cds-snc / covid-alert-server

Exposure Notification: Diagnosis Server implementation / Notification d’exposition : Mise en œuvre du serveur de diagnostic
Apache License 2.0

Investigate impact of MPL 2.0 Licenses in included modules. #353

Closed CalvinRodo closed 3 years ago

CalvinRodo commented 3 years ago

Snyk has identified some MPL 2.0 licenses as a vulnerability; we need to identify the impact of these licenses in our project.

https://tldrlegal.com/license/mozilla-public-license-2.0-(mpl-2)
https://spdx.org/licenses/MPL-2.0.html

Detailed paths

Introduced through: github.com/cds-snc/covid-alert-server@0.0.0 › github.com/go-sql-driver/mysql@1.5.0
Introduced through: github.com/cds-snc/covid-alert-server@0.0.0 › github.com/spf13/viper@1.7.0 › github.com/hashicorp/hcl@1.0.0
Introduced through: github.com/cds-snc/covid-alert-server@0.0.0 › github.com/spf13/viper@1.7.0 › github.com/hashicorp/hcl/hcl/printer@1.0.0
Introduced through: github.com/cds-snc/covid-alert-server@0.0.0 › github.com/spf13/viper@1.7.0 › github.com/hashicorp/hcl@1.0.0 › github.com/hashicorp/hcl/json/parser@1.0.0
Introduced through: github.com/cds-snc/covid-alert-server@0.0.0 › github.com/spf13/viper@1.7.0 › github.com/hashicorp/hcl@1.0.0 › github.com/hashicorp/hcl/hcl/ast@1.0.0
Introduced through: github.com/cds-snc/covid-alert-server@0.0.0 › github.com/spf13/viper@1.7.0 › github.com/hashicorp/hcl/hcl/printer@1.0.0 › github.com/hashicorp/hcl/hcl/ast@1.0.0
Introduced through: github.com/cds-snc/covid-alert-server@0.0.0 › github.com/spf13/viper@1.7.0 › github.com/hashicorp/hcl@1.0.0 › github.com/hashicorp/hcl/hcl/parser@1.0.0
Introduced through: github.com/cds-snc/covid-alert-server@0.0.0 › github.com/spf13/viper@1.7.0 › github.com/hashicorp/hcl/hcl/printer@1.0.0 › github.com/hashicorp/hcl/hcl/parser@1.0.0
Introduced through: github.com/cds-snc/covid-alert-server@0.0.0 › github.com/spf13/viper@1.7.0 › github.com/hashicorp/hcl@1.0.0 › github.com/hashicorp/hcl/hcl/token@1.0.0
Introduced through: github.com/cds-snc/covid-alert-server@0.0.0 › github.com/spf13/viper@1.7.0 › github.com/hashicorp/hcl/hcl/printer@1.0.0 › github.com/hashicorp/hcl/hcl/token@1.0.0
Introduced through: github.com/cds-snc/covid-alert-server@0.0.0 › github.com/spf13/viper@1.7.0 › github.com/hashicorp/hcl@1.0.0 › github.com/hashicorp/hcl/json/parser@1.0.0 › github.com/hashicorp/hcl/json/scanner@1.0.0
Introduced through: github.com/cds-snc/covid-alert-server@0.0.0 › github.com/spf13/viper@1.7.0 › github.com/hashicorp/hcl/hcl/printer@1.0.0 › github.com/hashicorp/hcl/hcl/parser@1.0.0 › github.com/hashicorp/hcl/hcl/scanner@1.0.0
Introduced through: github.com/cds-snc/covid-alert-server@0.0.0 › github.com/spf13/viper@1.7.0 › github.com/hashicorp/hcl/hcl/printer@1.0.0 › github.com/hashicorp/hcl/hcl/token@1.0.0 › github.com/hashicorp/hcl/hcl/strconv@1.0.0
Introduced through: github.com/cds-snc/covid-alert-server@0.0.0 › github.com/spf13/viper@1.7.0 › github.com/hashicorp/hcl@1.0.0 › github.com/hashicorp/hcl/json/parser@1.0.0 › github.com/hashicorp/hcl/hcl/ast@1.0.0
Introduced through: github.com/cds-snc/covid-alert-server@0.0.0 › github.com/spf13/viper@1.7.0 › github.com/hashicorp/hcl/hcl/printer@1.0.0 › github.com/hashicorp/hcl/hcl/parser@1.0.0 › github.com/hashicorp/hcl/hcl/ast@1.0.0
Introduced through: github.com/cds-snc/covid-alert-server@0.0.0 › github.com/spf13/viper@1.7.0 › github.com/hashicorp/hcl/hcl/printer@1.0.0 › github.com/hashicorp/hcl/hcl/parser@1.0.0 › github.com/hashicorp/hcl/hcl/token@1.0.0
Introduced through: github.com/cds-snc/covid-alert-server@0.0.0 › github.com/spf13/viper@1.7.0 › github.com/hashicorp/hcl@1.0.0 › github.com/hashicorp/hcl/json/parser@1.0.0 › github.com/hashicorp/hcl/hcl/token@1.0.0
Introduced through: github.com/cds-snc/covid-alert-server@0.0.0 › github.com/spf13/viper@1.7.0 › github.com/hashicorp/hcl@1.0.0 › github.com/hashicorp/hcl/json/parser@1.0.0 › github.com/hashicorp/hcl/json/token@1.0.0
Introduced through: github.com/cds-snc/covid-alert-server@0.0.0 › github.com/spf13/viper@1.7.0 › github.com/hashicorp/hcl/hcl/printer@1.0.0 › github.com/hashicorp/hcl/hcl/parser@1.0.0 › github.com/hashicorp/hcl/hcl/ast@1.0.0 › github.com/hashicorp/hcl/hcl/token@1.0.0
Introduced through: github.com/cds-snc/covid-alert-server@0.0.0 › github.com/spf13/viper@1.7.0 › github.com/hashicorp/hcl@1.0.0 › github.com/hashicorp/hcl/json/parser@1.0.0 › github.com/hashicorp/hcl/json/token@1.0.0 › github.com/hashicorp/hcl/hcl/token@1.0.0
Introduced through: github.com/cds-snc/covid-alert-server@0.0.0 › github.com/spf13/viper@1.7.0 › github.com/hashicorp/hcl/hcl/printer@1.0.0 › github.com/hashicorp/hcl/hcl/parser@1.0.0 › github.com/hashicorp/hcl/hcl/scanner@1.0.0 › github.com/hashicorp/hcl/hcl/token@1.0.0
Introduced through: github.com/cds-snc/covid-alert-server@0.0.0 › github.com/spf13/viper@1.7.0 › github.com/hashicorp/hcl@1.0.0 › github.com/hashicorp/hcl/json/parser@1.0.0 › github.com/hashicorp/hcl/json/scanner@1.0.0 › github.com/hashicorp/hcl/json/token@1.0.0
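The Snyk paths above answer the question "how does an MPL-2.0 module get into the build?": go-sql-driver/mysql is a direct requirement, while every hashicorp/hcl package arrives only through spf13/viper. The following is an added example (editorial, not code from the covid-alert-server project) of reproducing that impact analysis from `go mod graph` output, so the result can be checked independently of the scanner. The module graph excerpt and the module-to-license inventory are constructed sample input; the MIT and ISC entries are hypothetical placeholders for the non-flagged modules.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// modGraph is a constructed excerpt in the format `go mod graph` prints:
// "parent child" per line, nodes as path@version, the root without a version.
// Sample input for this example, not a dump from the project's repository.
const modGraph = `github.com/cds-snc/covid-alert-server github.com/go-sql-driver/mysql@v1.5.0
github.com/cds-snc/covid-alert-server github.com/spf13/viper@v1.7.0
github.com/spf13/viper@v1.7.0 github.com/hashicorp/hcl@v1.0.0
github.com/spf13/viper@v1.7.0 github.com/spf13/cast@v1.3.0
github.com/hashicorp/hcl@v1.0.0 github.com/davecgh/go-spew@v1.1.1
`

const root = "github.com/cds-snc/covid-alert-server"

// licenses is a constructed module -> SPDX identifier inventory, as an SBOM
// or scanner report would supply it (MIT/ISC values are hypothetical).
var licenses = map[string]string{
	"github.com/go-sql-driver/mysql": "MPL-2.0",
	"github.com/hashicorp/hcl":       "MPL-2.0",
	"github.com/spf13/viper":         "MIT",
	"github.com/spf13/cast":          "MIT",
	"github.com/davecgh/go-spew":     "ISC",
}

// Finding is one flagged module plus the requirement chain that introduces it.
// A direct requirement can be swapped by the project; a transitive one cannot
// be removed without changing or replacing its parent.
type Finding struct {
	Module, Version, License string
	Path                     []string // root ... module, as path@version nodes
	Direct                   bool     // the root module requires it itself
}

// parseGraph builds an adjacency list from `go mod graph` text.
func parseGraph(s string) map[string][]string {
	g := make(map[string][]string)
	sc := bufio.NewScanner(strings.NewReader(s))
	for sc.Scan() {
		if f := strings.Fields(sc.Text()); len(f) == 2 {
			g[f[0]] = append(g[f[0]], f[1])
		}
	}
	return g
}

func splitNode(n string) (path, version string) {
	if i := strings.IndexByte(n, '@'); i >= 0 {
		return n[:i], n[i+1:]
	}
	return n, ""
}

func onPath(path []string, n string) bool {
	for _, p := range path {
		if p == n {
			return true
		}
	}
	return false
}

// findFlagged walks every requirement chain from root and records each chain
// that ends at a module whose license is in flagged, one Finding per distinct
// chain (the same shape as Snyk's "Introduced through" list). Cycles are skipped.
func findFlagged(graph map[string][]string, root string, licenses map[string]string, flagged map[string]bool) []Finding {
	var out []Finding
	var walk func(node string, path []string)
	walk = func(node string, path []string) {
		if p, v := splitNode(node); flagged[licenses[p]] {
			chain := append([]string(nil), path...) // copy: path's backing array may be reused
			out = append(out, Finding{Module: p, Version: v, License: licenses[p], Path: chain, Direct: len(chain) == 2})
		}
		for _, child := range graph[node] {
			if !onPath(path, child) {
				walk(child, append(path, child))
			}
		}
	}
	walk(root, []string{root})
	sort.Slice(out, func(i, j int) bool {
		if out[i].Module != out[j].Module {
			return out[i].Module < out[j].Module
		}
		return strings.Join(out[i].Path, " ") < strings.Join(out[j].Path, " ")
	})
	return out
}

// report renders findings one per line with the introducing chain.
func report(fs []Finding) string {
	var b strings.Builder
	for _, f := range fs {
		kind := "transitive"
		if f.Direct {
			kind = "direct"
		}
		fmt.Fprintf(&b, "%s@%s (%s, %s): %s\n", f.Module, f.Version, f.License, kind, strings.Join(f.Path, " > "))
	}
	return b.String()
}

func main() {
	fmt.Print(report(findFlagged(parseGraph(modGraph), root, licenses, map[string]bool{"MPL-2.0": true})))
}
```

On the sample graph this reports mysql as direct and hcl as transitive via viper. One caveat when running it against a real `go mod graph` dump: that command lists the full requirement graph, including module versions that minimal version selection does not actually build, so confirm a chain with `go mod why -m <module>` and the selected versions with `go list -m all` before deciding the impact.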

CalvinRodo commented 3 years ago

We are compliant with MPL 2.0: since we aren't modifying our dependencies we don't have to license under MPL 2.0, and since we aren't distributing an executable we don't have to distribute the MPL 2.0 license with it.

This may change if we go on a public Container Registry.

I'm looking to ignore the Snyk warnings through a .snyk file; I have to wait for a response from Snyk support before I do this.

CalvinRodo commented 3 years ago

Analysis is done, closing in favour of mitigation issue #354.