actions / dependency-review-action

A GitHub Action for detecting vulnerable dependencies and invalid licenses in your PRs
MIT License

Properly resolve licenses with "OR" expressions #670

Open msalib opened 7 months ago

msalib commented 7 months ago
| Package | Version | License | Issue Type |
|---------|---------|---------|------------|
| ryu | 1.0.16 | Apache-2.0 OR BSL-1.0 | Incompatible License |

We reject the BSL-1.0 license, so I was confused why this Rust crate was getting rejected since it can be licensed under BSL-1.0 or Apache-2.0 which we accept.

febuiles commented 7 months ago

The SPDX expression parser we use is brittle (see https://github.com/actions/dependency-review-action/issues/263). I think moving to something like https://www.npmjs.com/package/@onebeyond/spdx-license-satisfies would provide a better experience and fix the issues with OR. We don't have cycles to test atm, but are happy to collaborate on community contributions.
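The behaviour msalib reports (a crate rejected under `Apache-2.0 OR BSL-1.0` although Apache-2.0 is accepted) and the OR handling febuiles refers to, as an added example that is not part of this thread and not dependency-review-action's own code: a small hand-written recursive-descent SPDX expression parser (not the `@onebeyond/spdx-license-satisfies` package mentioned above) plus a policy check that treats `OR` as "acceptable if any branch is acceptable" and `AND` as "acceptable only if every operand is". The `policy.allow` / `policy.deny` field names, the `checkLicense` and `review` helpers, and the `example-dual` crate are assumptions of this example, not the action's configuration schema or real data.

```javascript
// Added example, not code from dependency-review-action.
// Grammar (SPDX subset): expr := term ("OR" term)*; term := factor ("AND" factor)*;
// factor := LICENSE ["WITH" EXCEPTION] | "(" expr ")". AND binds tighter than OR.

function tokenize(expr) {
  // Tokens are "(", ")" or a license/exception id (letters, digits, '.', '-', '+').
  const tokens = [];
  const re = /\s*(\(|\)|[A-Za-z0-9.+-]+)/g;
  let expected = 0;
  let m;
  while ((m = re.exec(expr)) !== null) {
    // A match that does not start where the previous one ended means we skipped junk.
    if (m.index !== expected) throw new Error(`bad token near offset ${expected} in "${expr}"`);
    tokens.push(m[1]);
    expected = re.lastIndex;
  }
  if (expr.slice(expected).trim() !== "") throw new Error(`trailing input in "${expr}"`);
  return tokens;
}

function parse(expr) {
  const tokens = tokenize(expr);
  let i = 0;
  const peek = () => tokens[i];
  const next = () => tokens[i++];
  const isOp = (t, op) => typeof t === "string" && t.toUpperCase() === op;
  const isReserved = (t) => t === "(" || t === ")" || ["AND", "OR", "WITH"].some((op) => isOp(t, op));

  function parseFactor() {
    const t = next();
    if (t === undefined) throw new Error(`unexpected end of expression "${expr}"`);
    if (t === "(") {
      const inner = parseOr();
      if (next() !== ")") throw new Error(`missing ")" in "${expr}"`);
      return inner;
    }
    if (isReserved(t)) throw new Error(`unexpected "${t}" in "${expr}"`);
    // "GPL-2.0-only WITH Classpath-exception-2.0": keep the exception with its license id.
    if (isOp(peek(), "WITH")) {
      next();
      const exc = next();
      if (exc === undefined || isReserved(exc)) throw new Error(`bad WITH clause in "${expr}"`);
      return { type: "license", id: `${t} WITH ${exc}` };
    }
    return { type: "license", id: t };
  }
  function parseAnd() {
    let node = parseFactor();
    while (isOp(peek(), "AND")) { next(); node = { type: "and", left: node, right: parseFactor() }; }
    return node;
  }
  function parseOr() {
    let node = parseAnd();
    while (isOp(peek(), "OR")) { next(); node = { type: "or", left: node, right: parseAnd() }; }
    return node;
  }
  const ast = parseOr();
  if (i !== tokens.length) throw new Error(`unexpected "${peek()}" in "${expr}"`);
  return ast;
}

// True when the expression can be satisfied using only licenses the predicate accepts:
// an OR node needs one acceptable branch, an AND node needs both.
function satisfies(node, isAcceptable) {
  switch (node.type) {
    case "license": return isAcceptable(node.id);
    case "and": return satisfies(node.left, isAcceptable) && satisfies(node.right, isAcceptable);
    case "or": return satisfies(node.left, isAcceptable) || satisfies(node.right, isAcceptable);
    default: throw new Error(`unknown node type ${node.type}`);
  }
}

// Policy check in the spirit of an allow-list / deny-list (field names are this example's own).
// Returns null when the dependency is acceptable, otherwise an issue string.
function checkLicense(expr, policy) {
  const norm = (s) => s.toLowerCase(); // SPDX ids are case-insensitive
  const allowed = policy.allow ? new Set(policy.allow.map(norm)) : null;
  const denied = new Set((policy.deny || []).map(norm));
  const ok = satisfies(parse(expr), (id) => {
    const k = norm(id);
    return !denied.has(k) && (allowed === null || allowed.has(k));
  });
  return ok ? null : "Incompatible License";
}

function review(deps, policy) {
  return deps.map((d) => ({ ...d, issue: checkLicense(d.license, policy) }));
}

// Constructed input mirroring the issue: BSL-1.0 is denied, ryu is "Apache-2.0 OR BSL-1.0".
// "example-dual" is a made-up crate showing that AND with a denied license is still rejected.
const policy = { deny: ["BSL-1.0"] };
const crates = [
  { name: "ryu", version: "1.0.16", license: "Apache-2.0 OR BSL-1.0" },
  { name: "example-dual", version: "0.1.0", license: "BSL-1.0 AND MIT" },
];
console.table(review(crates, policy));
```

With this evaluation `ryu` passes (the Apache-2.0 branch of the OR is acceptable) while the constructed `BSL-1.0 AND MIT` crate is rejected; a parser that only looks for the presence of a denied id anywhere in the string, which is the brittleness described in the thread, would reject both.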

npushkarskii commented 5 months ago

Hey there, hope this one won't slip through the cracks and be fixed at some point :) Thank you for handling this issue.

febuiles commented 5 months ago

@npushkarskii https://github.com/actions/dependency-review-action/pull/719 might need tweaks, but it fixes this bug. We hope it lands somewhere in the next week or two.

If you want to start testing it today and help us get feedback you can add `uses: actions/dependency-review-action@change-spdx-parser` in your workflow file until the PR and the new version (probably v5) are merged/released.

npushkarskii commented 5 months ago

@febuiles only managed to see your comment now, sorry for the delay.

Thank you for all the info, my colleagues and I will try to play with the pre-release version you mentioned; if we get to it, I'll let you know about the results in this PR! Thank you again for your help.

npushkarskii commented 3 months ago

@febuiles Hey there, unfortunately, at our company we didn't have a chance to test a pre-release version of this action due to security policies. Sorry that I got back to you with such a delay.

Hence, I just hope that this PR will be merged anytime soon so that we'll have a new release with the fixed bug 🤞🤞 Thank you!

febuiles commented 3 months ago

cc @jonjanego

npushkarskii commented 3 weeks ago

Hey there, me again :) Any chances to see this one merged anytime soon? @febuiles

I see that the version 4.3.4 partially resolves the issue, but I'm not sure if it helped in my case 🥹

Anyway, thank you for working on that and let me know if I can be of any help (even though my ability to help appeared to be extremely limited)

febuiles commented 3 weeks ago

@npushkarskii I'm not up to date with the latest PRs, maybe @jonjanego or others can provide some guidance here.