anchore / grant

Search an SBOM for licenses and the packages they belong to
Apache License 2.0
59 stars, 3 forks

No way to deny all licenses while allowing specific ones #101

Open tapanagupta opened 1 month ago

tapanagupta commented 1 month ago

Hello,

I'm trying to create a .grant.yaml config file that would achieve the following behavior: Deny all licenses except for the ones that have corresponding 'allow' rules in .grant.yaml.

First, I tried to specify allow rules for specific licenses, as shown below, expecting that non-matching licenses would be denied. However, the resulting output allowed ALL licenses.

#.grant.yaml
config: ".grant.yaml"
format: json # table, json
show-packages: true # show the packages which contain the licenses --show-packages
non-spdx: true # list only licenses that could not be matched to an SPDX identifier --non-spdx
osi-approved: true # highlight licenses that are not OSI approved --osi-approved
rules:
    - pattern: "LGPL"
      name: "allow-lgpl"
      mode: "allow"
      reason: "LGPL is good."

Next, I tried to specify a 'deny all' rule alongside the allow rule, but this time ALL licenses were denied.

#.grant.yaml
config: ".grant.yaml"
format: json # table, json
show-packages: true # show the packages which contain the licenses --show-packages
non-spdx: true # list only licenses that could not be matched to an SPDX identifier --non-spdx
osi-approved: true # highlight licenses that are not OSI approved --osi-approved
rules:
    - pattern: "LGPL"
      name: "allow-lgpl"
      mode: "allow"
      reason: "LGPL is good."
    - pattern: "**"
      name: "deny-all"
      mode: "deny"
      reason: "Deny everything by default."

Below is the command used for running the tests (SBOM from Syft fed as input):

grant check -o json syft.spdx-json.json | jq > grant.json

In general, from my testing, I observed that when Grant is supplied with a config file, it allows all licenses by default, but when not supplied with a config file, it denies all licenses by default.

From the Grant documentation:

Grant can be used to deny specific licenses while allowing all others. It can also be used to allow specific licenses, denying all others.

Question is, how do I achieve the latter, i.e. allow specific licenses while denying all others? Thank you for looking into this issue.

spiffcs commented 1 month ago

Thanks @tapanagupta! I'll take a look at this right away because this is definitely not behaving as expected. ** should be a valid rule - does * also fail for you as well?

Here is our integration test for denial on an empty config: https://github.com/anchore/grant/blob/main/test/cli/check_test.go

I'll get this fleshed out with your case and a bit more cases so this feature is behaving as expected.

tapanagupta commented 1 month ago

Thanks for looking into this, @spiffcs! To answer your question, I ran a test using * instead of ** and got the same result.

Looking forward to further updates on this.

willpxxr commented 1 month ago

Looks like only denies have been implemented per https://github.com/anchore/grant/blob/260752c11c540d11451e255affb68bc44b42a866/grant/policy.go#L54

There is also a comment above in the policy struct w/ a todo for that feature

https://github.com/anchore/grant/blob/260752c11c540d11451e255affb68bc44b42a866/grant/policy.go#L10

So it looks like it's not possible to implement a deny by default and allow list licenses right now.
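For readers wondering what the "allow specific licenses, deny all others" behaviour requested in this issue looks like as an evaluation order, here is a small stand-alone Go sketch. It is an added example and not code from the grant project; it assumes a hypothetical policy evaluator in which allow rules take precedence over deny rules for the same license, patterns are matched case-insensitively with Go's `path.Match` glob syntax (so a bare `LGPL` would need to be written `lgpl*`), and a license that matches no rule is denied by default. None of these choices are taken from grant's own policy code.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Mode is the action a rule takes when its pattern matches a license.
type Mode string

const (
	Allow Mode = "allow"
	Deny  Mode = "deny"
)

// Rule mirrors the fields used in the .grant.yaml examples in this issue.
// Pattern semantics here are an assumption: case-insensitive path.Match globs.
type Rule struct {
	Pattern string
	Name    string
	Mode    Mode
	Reason  string
}

// Decision records whether a license is allowed and which rule decided it.
type Decision struct {
	License string
	Allowed bool
	Rule    string // name of the deciding rule, or "default-deny"
}

// Evaluate applies the rules to one license. Allow rules win over deny rules
// so that a broad "deny **" can coexist with narrow allows; if nothing
// matches, the license is denied (allowlist semantics). This precedence is
// the hypothetical behaviour being illustrated, not grant's implementation.
func Evaluate(rules []Rule, license string) Decision {
	lic := strings.ToLower(license)
	var firstDeny *Rule
	for i := range rules {
		r := &rules[i]
		ok, err := path.Match(strings.ToLower(r.Pattern), lic)
		if err != nil || !ok {
			continue // malformed pattern or no match: rule does not apply
		}
		if r.Mode == Allow {
			return Decision{License: license, Allowed: true, Rule: r.Name}
		}
		if firstDeny == nil {
			firstDeny = r // remember the deny, but keep looking for an allow
		}
	}
	if firstDeny != nil {
		return Decision{License: license, Allowed: false, Rule: firstDeny.Name}
	}
	return Decision{License: license, Allowed: false, Rule: "default-deny"}
}

// CheckAll evaluates every license and returns the denied ones, which is the
// set a CI gate would fail on.
func CheckAll(rules []Rule, licenses []string) []Decision {
	var denied []Decision
	for _, l := range licenses {
		if d := Evaluate(rules, l); !d.Allowed {
			denied = append(denied, d)
		}
	}
	return denied
}

func main() {
	// Constructed rules, modelled on the second config in the issue.
	rules := []Rule{
		{Pattern: "lgpl*", Name: "allow-lgpl", Mode: Allow, Reason: "LGPL is good."},
		{Pattern: "**", Name: "deny-all", Mode: Deny, Reason: "Deny everything by default."},
	}
	// Constructed sample of SPDX identifiers an SBOM might report.
	licenses := []string{"LGPL-2.1-only", "MIT", "GPL-3.0-only"}
	for _, d := range CheckAll(rules, licenses) {
		fmt.Printf("denied %s by rule %s\n", d.License, d.Rule)
	}
}
```

Run it with `go run .`; only MIT and GPL-3.0-only are reported as denied, while LGPL-2.1-only passes through the allow rule despite the catch-all deny. The key design point is that rule order does not matter: precedence is decided by mode, not by position, which is what lets an allowlist be expressed as "one deny-all plus some allows".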