From 96fc975cc1f0cdce4c69c5b44411a25e543143c4 Mon Sep 17 00:00:00 2001 From: Shahar Harari Date: Wed, 4 Sep 2024 21:44:44 +0300 Subject: [PATCH] add exceptions --- .github/workflows/license-scan.yml | 4 +- .github/workflows/osv-scanner.yml | 1 - osv-scanner.toml | 122 +++++++++++++++++++++++++++++ tools/osv-scanner/config.toml | 3 - 4 files changed, 125 insertions(+), 5 deletions(-) create mode 100644 osv-scanner.toml delete mode 100644 tools/osv-scanner/config.toml diff --git a/.github/workflows/license-scan.yml b/.github/workflows/license-scan.yml index 0dd689b30a3..5055ba7292a 100644 --- a/.github/workflows/license-scan.yml +++ b/.github/workflows/license-scan.yml @@ -26,4 +26,6 @@ jobs: --experimental-licenses=Apache-2.0,BSD-2-Clause,BSD-2-Clause-FreeBSD,BSD-3-Clause,MIT,ISC,Python-2.0,PostgreSQL,X11,Zlib --no-call-analysis=go ./ - continue-on-error: true # TODO remove once all issues are resolved + # TODO remove once github.com/hashicorp/go-getter gets license exception in CNCF or removed from the project + # See https://github.com/cncf/foundation/issues/624 + continue-on-error: true \ No newline at end of file diff --git a/.github/workflows/osv-scanner.yml b/.github/workflows/osv-scanner.yml index a2a46feeebe..3e529bb1208 100644 --- a/.github/workflows/osv-scanner.yml +++ b/.github/workflows/osv-scanner.yml @@ -42,7 +42,6 @@ jobs: scan-args: |- --skip-git --recursive - --config=tools/osv-scanner/config.toml --no-call-analysis=go ./ diff --git a/osv-scanner.toml b/osv-scanner.toml new file mode 100644 index 00000000000..aad97310eaf --- /dev/null +++ b/osv-scanner.toml 
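Review bot: `continue-on-error: true` in the license-scan.yml hunk keeps the whole license scan non-blocking, so every license finding is accepted silently, not only the github.com/hashicorp/go-getter case the new comment names; a dependency with a disallowed license added while the TODO is open passes CI the same way. Since the step stays advisory for an unknown time, the comment should say so: `# NOTE: this makes ALL license findings non-blocking, not only go-getter; read the job log on PRs that change go.mod`. The file also now ends with `\ No newline at end of file`, worth fixing while the line is touched.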
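Review bot: Dropping `--config=tools/osv-scanner/config.toml` from `scan-args` in the osv-scanner.yml hunk makes the job depend on osv-scanner's implicit config lookup, which, as far as I read the scanner's config documentation, picks up an `osv-scanner.toml` located next to each lockfile or manifest it scans. With `--recursive ./` any nested go.mod or other manifest in a subdirectory would then be scanned without the root overrides, and the ignore list silently stops applying there. If a single repo-wide config is intended, `--config=osv-scanner.toml` keeps that explicit; otherwise a comment above `scan-args` stating that the root `osv-scanner.toml` is discovered implicitly would document the dependency.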
@@ -0,0 +1,122 @@
+[[IgnoredVulns]]
+id = "GO-2022-0646"
+reason = "No a real issue, just a warning about third party package."
+
+[[PackageOverrides]]
+name = "github.com/AdaLogics/go-fuzz-headers"
+version = "0.0.0-20230811130428-ced1acdcaa24"
+ecosystem = "Go"
+license.override = ["Apache-2.0"]
+reason = "Unknown license since package version is missing in pkg.go.dev"
+
+[[PackageOverrides]]
+name = "github.com/asaskevich/govalidator"
+version = "0.0.0-20230301143203-a9d515a09cc2"
+ecosystem = "Go"
+license.override = ["MIT"]
+reason = "Unknown license, remove once https://github.com/google/deps.dev/issues/87 is resolved"
+
+[[PackageOverrides]]
+name = "github.com/containers/storage"
+version = "1.55.0"
+ecosystem = "Go"
+license.override = ["Apache-2.0"]
+reason = "Unknown license, remove once https://github.com/google/deps.dev/issues/104 is resolved"
+
+[[PackageOverrides]]
+name = "github.com/distribution/distribution/v3"
+version = "3.0.0-beta.1"
+ecosystem = "Go"
+license.override = ["Apache-2.0"]
+reason = "Unknown license, remove once https://github.com/google/deps.dev/issues/105 is resolved"
+
+[[PackageOverrides]]
+name = "github.com/docker/go-metrics"
+version = "0.0.1"
+ecosystem = "Go"
+license.override = ["Apache-2.0"]
+reason = "This package has dual license - the code is licensed under the Apache 2.0 license and the docs under CC-BY-SA-4.0 license"
+
+[[PackageOverrides]]
+name = "github.com/go-sql-driver/mysql"
+version = "1.8.1"
+ecosystem = "Go"
+# Override the license to an allowed one until https://github.com/google/osv-scanner/issues/1124 is resolved and we can skip it from licnese scanning instead
+license.override = ["Apache-2.0"]
+reason = "This package has MPL-2.0 which is not approved in CNCF Allowlist, but it has an exception. See https://github.com/cncf/foundation/blob/main/license-exceptions/CNCF-licensing-exceptions.csv"
+
+[[PackageOverrides]]
+name = "github.com/hashicorp/errwrap"
+version = "1.1.0"
+ecosystem = "Go"
+# Override the license to an allowed one until https://github.com/google/osv-scanner/issues/1124 is resolved and we can skip it from licnese scanning instead
+license.override = ["Apache-2.0"]
+reason = "This package has MPL-2.0 which is not approved in CNCF Allowlist, but it has an exception. See https://github.com/cncf/foundation/blob/main/license-exceptions/CNCF-licensing-exceptions.csv"
+
+[[PackageOverrides]]
+name = "github.com/hashicorp/go-cleanhttp"
+version = "0.5.2"
+ecosystem = "Go"
+# Override the license to an allowed one until https://github.com/google/osv-scanner/issues/1124 is resolved and we can skip it from licnese scanning instead
+license.override = ["Apache-2.0"]
+reason = "This package has MPL-2.0 which is not approved in CNCF Allowlist, but it has an exception. See https://github.com/cncf/foundation/blob/main/license-exceptions/CNCF-licensing-exceptions.csv"
+
+[[PackageOverrides]]
+name = "github.com/hashicorp/go-multierror"
+version = "1.1.1"
+ecosystem = "Go"
+# Override the license to an allowed one until https://github.com/google/osv-scanner/issues/1124 is resolved and we can skip it from licnese scanning instead
+license.override = ["Apache-2.0"]
+reason = "This package has MPL-2.0 which is not approved in CNCF Allowlist, but it has an exception. See https://github.com/cncf/foundation/blob/main/license-exceptions/CNCF-licensing-exceptions.csv"
+
+[[PackageOverrides]]
+name = "github.com/hashicorp/go-version"
+version = "1.7.0"
+ecosystem = "Go"
+# Override the license to an allowed one until https://github.com/google/osv-scanner/issues/1124 is resolved and we can skip it from licnese scanning instead
+license.override = ["Apache-2.0"]
+reason = "This package has MPL-2.0 which is not approved in CNCF Allowlist, but it has an exception. See https://github.com/cncf/foundation/blob/main/license-exceptions/CNCF-licensing-exceptions.csv"
+
+[[PackageOverrides]]
+name = "github.com/hashicorp/hcl"
+version = "1.0.0"
+ecosystem = "Go"
+# Override the license to an allowed one until https://github.com/google/osv-scanner/issues/1124 is resolved and we can skip it from licnese scanning instead
+license.override = ["Apache-2.0"]
+reason = "This package has MPL-2.0 which is not approved in CNCF Allowlist, but it has an exception. See https://github.com/cncf/foundation/blob/main/license-exceptions/CNCF-licensing-exceptions.csv"
+
+[[PackageOverrides]]
+name = "github.com/moby/patternmatcher"
+version = "0.6.0"
+ecosystem = "Go"
+license.override = ["Apache-2.0"]
+reason = "Unknown license, remove once https://github.com/google/deps.dev/issues/106 is resolved"
+
+[[PackageOverrides]]
+name = "github.com/opencontainers/go-digest"
+version = "1.0.0"
+ecosystem = "Go"
+license.override = ["Apache-2.0"]
+reason = "This package has dual license - the code is licensed under the Apache 2.0 license and the docs under CC-BY-SA-4.0 license"
+
+[[PackageOverrides]]
+name = "github.com/shoenig/go-m1cpu"
+version = "0.1.6"
+ecosystem = "Go"
+# Override the license to an allowed one until https://github.com/google/osv-scanner/issues/1124 is resolved and we can skip it from licnese scanning instead
+license.override = ["Apache-2.0"]
+reason = "This package has MPL-2.0 which is not approved in CNCF Allowlist, but it has an exception. See https://github.com/cncf/foundation/blob/main/license-exceptions/cncf-exceptions-2023-08-31.spdx"
+
+[[PackageOverrides]]
+name = "stdlib"
+ecosystem = "Go"
+license.override = ["BSD-3-Clause"]
+reason = "Unknown license, remove once https://github.com/google/deps.dev/issues/86 is resolved"
+
+[[PackageOverrides]]
+name = "github.com/grafana/tempo"
+version = "1.5.0"
+ecosystem = "Go"
+# Override the license to an allowed one until https://github.com/google/osv-scanner/issues/1124 is resolved and we can skip it from licnese scanning instead
+license.override = ["Apache-2.0"]
+reason = "This package is only used in e2e tests so we can ignore its license"
diff --git a/tools/osv-scanner/config.toml b/tools/osv-scanner/config.toml
deleted file mode 100644
index a2ffaf40f40..00000000000
--- a/tools/osv-scanner/config.toml
+++ /dev/null
@@ -1,3 +0,0 @@
-[[IgnoredVulns]]
-id = "GO-2022-0646"
-reason = "No a real issue, just a warning about third party package."
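Review bot: None of the entries in the new osv-scanner.toml carries an expiry, so the MPL-2.0→Apache-2.0 and unknown→Apache-2.0 relabels stay in force after the linked deps.dev and osv-scanner issues are closed and nothing will flag them as stale; the `GO-2022-0646` suppression at the top of the hunk could at least carry `ignoreUntil = YYYY-MM-DD` (date to be chosen) so the scanner fails loudly when the decision is due for review. Because `license.override` also rewrites what the scan reports, anyone reading scan output or an SBOM derived from it sees Apache-2.0 for packages whose own `reason` strings say they are MPL-2.0; that is at least documented per entry, but the `github.com/grafana/tempo` entry asserts a license the reason never claims to know, so something like `reason = "Test-only (e2e) dependency; license not verified, override is a placeholder to pass the allowlist"` would be more honest. Typos worth fixing in the same hunk: `No a real issue` → `Not a real issue`, and `licnese` → `license` in each of the repeated override comments.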