-
Notifications
You must be signed in to change notification settings - Fork 3.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add FOSSA license scan report and status #12023
Conversation
Signed off by: fossabot <[email protected]>
For reference, I thought this was failing due to a build error on FOSSA's side (as it is not building daily despite me setting it that way), but it was actually due to license issues. Getting it to pass required me to "ignore" a handful of license issues that FOSSA found. Basically they were all false positives along the lines of FOSSA seeing GPL and reporting an "issue" without further context (where is it used, dev or prod? is it dual licensed?). 5/6 of the license issues were FOSSA “discovering” a different license in the codebase than "declared" in a dep’s LICENSE file:
The last dep was
I added all those details in the ignore comments on FOSSA as well. |
Also I did have an earlier historical ignore, |
Had a few deps recently flagged that were all MPL. I ignored those with the comment "We do not modify nor relicense code of dependencies. Argo/CNCF is Apache licensed, which is compatible with MPL". Impacted transitive deps were:
|
Most recent false positive was on Go's "This is the Go standard module crypto library. It follows the same license as the rest of Golang. Can also see its license in the linked repo: https://go.googlesource.com/crypto/+/refs/heads/master/LICENSE as well as its mirror on GitHub: https://github.com/golang/crypto/blob/master/LICENSE" EDIT: FOSSA has resolved this now after I flagged it. |
I did also flag all these to FOSSA recently, but for most of them they said they have no "warning" system when something is dual licensed and one of the licenses is compatible, so it will currently always raise a flag 😕
FOSSA staff kindly pointed out that newer
And they removed this false positive from their DB once they realized it was in test data and not prod code |
Ah and |
Your FOSSA integration was successful! Attached in this PR is a badge and license report to track scan status in your README.
Below are docs for integrating FOSSA license checks into your CI: