Failure to determine license and flag to explicitly deny unknown licenses #672
Comments
wmmc88
changed the title
jonjanego
added
enhancement
|
For the specific reproduction PR you gave, I wasn't able to reproduce the issue in a test repository with the same
So it looks like that part may have been a transient issue on our end. On the topic of adding a fail-on-unknown-license option - I'll keep this issue open for tracking that. |
|
#714 also suggests the value of failing on unknown. |
|
The example we have run into is with this github action, Docker Scout. Clearly not an SPDX license type, so I am not saying that I would expect a different result from the dependency review action, but the ability to (a) fail when unknown and (b) possibly allow for this specific dependency to pass once the team determines it is OK to include would be nice. |
|
@jonjanego would you accept a community PR to address this? |
|
@sreya we'd definitely take a look at it! |
I think a flag to explicitly deny unknown licenses is still warranted.
The following run fails to be able to detect the license of anstyle:
https://github.com/wmmc88/windows-drivers-rs/actions/runs/7632001216/job/20791223328?pr=18
I am unsure why this is the case since the license is available here.
In any case, I still think there should be a y to fail the job if unknown license is encountered. There are situations where you wont catch this in PR comments (ex. if triggered on push, or if triggered on PR from a fork)
Originally posted by @wmmc88 in #264 (comment)
The text was updated successfully, but these errors were encountered: