bridgecrewio / checkov-action

This GitHub Action runs Checkov against infrastructure-as-code, open source packages, container images, and CI/CD configurations to identify misconfigurations, vulnerabilities, and license compliance issues.
Apache License 2.0

OSS License not properly indicated for v12.2785.0 #176

Open ethankent opened 3 months ago

ethankent commented 3 months ago

A license scan using GitHub's dependency review action indicates:

| Package | Version | License | Issue Type |
| --- | --- | --- | --- |
| bridgecrewio/checkov-action | d3328add8f0c9461fb3fe0739296f1cee85f7c2b | Null | Unknown License |

Additionally, there is no license badge showing on the Marketplace page.

I suspect a particular form field needs to get filled out when publishing.

tsmithv11 commented 3 months ago

Hi @ethankent, this repository has a license (Apache 2), so this seems like a limitation of GitHub's dependency review. Do you have an example of one that does show the proper license? I would say that we have the proper license in place, so this is not a priority for us.

ethankent commented 2 months ago

Hi @tsmithv11, thanks for the reply. Everything I see in this repository seems to indicate that the license is configured. So, I don't believe there's a problem on the repo itself. However, the license badge does seem to be missing on the Marketplace page, so possibly there's a gap in the publishing process.

If it helps, I can tell you that I see a similar action in the marketplace that doesn't have any problems with the dependency review action. It's called Trivy & I can see that it has a license badge showing correctly.