search

actions / dependency-review-action

A GitHub Action for detecting vulnerable dependencies and invalid licenses in your PRs
MIT License
616 stars 107 forks source link

Adding a license in 'allow-dependencies-licenses' does not prevent it from being populated in "invalid-license-changes" #764

Open sreya opened 7 months ago

sreya commented 7 months ago

My expectation is that adding a license to allow-dependencies-licenses should prevent it from being populated in the invalid-license-changes output however that doesn't seem to be the case with the action below. Is this a bug or are my expectations for the output incorrect? If I misunderstood, how do I manually approve unlicensed packages so that they do not fail the job

  dependency-license-review:
    runs-on: ubuntu-latest
    if: github.ref != 'refs/heads/main'
    steps:
      - name: "Checkout Repository"
        uses: actions/checkout@v4
      - name: "Dependency Review"
        id: review
        # TODO: Replace this with the latest release once https://github.com/actions/dependency-review-action/pull/761 is merged.
        uses: actions/dependency-review-action@49fbbe0acb033b7824f26d00b005d7d598d76301
        with:
          allow-licenses: Apache-2.0, BSD-2-Clause, BSD-3-Clause, CC0-1.0, ISC, MIT, MIT-0, MPL-2.0
          allow-dependencies-licenses: "pkg:golang/github.com/pelletier/go-toml/v2, pkg:golang/gopkg.in/DataDog/dd-trace-go.v1@1.63.1"
          license-check: true
          vulnerability-check: false
      - name: "Report"
        # make sure this step runs even if the previous failed
        if: always()
        shell: bash
        env:
          VULNERABLE_CHANGES: ${{ steps.review.outputs.invalid-license-changes }}
        run: |
          fields=( "unlicensed" "unresolved" "forbidden" )
          for field in "${fields[@]}"; do
            # Use jq to check if the array is not empty
            if [[ $(echo "$VULNERABLE_CHANGES" | jq ".${field} | length") -ne 0 ]]; then
              echo "$VULNERABLE_CHANGES" | jq
              exit 1
            fi
          done
          echo "No incompatible licenses detected"
{
  "unlicensed": [
    {
      "change_type": "added",
      "manifest": "go.mod",
      "ecosystem": "gomod",
      "name": "gopkg.in/DataDog/dd-trace-go.v1",
      "version": "1.63.1",
      "package_url": "pkg:golang/gopkg.in/DataDog/dd-trace-go.v1@1.63.1",
      "license": null,
      "source_repository_url": null,
      "scope": "runtime",
      "vulnerabilities": []
    }
  ],
  "unresolved": [],
  "forbidden": []
}
juxtin commented 7 months ago

Hi @sreya, thanks for the report. At first glance, it looks like the problem is that some of these package-urls technically violate the spec so they aren't being parsed as one might expect.

According to the purl-spec, the "name" segment must be a percent-encoded string. In your case, that means you should have:

where %2f is the percent encoding of /.

I think this will probably fix your issue. At the same time, I agree that this is kind of an annoying aspect of the purl spec, so I've also created https://github.com/actions/dependency-review-action/pull/765 to make our parser a little more permissive.

sreya commented 6 months ago

Hi @juxtin I'm still receiving an error when updating to your commit 🤔 . I even tried url encoding to no avail...here's the output/workflow file:

  dependency-license-review:
    runs-on: ubuntu-latest
    if: github.ref != 'refs/heads/main'
    steps:
      - name: "Checkout Repository"
        uses: actions/checkout@v4
      - name: "Dependency Review"
        id: review
        # TODO: Replace this with the latest release once https://github.com/actions/dependency-review-action/pull/761 is merged.
        uses: actions/dependency-review-action@82ab8f69c78827a746628706b5d2c3f87231fd4c
        with:
          allow-licenses: Apache-2.0, BSD-2-Clause, BSD-3-Clause, CC0-1.0, ISC, MIT, MIT-0, MPL-2.0
          allow-dependencies-licenses: "pkg:golang/github.com/pelletier/go-toml/v2,pkg:golang/gopkg.in/DataDog%2fdd-trace-go.v1@1.63.1"
          license-check: true
          vulnerability-check: false
      - name: "Report"
        # make sure this step runs even if the previous failed
        if: always()
        shell: bash
        env:
          VULNERABLE_CHANGES: ${{ steps.review.outputs.invalid-license-changes }}
        run: |
          fields=( "unlicensed" "unresolved" "forbidden" )
          for field in "${fields[@]}"; do
            # Use jq to check if the array is not empty
            if [[ $(echo "$VULNERABLE_CHANGES" | jq ".${field} | length") -ne 0 ]]; then
              echo "$VULNERABLE_CHANGES" | jq
              exit 1
            fi
          done
          echo "No incompatible licenses detected"

{
  "unlicensed": [
    {
      "change_type": "added",
      "manifest": "go.mod",
      "ecosystem": "gomod",
      "name": "gopkg.in/DataDog/dd-trace-go.v1",
      "version": "1.63.1",
      "package_url": "pkg:golang/gopkg.in/DataDog/dd-trace-go.v1@1.63.1",
      "license": null,
      "source_repository_url": null,
      "scope": "runtime",
      "vulnerabilities": []
    }
  ],
  "unresolved": [],
  "forbidden": []
}
spikecurtis commented 6 months ago

Poking through the code, it looks like exclusions are processed by parsing the "package_url": https://github.com/actions/dependency-review-action/blob/339e2e1bfc0e9334ee554fd4dcfd5f611f94ec14/src/licenses.ts#L48

In the above case, the package URL from gomod is "pkg:golang/gopkg.in/DataDog/dd-trace-go.v1@1.63.1" which does not have the slashes escaped. So, shouldn't the list of packages we want to ignore follow the same format (even if it's ambiguous vs the spec)?

Either way, I can't convince it to ignore packages, escaping the / or not.

sreya commented 5 months ago

Hi @juxtin any update here? Mainly wondering if there's a workaround we can use

juxtin commented 5 months ago

Apologies everyone, it looks like we still have a discrepancy somewhere in how we represent or parse Go purls somewhere. We'll have to dig into this a bit more to narrow that down.

sreya commented 4 months ago

Just an update I found another purl that doesn't appear to work:

      - name: "Dependency Review"
        id: review
        uses: actions/dependency-review-action@v4.3.2
        with:
          allow-licenses: Apache-2.0, 0BSD, BSD-2-Clause, BSD-3-Clause, CC0-1.0, ISC, MIT, MIT-0, MPL-2.0
          allow-dependencies-licenses: "pkg:golang/github.com/coder/wgtunnel@0.1.13-0.20240522110300-ade90dfb2da0, pkg:npm/pako@1.0.11, pkg:npm/caniuse-lite@1.0.30001639, pkg:githubactions/alwaysmeticulous/report-diffs-action/cloud-compute"
          license-check: true
          vulnerability-check: false

Still returns an unknown 

    VULNERABLE_CHANGES: {"unlicensed":[{"change_type":"added","manifest":".github/workflows/ci.yaml","ecosystem":"actions","name":"alwaysmeticulous/report-diffs-action/cloud-compute","version":"1.*.*","package_url":"pkg:githubactions/alwaysmeticulous/report-diffs-action/cloud-compute@1.%2A.%2A","license":null,"source_repository_url":null,"scope":"runtime","vulnerabilities":[]}],"unresolved":[],"forbidden":[]}