Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Setting/overwriting license for a dependency #814

Closed
ststroppel opened this issue Feb 21, 2024 · 13 comments
Closed

Setting/overwriting license for a dependency #814

ststroppel opened this issue Feb 21, 2024 · 13 comments
Labels
enhancement New feature or request

Comments

@ststroppel
Copy link

Hi,
I've been exploring the new experimental license scanning feature and find it quite impressive. However, I believe there's a crucial functionality that seems to be missing - the ability to specify the license for a dependency.

During my testing of this feature in our npm repository, I encountered several dependencies where the license information could not be detected due to various reasons:

  • The license is not properly specified, resulting in the license being resolved as UNKNOWN. An example of this is khroma, where the dependency license is declared as a MIT but it was not retrieved correctly. I suspect the necessary information is missing within the package.json.
  • The dependency is published under two or more licenses, requiring the user to select the appropriate one. type-fest is an example of this scenario.

Therefore, I propose the addition of a feature that allows users to manually set or overwrite the detected license of a dependency, optionally for a specific version or a version range.
@another-rex another-rex added the enhancement New feature or request label Feb 22, 2024
@oliverchang
Copy link
Collaborator

CC @josieang

@arkodg
Copy link

arkodg commented Apr 15, 2024

also interested in adopting the license scanning feature in Envoy Gateway, and this issue is stopping us from adopting it at this moment, more in envoyproxy/gateway#2917

@oliverchang
Copy link
Collaborator

Thanks for the feedback all!

What would be the most convenient way for you to set this information?

@ststroppel
Copy link
Author

Thanks @oliverchang for coming back to this topic. For me, definitely a config file would be the most convenient way to set it. There are several advantages for this approach:

  • The configuration is stored in the repository and versioned
  • Additionally, we could specify some version range as the declared license of a package could change with major releases
  • The entries could be enriched by additional meta information like who approved the license and why (e.g. we have a commercial license for the package, that's why license abc is the correct one to be used)

@oliverchang
Copy link
Collaborator

@josieang (who added the license scanning feature initially) would you have some time to help with implementing this? It would also be a great opportunity to look at moving the feature out of experimental.

@josieang
Copy link
Collaborator

josieang commented Apr 17, 2024
edited
Loading

Thanks everyone for feedback on the license scanning feature! Sorry for missing this thread. I'll have time to work on this in early May.

You may have already seen it, but we have a "How are licenses determined?" section at https://docs.deps.dev/faq which explains briefly our license provenance.

@ststroppel Just curious:

Additionally, we could specify some version range as the declared license of a package could change with major releases

Why only be cautious about license changes only when major version bumps happen? Why not track any license changes for any version bump?

@ststroppel
Copy link
Author

@josieang

Why only be cautious about license changes only when major version bumps happen? Why not track any license changes for any version bump?

How do you want to track the license changes? I was rather thinking about a quite dumb overwrite of a components license.
E.g. if the package is dual licensed or the resolved license is UNKNOWN, I would select the appropriate license. In any case it could happen that a license of a package changes. I would say this happens mostly for major releases, but this is up to the user of the tool to decide e.g. by optionally providing a version range. If you need to set the license for every minor update of a package, this is quite tedious work where I personally would accept the risk that I would not detect a license change of the package if it would be changed as part of a patch release.

But I'm open to better ideas.

@shahar-h
Copy link

@ststroppel license can also be changed on minor update, e.g. terraform. In theory it can also be changed on patch update, although I don't think it's a real case. See related discussion: semver/semver#322.
Anyway, I think that users should be able to configure license override for either major/minor/patch versions of a given dependency.

@josieang
Copy link
Collaborator

Hm, that's an interesting point giving users the option to override on major, minor or patch makes sense to me.

From experience at deps.dev many ecosystems don't fully follow semver and parsing versions properly can be pretty ecosystem-specific.

It's likely guided remediation has needed to figure out how to parse versions, I will chat to @michaelkedar when he gets back from leave. But as a draft PR I'll do something pretty simple like spliting on ..

@G-Rath
Copy link
Collaborator

G-Rath commented Apr 26, 2024

@josieang I might be able to help with that too if you like - I had to understand how each versions work in each ecosystem as part of creating semantic.

That package will probably already have the info you need in order to do the comparisons, it just might not expose them (yet)

@josieang josieang mentioned this issue Apr 26, 2024
Merged
@oliverchang
Copy link
Collaborator

oliverchang commented May 1, 2024
edited
Loading

@shahar-h #949 seems related to this -- Could the same configuration mechanism be used to handle edge cases like multiple-license vs choice-of-license?

@shahar-h
Copy link

shahar-h commented May 2, 2024

@shahar-h #949 seems related to this -- Could the same configuration mechanism be used to handle edge cases like multiple-license vs choice-of-license?

I guess that you should add an override configuration that chooses the desired license in these cases.

josieang added a commit that referenced this issue Jun 6, 2024
@josieang
implement filtering by packages through the config (#944)
6d0e29e 
I'd like feedback on the config yaml schema, the filter message and it's
behaviour if the version is empty (it filters any version of that
package).

This is in response to #814
@another-rex another-rex mentioned this issue Jun 20, 2024
Merged
another-rex added a commit that referenced this issue Jun 20, 2024
@another-rex
Add documentation for the configuration. (#1051)
62fedd4 
Add documentation for the newly added config package override feature
#814
@another-rex
Copy link
Collaborator

This is now possible with the new configuration option in #944. Feel free to reopen if this does not satisfy your use case.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
7 participants
@oliverchang @G-Rath @arkodg @shahar-h @ststroppel @josieang @another-rex