Closed oallauddin closed 1 year ago
Hi @oallauddin! Thank you for the ticket. Unfortunately, right now we can't implement adding custom licenses due to flaws in the Xray API. Currently, using the API, the user can add a random string as the name of the license, even if this custom license is not added to the list of licenses in the Xray settings. This fact can trigger unexpected behavior later, so we can't remove the field verification against the list of available licenses. Also, the Xray API doesn't have a call to get the list of licenses; this is a manual update.
@danielmkn
Below is how I pulled the list of licenses.
curl --user username:password https://artifactory.server/ui/api/v1/xray/ui/licensesNames --output xray_licenses.json
Here are the requirements before you can implement. Correct? Then we need to open a feature request with JFrog. 1) JFrog needs to expose this as a public API 2) JFrog has to add a validation to the Name and Full Name of the license
Yeah, I know you can pull it with the UI call, but we can't do it in the provider; we can only use public APIs. Your requirements are correct, and I can open the tickets for these features.
@oallauddin, I've created a feature request to add a public API to get a list of licenses in Xray. I'll update you here with the status.
Hi @oallauddin, unfortunately, the internal ticket (allowing to add custom licenses) is marked as won't fix, so we will have to manually update the list of available licenses from time to time. Allowing users to add custom licenses without verification can lead to unpredictable behavior, which we'd like to avoid.
@danielmkn Can you share the ticket number for this request to JFrog? I want to get our DevOps team to ask JFrog for an update.
Hi @oallauddin!
XRAY-12224 - Public API to get a list of licenses
XRAY-12225 - No license verification on Create License Policy call
Also, I've removed the verification from the attributes banned_licenses and allowed_licenses in 1.14.0 after confirmation from the Xray team that it won't break anything.
This way you can use any string in the license name, at least some mitigation.
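With the provider-side check on banned_licenses and allowed_licenses removed in 1.14.0, a mistyped license name is no longer rejected at plan time. The following is an added example, not code from the provider or from anyone in this thread: a pre-plan check that compares a policy's license names with the list saved by the curl call above. The layout of xray_licenses.json (a JSON array of names, or of objects with a name key), the function names and all sample values are assumptions.

```python
import json

# Constructed sample standing in for xray_licenses.json from the curl call.
# Assumption: a JSON array of names or of objects carrying a "name" key.
SAMPLE_XRAY_LICENSES = json.dumps(
    ["Apache-2.0", "MIT", {"name": "AGPL-1.0-only"}, "GPL-3.0"]
)


def load_known_licenses(raw_json):
    """Return the set of license names found in the saved Xray list."""
    known = set()
    for entry in json.loads(raw_json):
        name = entry.get("name") if isinstance(entry, dict) else entry
        if isinstance(name, str) and name.strip():
            known.add(name.strip())
    return known


def check_policy_licenses(policy_licenses, known):
    """Sort policy license names into exact matches, case-only mismatches
    (flagged for review) and names absent from the saved list."""
    by_folded = {k.casefold(): k for k in known}
    report = {"ok": [], "case_mismatch": [], "unknown": []}
    for name in policy_licenses:
        if name in known:
            report["ok"].append(name)
        elif name.casefold() in by_folded:
            report["case_mismatch"].append((name, by_folded[name.casefold()]))
        else:
            report["unknown"].append(name)
    return report


if __name__ == "__main__":
    known = load_known_licenses(SAMPLE_XRAY_LICENSES)
    # Constructed values standing in for allowed_licenses / banned_licenses.
    policy = ["Apache-2.0", "mit", "AGPL-1.0-only", "AGPL-1.0-or-later"]
    report = check_policy_licenses(policy, known)
    print(report)
    # Non-zero exit lets a CI step stop before terraform plan/apply.
    raise SystemExit(1 if report["unknown"] or report["case_mismatch"] else 0)
```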
Describe the bug
License policy that includes manually added licenses is not working. The list of licenses in Xray was not up to date with SPDX. So I manually added the licenses for AGPL-1.0-only and AGPL-1.0-or-later following the documentation. terraform plan threw errors indicating that AGPL-1.0-only and AGPL-1.0-or-later were not valid.
Example
Errors
Errors list out all of the default licenses. Seems like the manually added licenses are not included in this list for validation. List is cropped to reduce the amount of scrolling.
Versions
Artifactory version: 7.35.2
Xray version: 3.32.2
Terraform version: 1.2.5
Provider version: 1.5.1
Expected behavior
License policy will be created when the list of allowed licenses includes default licenses and manually added licenses.