DependencyTrack / dependency-track

Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
https://dependencytrack.org/
Apache License 2.0

License Policy Violations Information loss #1337

Open nibiwodong opened 2 years ago

nibiwodong commented 2 years ago


Current Behavior:

amqp-client uses three licenses: MPL 2.0, Apache 2.0, GPL 2.0. https://github.com/rabbitmq/rabbitmq-java-client/blob/main/LICENSE

[screenshot]

Steps to Reproduce:

Expected Behavior:

Policy Violations table should display three licenses: Apache 2.0, MPL 2.0 and GPL 2.0.

Environment:

Additional Details:


stevespringett commented 2 years ago

Currently dependency-track does not support multiple licenses. This enhancement is being tracked in #170. Once implemented, policy evaluation can be enhanced to support this use case.

rkg-mm commented 2 years ago

How do you even see that field? I just wanted to report a bug about the license displaying and was looking through open issues, finding this one, which surprises me:

Also using version 4.3.6. Is this a bug or did I misconfigure something?

software-testing-professional commented 2 years ago

We are using Dependency-Track mainly for OSS license clearing.

And currently we are also facing this issue. Components are showing any (single!) one of the detected licenses, if there are more than one. Randomly.

This is a complete showstopper for our use case: OSS license clearing. Because license-related issues opened by policies are misleading in most cases.

To give a little context: We are using Tern (Docker images) and ORT (source code) for license scanning. And CycloneDX-CLI for BOM merging. After all scans are complete, we upload a merged SBOM to Dependency-Track.

I can see in the raw scanner output, that licenses are detected correctly. But Dependency-Track is obviously picking any of the licenses. Shows them in the UI. And applies policies to it, which then raise WARN or ERROR messages.

Is there any (quick'n'dirty) fix for that? Some way to focus on declared licenses? Modify the CycloneDX BOM and remove detected licenses?

This is super-important for us at the moment... :fearful:

Regards, Michael

stevespringett commented 2 years ago

@software-testing-professional Without seeing the BOMs in question, declared licenses should always be present in component -> licenses whereas observed licenses should always be stated in component -> evidence -> licenses.

If your BOMs state something different, please report the issue to the project.

Currently, Dependency-Track only supports a single license per component, and in most cases this works fine. Dependency-Track currently does not support evidence of observed licenses or observed copyright, and will ignore any data in those fields.

software-testing-professional commented 2 years ago

Hello @stevespringett. Thank you for your quick response. And for the clarification regarding CycloneDX.

A component in the CycloneDX BOM (created with ORT) looks like this.

```json
{
  "group": "ch.qos.logback",
  "name": "logback-classic",
  "version": "1.2.11",
  "description": "logback-classic module",
  "scope": "required",
  "licenses": [
    {
      "license": {
        "id": "EPL-1.0",
        "text": {
          "encoding": "base64",
          "contentType": "plain/text",
          "content": ""
        }
      }
    },
    {
      "license": {
        "id": "LGPL-2.1-or-later",
        "text": {
          "encoding": "base64",
          "contentType": "plain/text",
          "content": ""
        }
      }
    },
    {
      "license": {
        "id": "Apache-2.0",
        "text": {
          "encoding": "base64",
          "contentType": "plain/text",
          "content": ""
        }
      }
    },
    {
      "license": {
        "id": "CC-BY-NC-SA-2.5",
        "text": {
          "encoding": "base64",
          "contentType": "plain/text",
          "content": ""
        }
      }
    },
    {
      "license": {
        "id": "EPL-1.0",
        "text": {
          "encoding": "base64",
          "contentType": "plain/text",
          "content": ""
        }
      }
    },
    {
      "license": {
        "id": "GPL-1.0-or-later",
        "text": {
          "encoding": "base64",
          "contentType": "plain/text",
          "content": ""
        }
      }
    },
    {
      "license": {
        "id": "LGPL-2.0-or-later",
        "text": {
          "encoding": "base64",
          "contentType": "plain/text",
          "content": ""
        }
      }
    },
    {
      "license": {
        "id": "LGPL-2.1-only",
        "text": {
          "encoding": "base64",
          "contentType": "plain/text",
          "content": ""
        }
      }
    },
    {
      "license": {
        "name": "LicenseRef-scancode-arm-llvm-sga",
        "text": {
          "encoding": "base64",
          "contentType": "plain/text",
          "content": ""
        }
      }
    },
    {
      "license": {
        "name": "LicenseRef-scancode-generic-cla"
      }
    },
    {
      "license": {
        "name": "LicenseRef-scancode-iso-8879",
        "text": {
          "encoding": "base64",
          "contentType": "plain/text",
          "content": ""
        }
      }
    },
    {
      "license": {
        "name": "LicenseRef-scancode-unknown"
      }
    },
    {
      "license": {
        "name": "LicenseRef-scancode-unknown-license-reference"
      }
    },
    {
      "license": {
        "id": "MIT",
        "text": {
          "encoding": "base64",
          "contentType": "plain/text",
          "content": ""
        }
      }
    }
  ],
  "copyright": "Copyright (c) 1998-2002 W3C (MIT, INRIA, Keio), Copyright (c) 1999-2005 QOS.ch, LOGBack.com, Copyright (c) 1999-2022 QOS.ch, Copyright (c) 2006 Google Inc., Copyright (c) 2017 http://www.qos.ch/'> QOS.ch, Portions (c) International Organization",
  "purl": "pkg:maven/ch.qos.logback/logback-classic@1.2.11",
  "modified": false,
  "externalReferences": [
    {
      "type": "website",
      "url": "http://logback.qos.ch/logback-classic"
    }
  ],
  "type": "library"
}
```

It's 14 licenses in total. The example file I found on Github / OSS Review Toolkit has a corresponding structure, with multiple licenses per component. https://raw.githubusercontent.com/oss-review-toolkit/ort/main/reporter/src/funTest/assets/cyclonedx-reporter-expected-result.json

As shown in the screenshots above, the Component > Show Details page does not show a license. But the Policy Violations tab seems to pick any of the licenses.

In case of logback-classic, the correct (=declared) license would be LGPL-2.1-or-later. This was correctly identified by ORT Analyzer.

```json
"package" : {
  "id" : "Maven:ch.qos.logback:logback-classic:1.2.11",
  "purl" : "pkg:maven/ch.qos.logback/logback-classic@1.2.11",
  "authors" : [ "Ceki Gulcu", "Joern Huxhorn", "QOS.ch" ],
  "declared_licenses" : [ "Eclipse Public License - v 1.0", "GNU Lesser General Public License" ],
  "declared_licenses_processed" : {
    "spdx_expression" : "EPL-1.0 OR LGPL-2.1-or-later",
    "mapped" : {
      "Eclipse Public License - v 1.0" : "EPL-1.0",
      "GNU Lesser General Public License" : "LGPL-2.1-or-later"
    }
  }
}
```

The following ORT task scan seems to file any additional detected license under components > licenses, instead of components > evidence > licenses.

Coming from that structure, I understand that Dependency-Track can't see which license was declared by the project.

software-testing-professional commented 2 years ago

Besides, if I generate the CycloneDX as XML, it does at least distinguish between declared and detected licenses.

```xml
<component type="library" xmlns:ort="http://www.w3.org/1999/xhtml">
  <group>ch.qos.logback</group>
  <name>logback-classic</name>
  <version>1.2.11</version>
  <description>logback-classic module</description>
  <scope>required</scope>
  <licenses>
    <license>
      <id>EPL-1.0</id>
      <ort:origin>declared license</ort:origin>
    </license>
    <license>
      <id>LGPL-2.1-or-later</id>
      <ort:origin>declared license</ort:origin>
    </license>
    <license>
      <id>Apache-2.0</id>
      <ort:origin>detected license</ort:origin>
    </license>
    <license>
      <id>CC-BY-NC-SA-2.5</id>
      <ort:origin>detected license</ort:origin>
    </license>
    <license>
      <id>EPL-1.0</id>
      <ort:origin>detected license</ort:origin>
    </license>
    <license>
      <id>GPL-1.0-or-later</id>
      <ort:origin>detected license</ort:origin>
    </license>
    <license>
      <id>LGPL-2.0-or-later</id>
      <ort:origin>detected license</ort:origin>
    </license>
    <license>
      <id>LGPL-2.1-only</id>
      <ort:origin>detected license</ort:origin>
    </license>
    <license>
      <name>LicenseRef-scancode-arm-llvm-sga</name>
      <ort:origin>detected license</ort:origin>
    </license>
    <license>
      <name>LicenseRef-scancode-generic-cla</name>
      <ort:origin>detected license</ort:origin>
    </license>
    <license>
      <name>LicenseRef-scancode-iso-8879</name>
      <ort:origin>detected license</ort:origin>
    </license>
    <license>
      <name>LicenseRef-scancode-unknown</name>
      <ort:origin>detected license</ort:origin>
    </license>
    <license>
      <name>LicenseRef-scancode-unknown-license-reference</name>
      <ort:origin>detected license</ort:origin>
    </license>
    <license>
      <id>MIT</id>
      <ort:origin>detected license</ort:origin>
    </license>
  </licenses>
  <copyright>Copyright (c) 1998-2002 W3C (MIT, INRIA, Keio), Copyright (c) 1999-2005 QOS.ch, LOGBack.com, Copyright (c) 1999-2022 QOS.ch, Copyright (c) 2006 Google Inc., Copyright (c) 2017 http://www.qos.ch/'&gt; QOS.ch, Portions (c) International Organization</copyright>
  <purl>pkg:maven/ch.qos.logback/logback-classic@1.2.11</purl>
  <modified>false</modified>
  <externalReferences>
    <reference type="website">
      <url>http://logback.qos.ch/logback-classic</url>
    </reference>
  </externalReferences>
  <ort:dependencyType>transitive</ort:dependencyType>
</component>
```

Dependency-Track shows this component as MIT, which is one of the detected licenses. So like you described above, these observed (detected) licenses are in the wrong place.

Moving all detected licenses to the evidence section (with jq or so) might be an approach. At least there is no information loss, as all the information is preserved.

Supporting more than one license per component would nevertheless be a very desirable feature in Dependency-Track. :smiley:
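The "move detected licenses into evidence" workaround suggested in the last comment, combined with the declared-vs-observed placement stevespringett describes (component -> licenses for declared, component -> evidence -> licenses for observed), as an added example in Python. This is not ORT's, CycloneDX's or Dependency-Track's code. It assumes two ways of learning which entries are declared: the `declared_licenses_processed.mapped` values from the ORT analyzer result (for JSON BOMs, which carry no origin marker), or the `<ort:origin>` elements from the ORT XML BOM. The sample component, analyzer fragment and XML are constructed, trimmed copies of what was posted in this thread; the `http://www.w3.org/1999/xhtml` namespace is the one ORT used in that XML.

```python
"""Split ORT-generated CycloneDX license lists into declared vs. detected.

Added example, not ORT's or Dependency-Track's code. Detected licenses are
moved to component.evidence.licenses, duplicates are collapsed, so that the
top-level component.licenses list only holds declared licenses.
"""
import copy
import json
import xml.etree.ElementTree as ET

ORT_NS = "http://www.w3.org/1999/xhtml"  # namespace ORT used for ort:origin in the posted XML

# Constructed sample: trimmed logback-classic component from the thread (JSON form, no origin marker).
SAMPLE_COMPONENT = {
    "group": "ch.qos.logback",
    "name": "logback-classic",
    "version": "1.2.11",
    "purl": "pkg:maven/ch.qos.logback/logback-classic@1.2.11",
    "type": "library",
    "licenses": [
        {"license": {"id": "EPL-1.0"}},
        {"license": {"id": "LGPL-2.1-or-later"}},
        {"license": {"id": "Apache-2.0"}},
        {"license": {"id": "CC-BY-NC-SA-2.5"}},
        {"license": {"id": "EPL-1.0"}},  # appears twice: once declared, once detected
        {"license": {"name": "LicenseRef-scancode-unknown"}},
        {"license": {"id": "MIT"}},
    ],
}

# Constructed sample: the ORT analyzer result fragment for the same package.
SAMPLE_ORT_PACKAGE = {
    "id": "Maven:ch.qos.logback:logback-classic:1.2.11",
    "declared_licenses_processed": {
        "spdx_expression": "EPL-1.0 OR LGPL-2.1-or-later",
        "mapped": {
            "Eclipse Public License - v 1.0": "EPL-1.0",
            "GNU Lesser General Public License": "LGPL-2.1-or-later",
        },
    },
}

# Constructed sample: trimmed ORT XML component, which does carry an origin per license.
SAMPLE_XML = """<component type="library" xmlns:ort="http://www.w3.org/1999/xhtml">
  <licenses>
    <license><id>EPL-1.0</id><ort:origin>declared license</ort:origin></license>
    <license><id>LGPL-2.1-or-later</id><ort:origin>declared license</ort:origin></license>
    <license><id>MIT</id><ort:origin>detected license</ort:origin></license>
  </licenses>
</component>"""


def _key(entry):
    """Identity of a CycloneDX license entry: SPDX id if present, else name."""
    lic = entry.get("license", {})
    return lic.get("id") or lic.get("name")


def declared_ids_from_ort(ort_package):
    """Declared SPDX ids as mapped by the ORT analyzer (JSON BOM strategy)."""
    return set(ort_package["declared_licenses_processed"]["mapped"].values())


def declared_ids_from_xml(xml_text):
    """Declared ids read from <ort:origin> markers in an ORT XML component."""
    root = ET.fromstring(xml_text)
    declared = set()
    for lic in root.iter("license"):
        origin = lic.findtext(f"{{{ORT_NS}}}origin", default="")
        ident = lic.findtext("id") or lic.findtext("name")
        if origin == "declared license" and ident:
            declared.add(ident)
    return declared


def split_licenses(component, declared_ids):
    """Copy of `component` with declared licenses kept in component.licenses and
    every other entry moved to component.evidence.licenses. Duplicates collapse
    on id/name, first occurrence wins, so the declared EPL-1.0 is kept and the
    detected EPL-1.0 copy is dropped rather than leaking into evidence."""
    out = copy.deepcopy(component)
    declared, detected, seen = [], [], set()
    for entry in component.get("licenses", []):
        k = _key(entry)
        if k is None or k in seen:
            continue
        seen.add(k)
        (declared if k in declared_ids else detected).append(copy.deepcopy(entry))
    out["licenses"] = declared
    if detected:
        out.setdefault("evidence", {})["licenses"] = detected
    return out


def split_bom(bom, declared_by_purl):
    """Apply split_licenses to each component of a CycloneDX JSON BOM, keyed by
    purl. Components with no known declared set are left untouched."""
    out = copy.deepcopy(bom)
    out["components"] = [
        split_licenses(c, declared_by_purl[c["purl"]]) if c.get("purl") in declared_by_purl else c
        for c in bom.get("components", [])
    ]
    return out


if __name__ == "__main__":
    declared = declared_ids_from_ort(SAMPLE_ORT_PACKAGE)
    print(json.dumps(split_licenses(SAMPLE_COMPONENT, declared), indent=2))
    print(sorted(declared_ids_from_xml(SAMPLE_XML)))
```

After the split, component.licenses for logback-classic holds only EPL-1.0 and LGPL-2.1-or-later, and the scanner hits sit under evidence. Per stevespringett's note above, Dependency-Track at the time of this thread ignores the evidence section and still picks a single license per component, so this stops a detected license such as MIT from being the one picked, but it does not make Dependency-Track display both declared licenses.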