actions / dependency-review-action

A GitHub Action for detecting vulnerable dependencies and invalid licenses in your PRs
MIT License

[BUG] unexpected addition of `AND NOASSERTION` to license when updating pywin32-ctypes #818

Open altendky opened 3 weeks ago

altendky commented 3 weeks ago

Describe the bug

When updating to pypi/pywin32-ctypes@0.2.3 from 0.2.2 the license is identified as BSD-3-Clause AND NOASSERTION instead of BSD-3-Clause. The NOASSERTION is causing an unwanted failure.

I have looked at the repo (https://github.com/enthought/pywin32-ctypes/compare/v0.2.2..v0.2.3) and I am unclear what is triggering the new AND NOASSERTION. I also looked at the wheels on PyPI and did not identify any seemingly relevant changes around the license metadata or file.

To Reproduce

https://github.com/Chia-Network/chia-blockchain/pull/18497

https://github.com/Chia-Network/chia-blockchain/actions/runs/10457582039/job/28957737729?pr=18497#step:3:23

##[debug]Filtered Changes: [{"change_type":"added","manifest":"poetry.lock","ecosystem":"pip","name":"pywin32-ctypes","version":"0.2.3","package_url":"pkg:pypi/pywin32-ctypes@0.2.3","license":"BSD-3-Clause AND NOASSERTION","source_repository_url":"https://github.com/enthought/pywin32-ctypes","scope":"runtime","vulnerabilities":[]},{"change_type":"removed","manifest":"poetry.lock","ecosystem":"pip","name":"pywin32-ctypes","version":"0.2.2","package_url":"pkg:pypi/pywin32-ctypes@0.2.2","license":"BSD-3-Clause","source_repository_url":"https://github.com/enthought/pywin32-ctypes","scope":"runtime","vulnerabilities":[]}]

Expected behavior

No change to the license is noted and it is accepted.

Screenshots

If applicable, add screenshots to help explain your problem.

Action version

What version of the action are you using in your workflow?

latest v4

elrayle commented 3 weeks ago

@altendky 👋 I wanted to give you an update. We are looking into the license data and process to understand why you are seeing the AND NOASSERTION. I, or someone else on the team, will give you an update once I've looked at the process that brought this in.

dolorsfg commented 2 weeks ago

Similar issue here for another dependency:

The validity of the licenses of the dependencies below could not be determined. Ensure that they are valid SPDX licenses:
pom.xml » org.springframework.data:spring-data-jpa@3.3.3 – License: Apache-2.0 AND NOASSERTION
Error: Dependency review could not detect the validity of all licenses.

https://github.com/dolorsfg/proves/actions/runs/10561223320
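Both reports in this thread (the pywin32-ctypes `BSD-3-Clause AND NOASSERTION` case and the spring-data-jpa `Apache-2.0 AND NOASSERTION` case) share one mechanism: an `AND`-joined SPDX expression cannot be accepted while one operand is unknown, even when the other operand is on the allow-list. The Python below is an added triage example, not code from dependency-review-action or from either reporter. It parses the `Filtered Changes` debug JSON that the action logs (a constructed sample modelled on the output quoted above), evaluates each license expression against an allow-list with three-valued logic, and lists which component is unresolved. Treating `NOASSERTION`/`NONE` as "undetermined" rather than "denied" is an assumption made here for illustration, not the action's documented rule.

```python
"""Added triage example (not dependency-review-action code): find which
component of a dependency's SPDX license expression makes the verdict
undeterminable, using the action's "Filtered Changes" debug JSON as input."""
import json
import re

OPERATORS = {"AND", "OR", "WITH"}
UNKNOWN = {"NOASSERTION", "NONE"}  # SPDX placeholders, not real licenses

# Constructed sample, trimmed from the debug lines quoted in the issue.
FILTERED_CHANGES = json.loads("""[
 {"change_type":"added","manifest":"poetry.lock","ecosystem":"pip",
  "name":"pywin32-ctypes","version":"0.2.3",
  "license":"BSD-3-Clause AND NOASSERTION","vulnerabilities":[]},
 {"change_type":"removed","manifest":"poetry.lock","ecosystem":"pip",
  "name":"pywin32-ctypes","version":"0.2.2",
  "license":"BSD-3-Clause","vulnerabilities":[]},
 {"change_type":"added","manifest":"pom.xml","ecosystem":"maven",
  "name":"org.springframework.data:spring-data-jpa","version":"3.3.3",
  "license":"Apache-2.0 AND NOASSERTION","vulnerabilities":[]}
]""")


def tokenize(expression):
    """Split an SPDX expression into parentheses, operators and identifiers."""
    return re.findall(r"\(|\)|[A-Za-z0-9.+-]+", expression)


def and3(a, b):
    """Three-valued AND: False wins, then None (undetermined), then True."""
    if a is False or b is False:
        return False
    if a is None or b is None:
        return None
    return True


def or3(a, b):
    """Three-valued OR: True wins, then None (undetermined), then False."""
    if a is True or b is True:
        return True
    if a is None or b is None:
        return None
    return False


class Parser:
    """Recursive-descent evaluator: expr := term (OR term)*,
    term := factor (AND factor)*, factor := '(' expr ')' | ID [WITH ID]."""

    def __init__(self, tokens, allowed):
        self.toks, self.pos, self.allowed = tokens, 0, allowed

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.pos += 1
        return tok

    def expr(self):
        value = self.term()
        while self.peek() == "OR":
            self.take()
            value = or3(value, self.term())
        return value

    def term(self):
        value = self.factor()
        while self.peek() == "AND":
            self.take()
            value = and3(value, self.factor())
        return value

    def factor(self):
        tok = self.take()
        if tok == "(":
            value = self.expr()
            if self.take() != ")":
                raise ValueError("unbalanced parentheses")
            return value
        if tok is None or tok in OPERATORS or tok == ")":
            raise ValueError(f"unexpected token {tok!r}")
        if self.peek() == "WITH":  # exception clause: judged by the base license
            self.take()
            self.take()
        if tok in UNKNOWN:  # assumption: unknown component -> undetermined
            return None
        return tok in self.allowed


def evaluate(expression, allowed):
    """True: allowed; False: a disallowed license is required;
    None: cannot be determined because NOASSERTION/NONE is present."""
    parser = Parser(tokenize(expression), set(allowed))
    value = parser.expr()
    if parser.peek() is not None:
        raise ValueError(f"trailing token {parser.peek()!r}")
    return value


def triage(changes, allowed):
    """Verdict plus unresolved components for every added dependency."""
    report = []
    for change in changes:
        if change["change_type"] != "added":
            continue
        expression = change["license"]
        report.append({
            "name": change["name"], "version": change["version"],
            "license": expression, "verdict": evaluate(expression, allowed),
            "unresolved": sorted(t for t in tokenize(expression) if t in UNKNOWN),
        })
    return report


if __name__ == "__main__":
    for row in triage(FILTERED_CHANGES, {"BSD-3-Clause", "Apache-2.0"}):
        print(row)
```

Run against the sample, both added packages come back with verdict `None` and `unresolved == ["NOASSERTION"]`, which is the quickest way to confirm that the failure is the unknown operand rather than the named license; the same evaluator returns `True` for `BSD-3-Clause OR NOASSERTION`, showing why the operator matters.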