |||
| Type license.Type | |||
| URLs []string `hash:"ignore"` | |||
| Locations file.LocationSet `hash:"ignore"` | |||
| Contents string `hash:"ignore"` // The optional binary contents of the license file | |||
There was a problem hiding this comment.
If we add support for this we should make this configurable. It could be a simple on/off (collect or do not collect contents) but there is some argument for more options here. Specifically, when we can get the ID from contents and we have a high degree of confidence that it matches then including the contents is redundant / not necessary (one of multiple possible middle of the road options).
I think the default for this option should either be "off" or the middle of the road option.
There was a problem hiding this comment.
My implementation only ever fills the Contents field if a non-empty file identified as potential license file (by name) exists and no SPDX-expression can be determined for it with the required confidence.
Otherwise the status quo implementation is retained.
Hence I would assume that the option as you describe it is currently "middle of the road" by default. 😉
There was a problem hiding this comment.
I would advocate for a later implementation of the configurability, as my current implementation mitigates the fact, that packages with an identified (but non-SPDX-expression-compatible) license file will be erroneously handled as unlicensed. (cf. #3412)
|
The Validations workflow finally throws no more errors at me. 👍 |
HeyeOpenSource
changed the title
…icenses # Conflicts: # syft/format/common/spdxhelpers/to_format_model.go
# Conflicts: # syft/format/internal/cyclonedxutil/helpers/licenses.go
* main: (54 commits) chore(deps): update CPE dictionary index (anchore#3620) chore(deps): bump github.com/bmatcuk/doublestar/v4 from 4.8.0 to 4.8.1 (anchore#3621) chore(deps): bump github/codeql-action from 3.28.4 to 3.28.5 (anchore#3622) chore(deps): bump github/codeql-action from 3.28.3 to 3.28.4 (anchore#3618) chore(deps): bump anchore/sbom-action from 0.17.9 to 0.18.0 (anchore#3619) chore(deps): update tools to latest versions (anchore#3607) chore(deps): bump github/codeql-action from 3.28.2 to 3.28.3 (anchore#3608) chore(deps): bump github.com/go-git/go-git/v5 from 5.13.1 to 5.13.2 (anchore#3609) chore(deps): bump github.com/docker/docker (anchore#3610) chore(deps): bump actions/setup-go in /.github/actions/bootstrap (anchore#3612) chore(deps): bump actions/cache in /.github/actions/bootstrap (anchore#3613) chore(ci): fix composite GitHub action path in dependabot config (anchore#3611) chore(deps): update tools to latest versions (anchore#3602) chore(deps): bump github/codeql-action from 3.28.1 to 3.28.2 (anchore#3604) chore(deps): bump github.com/hashicorp/hcl/v2 from 2.22.0 to 2.23.0 (anchore#3605) chore(deps): bump github.com/aquasecurity/go-pep440-version (anchore#3606) chore: bump stereoscope to v0.0.13 (anchore#3601) feat(cataloger): add a terraform provider cataloger (anchore#3378) chore(deps): update tools to latest versions (anchore#3597) chore(deps): update CPE dictionary index (anchore#3599) ... Signed-off-by: Christopher Phillips <[email protected]>
Signed-off-by: Christopher Phillips <[email protected]>
|
Warning Detected modification or removal of existing json schemas:
|
|
rebased and pull in upstream main - I'll work through the CI, add my review, and add @wagoodman's requested functionality about contents configuration. Thanks for the contribution @HeyeOpenSource! Sorry this one has taken a little while. |
Signed-off-by: Christopher Phillips <[email protected]>
Signed-off-by: Christopher Phillips <[email protected]>
|
PR looks great! Adding some new tests around the format model changes to double check behavior and will merge 👍 After reading the behavior again I agree with @HeyeOpenSource that we don't need to make contents configurable as they are only exposed when a valid license ID can not be determined by the scanner. I'll make sure to update the documentation in syft to express this mutually exclusive behavior. Apologies for breaking the tests using |
spiffcs
changed the title
Signed-off-by: Christopher Phillips <[email protected]>
Description
Implements support for custom licenses.
Should probably be reviewed by @wagoodman and / or @spiffcs.
Type of change
Checklist:
make testlocally without receiving any failures