Closed HaGGi13 closed 5 months ago
Hi @HaGGi13,
I am starting to work on this. It was indeed information also received from a bot.
I will work for the next preview and let you know about that so you can validate it also.
Thanks for the valuable issue.
Hi @HaGGi13, can you check the published packages Arc4u 8.2.0-preview20? They should fix the issue. Add a readme file also. Let me know.
@GFlisch + @rdarko - please reference issues you work on in commits, merge requests or at least close it if it was solved. I just saw now after your comment that the issue was already fixed before I even started to work on it. By doing so, everyone is aware of an issue's state and knows if it was already solved and will not invest any time and work in addition. Thanks.
I just checked Arc4u.Standard and saw that it seems to be fine by now. In addition, I saw you changed the license to MIT too.
For documentation/comparison, here is v8.2.0-preview20 with the correct license reference:
... and here v8.2.0-preview18 with the "broken" one:
Is your feature request related to a problem? Please describe.
As a software architect and DevOps architect, I'm very interested in providing the security department, my lead architect and my project manager with all the project insights/information they need so that they can do their job in the best way.
One part of the deal is to provide them with security scan results which contain a list of used packages (incl. their dependencies) and their license.
For sure, I have to take care myself of which packages to use depending on their license too. This is easy to see when fetching them from package management systems like nuget.org, JFrog, ProGet etc.
Unfortunately, I stumbled upon the fact that the Arc4u libraries do not reference any valid kind of license when I scanned my project for vulnerabilities and created SBOM reports.
I figured this out by checking the Arc4u.Standard package's `*.nuspec` file that is part of each NuGet package by default. NuGet.org can handle the referenced license file, but does not display it on the page itself, and neither do other systems.
The `*.nuspec` file specification provides two fields for that, whereby one of these is deprecated and should not be used anymore:
- `licenseUrl` (deprecated | MSDoc article)
- `license` (supported with NuGet 4.9.0 | MSDoc article)
Instead of the `license` field defining a valid license type, its value is simply `LICENSE`. Furthermore, the deprecated field `licenseUrl` has a value that gives the information that this field is deprecated, whereby this is formatted like a URL (https://aka.ms/deprecateLicenseUrl) that redirects on visit to an MSDocs article.
Describe the solution you'd like
All Arc4u NuGet packages define a valid license type, so that any package management, SBOM or vulnerability scanner system can parse and display it properly.
Meaning, the `*.nuspec` file's field `license` is correctly used by adding the package's license type, which is indeed a valid license, and its attribute `type` is not used either. Furthermore, use of the deprecated field `licenseUrl` is avoided, so it is deleted. For more details about the `*.nuspec` file, please read its reference.
Describe alternatives you've considered
Instead of using well-defined/cleanly defined `*.nuspec` files for NuGet package creation, it's possible to use package metadata fields within the package project file (`*.csproj`). Concretely, this would be the field `PackageLicenseExpression` that contains the license name. For more details, please read the NuGet package guidance's chapter "Important NuGet package metadata".
- OR -
Keep it as-is, but exchange the `license` field's value according to the license that is used. Meaning, for license Apache 2.0 this field will contain the license code `Apache-2.0`.
Additional context
Below you will find examples of how systems display the license values in the user interface.
On NuGet.org, the LICENSE file is linked:
But the license is not resolved like on other packages, for instance `System.IO.Abstractions`:
In another package management system it's handled the same way NuGet.org does:
In the following screenshot the aforementioned fields were marked. This was made from the `*.nuspec` file that is contained in the NuGet package Arc4u.Standard v5.0.11.2:
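As an added example (my own code, not from the Arc4u project or the issue author): a small Python checker that reads a `.nuspec` the way an SBOM or license scanner would, flagging the `type="file"` license value and the deprecated `licenseUrl` described in this issue and accepting only a `type="expression"` SPDX value. The two nuspec fragments are constructed for the demo; `Example.Package` and its versions are placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed .nuspec fragments (placeholders, not copied from any Arc4u package).
# "Broken" shape from the issue: license points at a file and the deprecated
# licenseUrl carries NuGet's deprecation placeholder URL.
BROKEN_NUSPEC = """<package xmlns="http://schemas.microsoft.com/packaging/2013/05/nuspec.xsd">
  <metadata>
    <id>Example.Package</id>
    <version>1.0.0-preview18</version>
    <license type="file">LICENSE</license>
    <licenseUrl>https://aka.ms/deprecateLicenseUrl</licenseUrl>
  </metadata>
</package>"""

# Fixed shape: a machine-readable SPDX expression and no licenseUrl at all.
FIXED_NUSPEC = """<package xmlns="http://schemas.microsoft.com/packaging/2013/05/nuspec.xsd">
  <metadata>
    <id>Example.Package</id>
    <version>1.0.0-preview20</version>
    <license type="expression">MIT</license>
  </metadata>
</package>"""

def _local(tag):
    """Strip the XML namespace so any nuspec schema version matches."""
    return tag.rsplit("}", 1)[-1]

def check_license(nuspec_xml):
    """Return a list of findings for one .nuspec's license metadata.
    An empty list means the package carries an SPDX license expression
    (a full scanner would additionally validate it against the SPDX list)."""
    elems = {_local(e.tag): e for e in ET.fromstring(nuspec_xml).iter()
             if _local(e.tag) in ("license", "licenseUrl")}
    findings = []
    lic = elems.get("license")
    if lic is None:
        findings.append("missing <license> element")
    else:
        kind, value = lic.get("type"), (lic.text or "").strip()
        if kind == "file":
            findings.append(f"license is a file reference ({value}), not an SPDX expression")
        elif kind != "expression" or not value:
            findings.append(f"license has no usable type attribute (type={kind!r}, value={value!r})")
    if "licenseUrl" in elems:
        findings.append("deprecated <licenseUrl> present: " + (elems["licenseUrl"].text or "").strip())
    return findings
```

Running `check_license` over the `.nuspec` extracted from a `.nupkg` (it is a zip file) gives a scanner the same signal the issue describes: an empty result for the fixed package and two findings for the broken one.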