jfrog / terraform-provider-xray

Terraform provider to manage JFrog Xray
https://jfrog.com/xray/
Apache License 2.0

License policy with manually added licenses #74

Closed oallauddin closed 1 year ago

oallauddin commented 2 years ago

Describe the bug

License policy that includes manually added licenses is not working. The list of licenses in Xray was not up to date with SPDX, so I manually added the licenses for AGPL-1.0-only and AGPL-1.0-or-later following the documentation. terraform plan threw errors indicating that AGPL-1.0-only and AGPL-1.0-or-later were not valid.

Example

resource "xray_license_policy" "kc_license_policy" {
  name        = "xray-license-policy"
  description = "Xray License Policy"
  type        = "license"
  project_key = "test"

  rule {
    name     = "xray-license-rule"
    priority = 1

    criteria {
      allowed_licenses         = ["AGPL-1.0-only", "AGPL-1.0-or-later"]
      allow_unknown            = false
      multi_license_permissive = true
    }

    actions {
      webhooks                          = []
      mails                             = []
      block_release_bundle_distribution = false
      fail_build                        = false
      notify_watch_recipients           = false
      notify_deployer                   = false
      create_ticket_enabled             = false // set to true only if Jira integration is enabled
      custom_severity                   = "High"
      //build_failure_grace_period_in_days = 5     // use only if fail_build is enabled

      block_download {
        unscanned = false
        active    = false
      }
    }
  }
}

Errors

Errors list out all of the default licenses. It seems like the manually added licenses are not included in this list for validation. The list is cropped to reduce the amount of scrolling.

Error: expected allowed_licenses to be one of [0BSD AAL Abstyles Adobe-2006 Adobe-Glyph ADSL AFL-1.1 AFL-1.2 AFL-2.0 AFL-2.1 AFL-3.0 Afmparse AGPL-1.0 AGPL-3.0 AGPL-3.0-only AGPL-3.0-or-later Aladdin AMDPLPA AML AMPAS ANTLR-PD Apache-1.0 Apache-1.1 Apache-2.0 APAFML APL-1.0 APSL-1.0 APSL-1.1 APSL-1.2 APSL-2.0 Artistic-1.0 Artistic-1.0-cl8 Artistic-1.0-Perl Artistic-2.0 ... UPL-1.0 Vim VIM License wxWindows X11 Xerox XFree86-1.1 Zimbra-1.4 ZLIB Zlib zlib-acknowledgement ZPL-1.1 ZPL-2.0 ZPL-2.1], got AGPL-1.0-or-later
Error: expected allowed_licenses to be one of [0BSD AAL Abstyles Adobe-2006 Adobe-Glyph ADSL AFL-1.1 AFL-1.2 AFL-2.0 AFL-2.1 AFL-3.0 Afmparse AGPL-1.0 AGPL-3.0 AGPL-3.0-only AGPL-3.0-or-later Aladdin AMDPLPA AML AMPAS ANTLR-PD Apache-1.0 Apache-1.1 Apache-2.0 APAFML APL-1.0 APSL-1.0 APSL-1.1 APSL-1.2 APSL-2.0 Artistic-1.0 Artistic-1.0-cl8 Artistic-1.0-Perl Artistic-2.0 ... UPL-1.0 Vim VIM License wxWindows X11 Xerox XFree86-1.1  Zimbra-1.4 ZLIB Zlib zlib-acknowledgement ZPL-1.1 ZPL-2.0 ZPL-2.1], got AGPL-1.0-only

Versions

Artifactory version: 7.35.2
Xray version: 3.32.2
Terraform version: 1.2.5
Provider version: 1.5.1

Expected behavior

The license policy will be created when the list of allowed licenses includes default licenses and manually added licenses.

Screenshots

(Screenshots not reproduced: AGPL-1.0 licenses, AGPL-1.0-or-later, AGPL-1.0-only as shown in the Xray licenses settings.)

danielmkn commented 2 years ago

Hi @oallauddin! Thank you for the ticket. Unfortunately, right now we can't implement adding custom licenses due to flaws in the Xray API. Currently, using the API, the user can add a random string as the name of the license, even if this custom license is not added to the list of licenses in the Xray settings. This fact can trigger unexpected behavior later, so we can't remove the field verification against the list of available licenses. Also, the Xray API doesn't have a call to get the list of licenses; this is a manual update.

oallauddin commented 2 years ago

@danielmkn Below is how I pulled the list of licenses.

curl --user username:password https://artifactory.server/ui/api/v1/xray/ui/licensesNames --output xray_licenses.json

Here are the requirements before you can implement. Correct? Then we need to open a feature request with JFrog.
1) JFrog needs to expose this as a public API
2) JFrog has to add validation of the Name and Full Name of the license

danielmkn commented 2 years ago

Yeah, I know you can pull it with the UI call, but we can't do it in the provider, we only can use public APIs. Your requirements are correct, I can open the tickets for these features.

danielmkn commented 2 years ago

@oallauddin, I've created a feature request to add a public API to get a list of licenses in Xray. I'll update you here with the status.

danielmkn commented 1 year ago

Hi @oallauddin, unfortunately, the internal ticket (allowing to add custom licenses) is marked as won't fix, so we will have to manually update the list of available licenses from time to time. Allowing users to add custom licenses without verification can lead to unpredictable behavior, which we'd like to avoid.

oallauddin commented 1 year ago

@danielmkn Can you share the ticket number for this request to JFrog? I want to get our DevOps team to ask JFrog for an update.

danielmkn commented 1 year ago

Hi @oallauddin!

XRAY-12224 - Public API to get a list of licenses
XRAY-12225 - No license verification on Create License Policy call

Also, I've removed the verification from the attributes banned_licenses and allowed_licenses in 1.14.0 after confirmation from the Xray team that it won't break anything. This way you can use any string in the license name, at least some mitigation.
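With the provider-side check gone as of 1.14.0, a misspelled or not-yet-added license name in allowed_licenses or banned_licenses is accepted by Terraform and by the Create License Policy call, and the resulting policy simply never matches that license. The script below is an added example, not code from this thread or from the provider: it reproduces the dropped check locally as a pre-plan step, using the licensesNames UI endpoint that was pulled with curl above plus whatever custom licenses you added in the Xray settings. The response shape of that endpoint is not documented here, so the parser assumes either a plain JSON list of names or a list of objects with a "name" key; the license list and the .tf snippet embedded below are constructed samples, and the function names are my own.

```python
import json
import re
import sys

# Constructed sample standing in for the body of
# https://<artifactory>/ui/api/v1/xray/ui/licensesNames. The real response shape
# is an assumption (list of names, or list of objects with a "name" key).
SAMPLE_LICENSES_JSON = json.dumps([
    "0BSD", "AGPL-1.0", "AGPL-3.0", "AGPL-3.0-only", "AGPL-3.0-or-later",
    "Apache-2.0", "MIT", "ZLIB", "Zlib", "zlib-acknowledgement",
])

# Constructed .tf snippet: the two names from the issue plus a casing slip.
SAMPLE_TF = '''
resource "xray_license_policy" "kc_license_policy" {
  name = "xray-license-policy"
  type = "license"
  rule {
    name     = "xray-license-rule"
    priority = 1
    criteria {
      allowed_licenses = ["AGPL-1.0-only", "AGPL-1.0-or-later", "Apache-2.0"]
      banned_licenses  = ["zlib"]
      allow_unknown    = false
    }
  }
}
'''

# Only the string literals inside the two list attributes are needed, so a
# regex is enough here; this is not a general HCL parser.
_LIST_ATTR = re.compile(r'\b(allowed_licenses|banned_licenses)\s*=\s*\[(.*?)\]', re.S)
_STRING = re.compile(r'"((?:[^"\\]|\\.)*)"')


def parse_license_names(body):
    """Extract license names from the licensesNames JSON (shape assumed, see above)."""
    names = set()
    for item in json.loads(body):
        if isinstance(item, str):
            names.add(item)
        elif isinstance(item, dict) and "name" in item:
            names.add(item["name"])
    return names


def licenses_in_tf(tf_text):
    """Return {attribute: [names]} for every allowed_/banned_licenses list, in file order."""
    found = {}
    for m in _LIST_ATTR.finditer(tf_text):
        attr, body = m.group(1), m.group(2)
        found.setdefault(attr, []).extend(s.group(1) for s in _STRING.finditer(body))
    return found


def check_policy_licenses(tf_text, known, custom=()):
    """Report names the provider rejected before 1.14.0 and Xray now silently accepts.

    `known` is the Xray list, `custom` is what you added by hand in Xray settings.
    Matching is exact and case-sensitive on purpose: Xray lists both "ZLIB" and
    "Zlib", so a case-insensitive match is only offered as a hint.
    Returns a list of (attribute, name, hint); an empty list means clean.
    """
    accepted = set(known) | set(custom)
    by_lower = {}
    for n in accepted:
        by_lower.setdefault(n.lower(), []).append(n)
    problems = []
    for attr, names in licenses_in_tf(tf_text).items():
        for name in names:
            if name in accepted:
                continue
            near = by_lower.get(name.lower())
            hint = f"did you mean {sorted(near)}?" if near else "not in the Xray license list"
            problems.append((attr, name, hint))
    return problems


def main(argv):
    # Usage: python check_licenses.py policy.tf ... < xray_licenses.json
    # With no arguments the constructed samples above are checked instead.
    if argv[1:]:
        known = parse_license_names(sys.stdin.read())
        tf_text = "".join(open(p, encoding="utf-8").read() for p in argv[1:])
    else:
        known, tf_text = parse_license_names(SAMPLE_LICENSES_JSON), SAMPLE_TF
    problems = check_policy_licenses(tf_text, known)
    for attr, name, hint in problems:
        print(f"{attr}: {name!r} {hint}")
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it in CI before terraform plan and fail the pipeline on a non-zero exit; once you have actually added a license in Xray, pass it via the `custom` argument so the check stays honest about what the server will recognize.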