Deprecated SPDX license (GFDL* and BSD-2-Clause-NetBSD) #1179

Closed
vargenau opened this issue Aug 26, 2022 · 2 comments · Fixed by #1263
Labels
bug Something isn't working

Comments

@vargenau
Contributor

What happened:

This is a follow-up of #950.
The GPL family has been solved, but not all deprecated licenses. Please check the whole list of deprecated licenses at https://spdx.org/licenses/#Deprecated%20License%20Identifiers

What you expected to happen:

"GFDL-1.1" should be replaced by "GFDL-1.1-only"
"GFDL-1.2" should be replaced by "GFDL-1.2-only"
"GFDL-1.3" should be replaced by "GFDL-1.3-only"
"GFDL-1.1+" should be replaced by "GFDL-1.1-or-later"
"GFDL-1.2+" should be replaced by "GFDL-1.2-or-later"
"GFDL-1.3+" should be replaced by "GFDL-1.3-or-later"
"BSD-2-Clause-NetBSD" should be replaced by "BSD-2-Clause"

How to reproduce it (as minimally and precisely as possible):

syft docker:apache/airflow:2.3.0b1-python3.10 -o spdx-tag-value > airflow-syft-0.54.0.spdx

Anything else we need to know?:

Environment:

  • Output of syft version:
Application:        syft
Version:            0.54.0
JsonSchemaVersion:  3.3.2
BuildDate:          2022-08-17T18:56:00Z
GitCommit:          21eb77206020c04c9ca5316562e32179c73926a9
GitDescription:     v0.54.0
Platform:           linux/amd64
GoVersion:          go1.18.5
Compiler:           gc
  • OS (e.g: cat /etc/os-release or similar):
PRETTY_NAME="Ubuntu 22.04.1 LTS"
NAME="Ubuntu"
VERSION_ID="22.04"
VERSION="22.04.1 LTS (Jammy Jellyfish)"
VERSION_CODENAME=jammy
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=jammy
@vargenau vargenau added the bug Something isn't working label Aug 26, 2022
@vargenau vargenau changed the title from "Deprecated SPDX license (GPL-2.0+)" to "Deprecated SPDX license (GFDL* and BSD-2-Clause-NetBSD)" Aug 26, 2022
@spiffcs spiffcs added this to OSS Aug 29, 2022
@spiffcs spiffcs moved this to Parking Lot (Comments or Progress) in OSS Oct 6, 2022
@vargenau
Contributor Author

I have created a new pull request #1263 to fix this.

All deprecated licenses should be replaced, except the ones that must be replaced with a WITH:

  • "GPL-2.0-with-autoconf-exception",
  • "GPL-2.0-with-bison-exception",
  • "GPL-2.0-with-classpath-exception",
  • "GPL-2.0-with-font-exception",
  • "GPL-2.0-with-GCC-exception",
  • "GPL-3.0-with-autoconf-exception",
  • "GPL-3.0-with-GCC-exception".

I do not think it is possible to do it with the current implementation, as the replacement is not a license, but a license with an exception.

Some hacks are needed until the licenses.json file is updated.
See spdx/license-list-XML#1676

@wagoodman
Contributor

Thanks for your time on this @vargenau. Taking a look at #950 (comment) it seems like it works pretty well, however, there are exceptions to the proposed deprecation-mapping ruleset that was done in #1009.

Take for example a GFDL license:

    {
      "reference": "https://spdx.org/licenses/GFDL-1.2.html",
      "isDeprecatedLicenseId": true,
      "detailsUrl": "https://spdx.org/licenses/GFDL-1.2.json",
      "referenceNumber": 397,
      "name": "GNU Free Documentation License v1.2",
      "licenseId": "GFDL-1.2",
      "seeAlso": [
        "https://www.gnu.org/licenses/old-licenses/fdl-1.2.txt"
      ],
      "isOsiApproved": false,
      "isFsfLibre": true
    },

and

    {
      "reference": "https://spdx.org/licenses/GFDL-1.2-only.html",
      "isDeprecatedLicenseId": false,
      "detailsUrl": "https://spdx.org/licenses/GFDL-1.2-only.json",
      "referenceNumber": 224,
      "name": "GNU Free Documentation License v1.2 only",
      "licenseId": "GFDL-1.2-only",
      "seeAlso": [
        "https://www.gnu.org/licenses/old-licenses/fdl-1.2.txt"
      ],
      "isOsiApproved": false,
      "isFsfLibre": true
    },

It seems like the names aren't the same (unlike many of the GPL cases):

"GNU Free Documentation License v1.2" != "GNU Free Documentation License v1.2 only"

Even though GFDL-1.2-only should replace GFDL-1.2.

I think there may still be a way to account for these in the generic generation logic.

Specifically: https://github.com/anchore/syft/pull/1263/files#diff-f60222b80650a43e8ac9d70962f7120afe7d507d71ed448f729a318087c78274R34-R67. These could be covered by "if I am processing a deprecated license X and there is a non-deprecated license X-only, use X-only instead". There are more sub-cases to cover (e.g. gfdl-1.2.0 needs to map to GFDL-1.2-only, but doesn't match the pattern exactly).

I think your hard-coded cases for BSD make sense as is: https://github.com/anchore/syft/pull/1263/files#diff-f60222b80650a43e8ac9d70962f7120afe7d507d71ed448f729a318087c78274R69-R75.

I'm not certain I follow the bzip changes: https://github.com/anchore/syft/pull/1263/files#diff-f60222b80650a43e8ac9d70962f7120afe7d507d71ed448f729a318087c78274R77-R79. What motivates these?
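The mapping rule sketched in the comment above (deprecated X becomes X-only when such an id exists, X+ becomes X-or-later, the BSD case stays hard-coded, and "gfdl-1.2.0" still has to land on GFDL-1.2-only), written out in Go as an added example; this is not syft's code from #1263. `License`, `sample`, `index` and `Replacement` are names chosen here, and the license list is a constructed excerpt rather than the real licenses.json.

```go
package main

import (
	"fmt"
	"strings"
)

// License mirrors the licenses.json fields licenseId and isDeprecatedLicenseId.
type License struct{ LicenseID string; IsDeprecated bool }
// Constructed excerpt of the SPDX license list for this demo (not the real licenses.json).
var sample = []License{{"GFDL-1.2", true}, {"GFDL-1.2-only", false}, {"GFDL-1.2+", true},
	{"GFDL-1.2-or-later", false}, {"BSD-2-Clause-NetBSD", true}, {"BSD-2-Clause", false},
	{"GPL-2.0-with-GCC-exception", true}}
// index keys the list by lower-cased identifier so lookups are case-insensitive.
func index(list []License) map[string]License {
	idx := make(map[string]License, len(list))
	for _, l := range list {
		idx[strings.ToLower(l.LicenseID)] = l
	}
	return idx
}
// Replacement returns the identifier to emit and whether it is a known, non-deprecated id.
// Deprecated ids with no plain-id mapping (GPL-*-with-*-exception needs WITH) return ok=false.
func Replacement(id string, idx map[string]License) (string, bool) {
	key := strings.ToLower(id)
	lic, known := idx[key]
	if !known && strings.HasSuffix(key, ".0") { // e.g. "gfdl-1.2.0" as seen in package metadata
		key = strings.TrimSuffix(key, ".0")
		lic, known = idx[key]
	}
	if !known || !lic.IsDeprecated {
		return id, known // unknown, or already current: leave as is
	}
	if lic.LicenseID == "BSD-2-Clause-NetBSD" { // hard-coded case from the issue
		return "BSD-2-Clause", true
	}
	candidate := key + "-only" // generic rule: X -> X-only ...
	if strings.HasSuffix(key, "+") { // ... and X+ -> X-or-later
		candidate = strings.TrimSuffix(key, "+") + "-or-later"
	}
	if r, ok := idx[candidate]; ok && !r.IsDeprecated {
		return r.LicenseID, true
	}
	return id, false
}

func main() {
	idx := index(sample)
	fmt.Println(Replacement("gfdl-1.2.0", idx))                // GFDL-1.2-only true
	fmt.Println(Replacement("GPL-2.0-with-GCC-exception", idx)) // GPL-2.0-with-GCC-exception false
}
```

A caller that gets ok=false for a deprecated id knows the SBOM still carries a non-current identifier and can flag it instead of silently emitting it.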

kzantow pushed a commit that referenced this issue Oct 14, 2022
Repository owner moved this from Parking Lot (Comments or Progress) to Done in OSS Oct 14, 2022
aiwantaozi pushed a commit to aiwantaozi/syft that referenced this issue Oct 20, 2022