Support for packages with multiple licenses #263
Comments
The latest release ( I'm leaving the bug report open until
Hello! I do have a very similar issue. We have a long Do we have an ETA?
@JPLachance we can't proceed until jslicense/spdx-satisfies.js#14 is fixed upstream. All ears if you have suggestions on how to improve the parsing of SPDX expressions!
GitHub created multiple tools to bring security into everyone's CI in the past few years. The Dependency Review action is part of the "Supply chain security" tool chain sold under the banner of GitHub Advanced Security. GitHub is collecting hundreds of thousands of dollars per year selling GitHub Advanced Security. So now, are you telling us that we are blocked by an almost year-old issue in a repository that has only 4 contributors and for which the last commit was on May 9, 2021, 2 years ago? I mean, fork it at this point 😅 I'll open yet another support case to GitHub if required to make things move.
@JPLachance Your excitement regarding the project is very motivating, thank you for your comment! It sounds like this issue is problematic for you as an Advanced Security customer (FOSS projects get GHAS for free), and in that case I think the best way to move forward is to open a support ticket, that'll help this type of work get prioritized.
Any updates on this issue? We are using many packages which use multiple licenses. Since this is a paid service, can we expect any timeline to fix it?
Hi @prakyathr thank you for following up on this. Could you clarify, do you mean you're using packages that use multiple licenses?
Hi @jonjanego, you are right. I meant packages that use multiple licenses. I fixed the typo in the comment above as well. Anyway, will it be fixed soon?
@prakyathr Thanks for clarifying! We're going to look into this and will share an update when we have more information on next steps.
One of the packages we're importing has multiple licenses based on dependent projects. The GitHub dependency-graph API returns all 3 licenses. We have each of the 3 licenses in our `allow-list`, but because this is a single string response, it's failing the dependency review.

Response from the dependency-graph API:

Proposal

For a situation like this, the action would parse the license field and use the operator (AND) to check that all 3 licenses are in our allow-list. I can see the possibility of a dual-licensed package including an `OR` (e.g. `CC-BY-4.0 OR MIT`) and so we'd want to use the operator (AND or OR) to validate against the `allow-list` or `deny-list` appropriately.

Thanks for your consideration!
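The proposal above, worked through as an added TypeScript example (not code from dependency-review-action or from the spdx-satisfies library it depends on): a small parser for SPDX expressions with AND, OR and parentheses, and a satisfiability check in which AND requires every component to pass and OR requires at least one alternative to pass; a deny-list is checked as the complement, so an expression passes only if some choice of alternatives avoids every denied license. Function names and the sample lists are assumptions; WITH exceptions are not parsed.

```typescript
// Added example, not the action's own code. Grammar subset:
//   expr := term ('OR' term)* ; term := atom ('AND' atom)* ; atom := ID | '(' expr ')'
// AND binds tighter than OR, as in the SPDX specification.
type Expr =
  | { kind: 'id'; id: string }
  | { kind: 'and' | 'or'; left: Expr; right: Expr };

function parse(input: string): Expr {
  const toks = input.replace(/[()]/g, ' $& ').trim().split(/\s+/).filter(Boolean);
  let pos = 0;
  const peek = (): string | undefined => toks[pos];
  const next = (): string | undefined => toks[pos++];
  const isOp = (t: string | undefined, op: string) => t !== undefined && t.toUpperCase() === op;
  function atom(): Expr {
    const t = next();
    if (t === undefined || t === ')' || isOp(t, 'AND') || isOp(t, 'OR')) throw new Error(`unexpected token ${t}`);
    if (t !== '(') return { kind: 'id', id: t };
    const inner = expr();
    if (next() !== ')') throw new Error('missing closing parenthesis');
    return inner;
  }
  function term(): Expr {
    let left = atom();
    while (isOp(peek(), 'AND')) { next(); left = { kind: 'and', left, right: atom() }; }
    return left;
  }
  function expr(): Expr {
    let left = term();
    while (isOp(peek(), 'OR')) { next(); left = { kind: 'or', left, right: term() }; }
    return left;
  }
  const tree = expr();
  if (pos !== toks.length) throw new Error(`trailing tokens: ${toks.slice(pos).join(' ')}`);
  return tree;
}
// AND: every component must be acceptable; OR: at least one alternative must be.
function satisfies(e: Expr, acceptable: (id: string) => boolean): boolean {
  if (e.kind === 'id') return acceptable(e.id);
  const l = satisfies(e.left, acceptable), r = satisfies(e.right, acceptable);
  return e.kind === 'and' ? l && r : l || r;
}
// allow-list: the expression must be satisfiable using only listed licenses.
const passesAllowList = (expression: string, allow: string[]): boolean =>
  satisfies(parse(expression), id => allow.includes(id));
// deny-list is the complement: satisfiable without touching any listed license.
const passesDenyList = (expression: string, deny: string[]): boolean =>
  satisfies(parse(expression), id => !deny.includes(id));
```

With the three-license AND response from the post, the check fails as soon as one of the three is missing from the allow-list, while a malformed expression such as `MIT AND` is rejected with a parse error rather than silently passing.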