Unknown License but license available via github API #704

Open
riosje opened this issue Feb 27, 2024 · 2 comments
Labels
bug Something isn't working

Comments

@riosje

riosje commented Feb 27, 2024

Hello guys, I'm facing issues using this action in one of my workflows because it always marks my action with an unknown license despite having the license properly configured everywhere.

This is the action returning the issue
https://github.com/nodesource/setup-nsolid

This is a RUN with the issue
https://github.com/nodesource/setup-nsolid/actions/runs/8065465089

This is the Workflow I'm testing
https://github.com/nodesource/setup-nsolid/blob/jeff/fixdepreview/.github/workflows/dependency-review.yaml

This is the license the GitHub API returns:
gh api /repos/nodesource/setup-nsolid/license | jq -r .license

{
  "key": "mit",
  "name": "MIT License",
  "spdx_id": "MIT",
  "url": "https://api.github.com/licenses/mit",
  "node_id": "MDc6TGljZW5zZTEz"
}

This is a pipeline to repro the issue:

name: 'Dependency Review'
on: [pull_request]

permissions:
  contents: read

jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - name: 'Checkout Repository'
        uses: actions/checkout@v4
      - name: 'Dependency Review'
        uses: actions/dependency-review-action@v4
@febuiles (Contributor)

@riosje Thanks for the report, we'll provide an update once we have more information. This is unexpected because the Action should fall back to using the same API you used to fetch a license when it can't find one, but apparently it's not:

$ gh api repos/nodesource/setup-nsolid/dependency-graph/compare/main...5bdec36
[
  {
    "change_type": "added",
    "manifest": ".github/workflows/ci.yaml",
    "ecosystem": "actions",
    "name": "nodesource/setup-nsolid",
    "version": "1.*.*",
    "package_url": "pkg:githubactions/nodesource/setup-nsolid@1.%2A.%2A",
    "license": null,
    "source_repository_url": null,
    "scope": "runtime",
    "vulnerabilities": []
...

For whoever's picking this up: I don't know if the mangled purl field could be having a bad interaction here, or if we need to double check how our license calculation is working.

@jonjanego jonjanego added the bug Something isn't working label Feb 27, 2024
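Added example, not part of this issue or of dependency-review-action: a small Python check that applies the fallback described above to the compare output quoted in this thread, filling a null license for an Actions dependency from the repository license API. The sample data, `offline_fetch` and the injectable `fetch_json` parameter are constructed stand-ins, not real API calls.

```python
import json
import re
from typing import Callable, Dict, List, Optional

# Constructed sample shaped like the `gh api .../dependency-graph/compare/...`
# output quoted above: the action's license comes back as null.
SAMPLE_COMPARE: List[dict] = json.loads("""[
  {"change_type": "added", "manifest": ".github/workflows/ci.yaml",
   "ecosystem": "actions", "name": "nodesource/setup-nsolid", "version": "1.*.*",
   "package_url": "pkg:githubactions/nodesource/setup-nsolid@1.%2A.%2A",
   "license": null, "scope": "runtime", "vulnerabilities": []},
  {"change_type": "added", "manifest": "package.json", "ecosystem": "npm",
   "name": "lodash", "version": "4.17.21", "package_url": "pkg:npm/lodash@4.17.21",
   "license": "MIT", "scope": "runtime", "vulnerabilities": []}
]""")

# Constructed stand-in for the `gh api /repos/{owner}/{repo}/license` response.
SAMPLE_LICENSE_API: Dict[str, dict] = {
    "/repos/nodesource/setup-nsolid/license": {"license": {"spdx_id": "MIT"}},
}


def offline_fetch(path: str) -> Optional[dict]:
    """Hypothetical fetcher: looks the path up in the constructed table."""
    return SAMPLE_LICENSE_API.get(path)


def action_repo(dep: dict) -> Optional[str]:
    """Return 'owner/repo' for a GitHub Actions dependency, else None.
    Only the first two path segments are kept, so 'owner/repo/subdir' works."""
    if dep.get("ecosystem") != "actions":
        return None
    m = re.match(r"^([A-Za-z0-9_.-]+)/([A-Za-z0-9_.-]+)", dep.get("name", ""))
    return f"{m.group(1)}/{m.group(2)}" if m else None


def resolve_licenses(deps: List[dict],
                     fetch_json: Callable[[str], Optional[dict]] = offline_fetch
                     ) -> Dict[str, str]:
    """Map dependency name -> SPDX id, falling back to the repo license API
    for Actions dependencies whose compare entry has license: null."""
    out: Dict[str, str] = {}
    for dep in deps:
        lic = dep.get("license")
        repo = action_repo(dep)
        if lic is None and repo is not None:
            resp = fetch_json(f"/repos/{repo}/license") or {}
            lic = (resp.get("license") or {}).get("spdx_id")
        out[dep["name"]] = lic or "unknown"
    return out
```

Swapping `offline_fetch` for a function that runs `gh api` against the path would turn this into the cross-check the reporter did by hand.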
@panthony

@febuiles I have the same issue, ex:


Whereas if I download the SBOM via GitHub API I can see:

    {
      "SPDXID": "SPDXRef-maven-com.google.api.grpc-grpc-google-cloud-storage-v2-2.16.0-alpha",
      "name": "maven:com.google.api.grpc:grpc-google-cloud-storage-v2",
      "versionInfo": "2.16.0-alpha",
      "downloadLocation": "NOASSERTION",
      "filesAnalyzed": false,
      "licenseConcluded": "Apache-2.0",
      "supplier": "NOASSERTION",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceLocator": "pkg:maven/com.google.api.grpc/grpc-google-cloud-storage-v2@2.16.0-alpha",
          "referenceType": "purl"
        }
      ]
    },

Unfortunately, using the /dependency-graph API I do have the license missing too.

  {
    "change_type": "added",
    "manifest": "settings.gradle",
    "ecosystem": "maven",
    "name": "com.google.api.grpc:grpc-google-cloud-storage-v2",
    "version": "2.35.0-alpha",
    "package_url": "pkg:maven/com.google.api.grpc/grpc-google-cloud-storage-v2@2.35.0-alpha",
    "license": null,
    "source_repository_url": null,
    "scope": "runtime",
    "vulnerabilities": []
  },
