add exceptions
shahar-h committed Sep 4, 2024
1 parent 24cccc9 commit 96fc975
Showing 4 changed files with 125 additions and 5 deletions.
4 changes: 3 additions & 1 deletion .github/workflows/license-scan.yml
Expand Up @@ -26,4 +26,6 @@ jobs:
--experimental-licenses=Apache-2.0,BSD-2-Clause,BSD-2-Clause-FreeBSD,BSD-3-Clause,MIT,ISC,Python-2.0,PostgreSQL,X11,Zlib
--no-call-analysis=go
./
continue-on-error: true # TODO remove once all issues are resolved
# TODO remove once github.com/hashicorp/go-getter gets license exception in CNCF or removed from the project
# See https://github.com/cncf/foundation/issues/624
continue-on-error: true
1 change: 0 additions & 1 deletion .github/workflows/osv-scanner.yml
Expand Up @@ -42,7 +42,6 @@ jobs:
scan-args: |-
--skip-git
--recursive
--config=tools/osv-scanner/config.toml
--no-call-analysis=go
./
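--- a/osv-scanner.toml
+++ b/osv-scanner.toml
@@ -0,0 +1,122 @@
+[[IgnoredVulns]]
+id = "GO-2022-0646"
+reason = "No a real issue, just a warning about third party package."
+
+[[PackageOverrides]]
+name = "github.com/AdaLogics/go-fuzz-headers"
+version = "0.0.0-20230811130428-ced1acdcaa24"
+ecosystem = "Go"
+license.override = ["Apache-2.0"]
+reason = "Unknown license since package version is missing in pkg.go.dev"
+
+[[PackageOverrides]]
+name = "github.com/asaskevich/govalidator"
+version = "0.0.0-20230301143203-a9d515a09cc2"
+ecosystem = "Go"
+license.override = ["MIT"]
+reason = "Unknown license, remove once https://github.com/google/deps.dev/issues/87 is resolved"
+
+[[PackageOverrides]]
+name = "github.com/containers/storage"
+version = "1.55.0"
+ecosystem = "Go"
+license.override = ["Apache-2.0"]
+reason = "Unknown license, remove once https://github.com/google/deps.dev/issues/104 is resolved"
+
+[[PackageOverrides]]
+name = "github.com/distribution/distribution/v3"
+version = "3.0.0-beta.1"
+ecosystem = "Go"
+license.override = ["Apache-2.0"]
+reason = "Unknown license, remove once https://github.com/google/deps.dev/issues/105 is resolved"
+
+[[PackageOverrides]]
+name = "github.com/docker/go-metrics"
+version = "0.0.1"
+ecosystem = "Go"
+license.override = ["Apache-2.0"]
+reason = "This package has dual license - the code is licensed under the Apache 2.0 license and the docs under CC-BY-SA-4.0 license"
+
+[[PackageOverrides]]
+name = "github.com/go-sql-driver/mysql"
+version = "1.8.1"
+ecosystem = "Go"
+# Override the license to an allowed one until https://github.com/google/osv-scanner/issues/1124 is resolved and we can skip it from licnese scanning instead
+license.override = ["Apache-2.0"]
+reason = "This package has MPL-2.0 which is not approved in CNCF Allowlist, but it has an exception. See https://github.com/cncf/foundation/blob/main/license-exceptions/CNCF-licensing-exceptions.csv"
+
+[[PackageOverrides]]
+name = "github.com/hashicorp/errwrap"
+version = "1.1.0"
+ecosystem = "Go"
+# Override the license to an allowed one until https://github.com/google/osv-scanner/issues/1124 is resolved and we can skip it from licnese scanning instead
+license.override = ["Apache-2.0"]
+reason = "This package has MPL-2.0 which is not approved in CNCF Allowlist, but it has an exception. See https://github.com/cncf/foundation/blob/main/license-exceptions/CNCF-licensing-exceptions.csv"
+
+[[PackageOverrides]]
+name = "github.com/hashicorp/go-cleanhttp"
+version = "0.5.2"
+ecosystem = "Go"
+# Override the license to an allowed one until https://github.com/google/osv-scanner/issues/1124 is resolved and we can skip it from licnese scanning instead
+license.override = ["Apache-2.0"]
+reason = "This package has MPL-2.0 which is not approved in CNCF Allowlist, but it has an exception. See https://github.com/cncf/foundation/blob/main/license-exceptions/CNCF-licensing-exceptions.csv"
+
+[[PackageOverrides]]
+name = "github.com/hashicorp/go-multierror"
+version = "1.1.1"
+ecosystem = "Go"
+# Override the license to an allowed one until https://github.com/google/osv-scanner/issues/1124 is resolved and we can skip it from licnese scanning instead
+license.override = ["Apache-2.0"]
+reason = "This package has MPL-2.0 which is not approved in CNCF Allowlist, but it has an exception. See https://github.com/cncf/foundation/blob/main/license-exceptions/CNCF-licensing-exceptions.csv"
+
+[[PackageOverrides]]
+name = "github.com/hashicorp/go-version"
+version = "1.7.0"
+ecosystem = "Go"
+# Override the license to an allowed one until https://github.com/google/osv-scanner/issues/1124 is resolved and we can skip it from licnese scanning instead
+license.override = ["Apache-2.0"]
+reason = "This package has MPL-2.0 which is not approved in CNCF Allowlist, but it has an exception. See https://github.com/cncf/foundation/blob/main/license-exceptions/CNCF-licensing-exceptions.csv"
+
+[[PackageOverrides]]
+name = "github.com/hashicorp/hcl"
+version = "1.0.0"
+ecosystem = "Go"
+# Override the license to an allowed one until https://github.com/google/osv-scanner/issues/1124 is resolved and we can skip it from licnese scanning instead
+license.override = ["Apache-2.0"]
+reason = "This package has MPL-2.0 which is not approved in CNCF Allowlist, but it has an exception. See https://github.com/cncf/foundation/blob/main/license-exceptions/CNCF-licensing-exceptions.csv"
+
+[[PackageOverrides]]
+name = "github.com/moby/patternmatcher"
+version = "0.6.0"
+ecosystem = "Go"
+license.override = ["Apache-2.0"]
+reason = "Unknown license, remove once https://github.com/google/deps.dev/issues/106 is resolved"
+
+[[PackageOverrides]]
+name = "github.com/opencontainers/go-digest"
+version = "1.0.0"
+ecosystem = "Go"
+license.override = ["Apache-2.0"]
+reason = "This package has dual license - the code is licensed under the Apache 2.0 license and the docs under CC-BY-SA-4.0 license"
+
+[[PackageOverrides]]
+name = "github.com/shoenig/go-m1cpu"
+version = "0.1.6"
+ecosystem = "Go"
+# Override the license to an allowed one until https://github.com/google/osv-scanner/issues/1124 is resolved and we can skip it from licnese scanning instead
+license.override = ["Apache-2.0"]
+reason = "This package has MPL-2.0 which is not approved in CNCF Allowlist, but it has an exception. See https://github.com/cncf/foundation/blob/main/license-exceptions/cncf-exceptions-2023-08-31.spdx"
+
+[[PackageOverrides]]
+name = "stdlib"
+ecosystem = "Go"
+license.override = ["BSD-3-Clause"]
+reason = "Unknown license, remove once https://github.com/google/deps.dev/issues/86 is resolved"
+
+[[PackageOverrides]]
+name = "github.com/grafana/tempo"
+version = "1.5.0"
+ecosystem = "Go"
+# Override the license to an allowed one until https://github.com/google/osv-scanner/issues/1124 is resolved and we can skip it from licnese scanning instead
+license.override = ["Apache-2.0"]
+reason = "This package is only used in e2e tests so we can ignore its license"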
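Review bot: The `[[IgnoredVulns]]` entry for GO-2022-0646 at the top of the new file has no expiry, so the suppression is permanent and nothing prompts a re-check of whether the advisory later becomes relevant; adding `ignoreUntil = <date placeholder>` next to `reason` keeps it time-boxed in the same way the version-pinned `[[PackageOverrides]]` entries below are re-triggered by a dependency bump. That entry's `reason` also reads `No a real issue` and should be `Not a real issue`. The last entry, for github.com/grafana/tempo, differs from the MPL-2.0 overrides in that its `reason` records only that the package is test-only and not what its actual license is, so the override cannot be audited later without re-checking upstream; suggest stating the real license in the `reason` string. The repeated `# Override the license ...` comment lines misspell "licnese" ("license").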
3 changes: 0 additions & 3 deletions tools/osv-scanner/config.toml

This file was deleted.
