DependencyTrack / dependency-track

Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
https://dependencytrack.org/
Apache License 2.0

Policy violation: Library fails incorrectly on audit #1984

Open AfshinOnline opened 1 year ago

AfshinOnline commented 1 year ago

Incorrect Policy violation: On audit, libraries that do not have a permissive license are supposed to fail. This includes libraries that do not have MIT, Apache, etc. licenses. However, many libraries WITH permissive licenses fail and show up in the audit as a policy violation.

Setting the correct license under view details: component details: legal: license also fails to update and throws an error intermittently.

Current Behavior:

Incorrect Policy violation for libraries.

Steps to Reproduce:

Create a policy to fail based on license type eg Permissive license group:

image

Dozens of Libraries that should pass the audit because they are permissive fail:

One example:

image

image

Expected Behavior:

The library does not appear as a policy violation

Environment:

Additional Details:

Occurs with different CycloneDX libraries in different languages.

nscuro commented 1 year ago

Can you please provide more details about the components? Sharing the entire BOM that you imported into DT would be even more helpful.

What license is reported by GitHub is irrelevant for DT, it only ingests what you provide to it in your BOM. If it's a .NET project, perhaps you used cyclonedx-dotnet? If the license is incorrectly detected, you may want to raise an issue in that tool's repo: https://github.com/CycloneDX/cyclonedx-dotnet
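As an added diagnostic example (not code from this issue or from the Dependency-Track project), the Python below walks a CycloneDX JSON BOM and reports how each component's license is actually declared (SPDX id, free-text name, SPDX expression, or nothing), which is what the maintainer asks to see before judging whether the violation is wrong. The BOM content and component names are constructed for the example, and the `needs_review` helper is an assumption about what is worth checking first.

```python
import json

# Constructed sample CycloneDX 1.4 JSON BOM (not from the issue). It shows the
# three ways a component license can be declared: SPDX id, free-text name,
# and an SPDX expression, plus one component with no license at all.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "libA", "version": "1.0.0",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "libB", "version": "2.1.0",
         "licenses": [{"license": {"name": "MIT License"}}]},
        {"type": "library", "name": "libC", "version": "0.3.0",
         "licenses": [{"expression": "Apache-2.0 OR GPL-3.0-only"}]},
        {"type": "library", "name": "libD", "version": "4.0.0"},
    ],
})


def declared_licenses(bom_json: str) -> dict[str, list[str]]:
    """Map 'name@version' -> license declarations exactly as found in the BOM.

    Each entry is prefixed with how it was declared ('id:', 'name:', 'expr:'),
    since a free-text name such as 'MIT License' is not the same declaration
    as the SPDX id 'MIT', even when a human reads them as the same license.
    """
    bom = json.loads(bom_json)
    result: dict[str, list[str]] = {}
    for comp in bom.get("components", []):
        key = f"{comp.get('name')}@{comp.get('version', '')}"
        entries: list[str] = []
        for lic in comp.get("licenses", []):
            if "expression" in lic:
                entries.append("expr:" + lic["expression"])
            elif "license" in lic:
                inner = lic["license"]
                if "id" in inner:
                    entries.append("id:" + inner["id"])
                elif "name" in inner:
                    entries.append("name:" + inner["name"])
        result[key] = entries
    return result


def needs_review(bom_json: str) -> list[str]:
    """Assumed heuristic: components with no license or only a free-text name,
    i.e. the ones to inspect before concluding the policy engine is wrong."""
    return sorted(
        key for key, entries in declared_licenses(bom_json).items()
        if not any(e.startswith(("id:", "expr:")) for e in entries)
    )
```

Run it against the BOM you uploaded instead of `SAMPLE_BOM` to see what Dependency-Track was actually given for each component.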