From 89f2b5ba48ebab381388a6b138fb273231d735e9 Mon Sep 17 00:00:00 2001
From: Shahar Harari
Date: Wed, 11 Dec 2024 22:46:35 +0200
Subject: [PATCH 1/3] ci: ignore vulnerabilities on license scan

Signed-off-by: Shahar Harari
---
 .github/workflows/license-scan.yml | 1 +
 osv-scanner.toml | 84 +--------------------
 tools/osv-scanner/license-scan-config.toml | 87 ++++++++++++++++++++++
 3 files changed, 90 insertions(+), 82 deletions(-)
 create mode 100644 tools/osv-scanner/license-scan-config.toml

diff --git a/.github/workflows/license-scan.yml b/.github/workflows/license-scan.yml
index 649f27fe979..0634aec0d08 100644
--- a/.github/workflows/license-scan.yml
+++ b/.github/workflows/license-scan.yml
@@ -23,4 +23,5 @@ jobs:
 scan-args: |-
 --skip-git
 --experimental-licenses=Apache-2.0,BSD-2-Clause,BSD-2-Clause-FreeBSD,BSD-3-Clause,MIT,ISC,Python-2.0,PostgreSQL,X11,Zlib
+ -- config tools/osv-scanner/license-scan-config.yaml
 ./
diff --git a/osv-scanner.toml b/osv-scanner.toml
index 9d5626b71ec..e20a22bca94 100644
--- a/osv-scanner.toml
+++ b/osv-scanner.toml
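Review bot: The added `--config` argument names `tools/osv-scanner/license-scan-config.yaml`, but the file this series creates is `tools/osv-scanner/license-scan-config.toml`, so the scanner is pointed at a path that does not exist; the second patch in the series repairs the stray space in `-- config` but keeps the `.yaml` extension, so the defect survives all three patches. I believe osv-scanner fails the run when a `--config` file cannot be read (confirm against the action version pinned above this hunk), and in either case none of the license overrides in the new file are applied, so the license job cannot be passing for the intended reason. The line should read `--config tools/osv-scanner/license-scan-config.toml`. The enclosing `jobs:` step definition starts above the hunk.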
@@ -1,82 +1,2 @@
-[[PackageOverrides]]
-name = "github.com/AdaLogics/go-fuzz-headers"
-version = "0.0.0-20230811130428-ced1acdcaa24"
-ecosystem = "Go"
-license.override = ["Apache-2.0"]
-reason = "Unidentified license since package version is missing in pkg.go.dev"
-
-[[PackageOverrides]]
-name = "github.com/asaskevich/govalidator"
-version = "0.0.0-20230301143203-a9d515a09cc2"
-ecosystem = "Go"
-license.override = ["MIT"]
-reason = "Unidentified license, remove once https://github.com/google/deps.dev/issues/87 is resolved"
-
-[[PackageOverrides]]
-name = "github.com/distribution/distribution/v3"
-version = "3.0.0-beta.1"
-ecosystem = "Go"
-license.override = ["Apache-2.0"]
-reason = "Unidentified license, remove once https://github.com/google/deps.dev/issues/105 is resolved"
-
-[[PackageOverrides]]
-name = "github.com/docker/go-metrics"
-version = "0.0.1"
-ecosystem = "Go"
-license.override = ["Apache-2.0"]
-reason = "This package has dual license - the code is licensed under the Apache 2.0 license and the docs under CC-BY-SA-4.0 license"
-
-[[PackageOverrides]]
-name = "github.com/go-sql-driver/mysql"
-version = "1.8.1"
-ecosystem = "Go"
-license.ignore = true
-reason = "This package has MPL-2.0 which is not approved in CNCF Allowlist, but it has an exception. See https://github.com/cncf/foundation/blob/main/license-exceptions/CNCF-licensing-exceptions.csv"
-
-[[PackageOverrides]]
-name = "github.com/hashicorp/errwrap"
-version = "1.1.0"
-ecosystem = "Go"
-license.ignore = true
-reason = "This package has MPL-2.0 which is not approved in CNCF Allowlist, but it has an exception. See https://github.com/cncf/foundation/blob/main/license-exceptions/CNCF-licensing-exceptions.csv"
-
-[[PackageOverrides]]
-name = "github.com/hashicorp/go-multierror"
-version = "1.1.1"
-ecosystem = "Go"
-license.ignore = true
-reason = "This package has MPL-2.0 which is not approved in CNCF Allowlist, but it has an exception. 
See https://github.com/cncf/foundation/blob/main/license-exceptions/CNCF-licensing-exceptions.csv"
-
-[[PackageOverrides]]
-name = "github.com/hashicorp/hcl"
-version = "1.0.0"
-ecosystem = "Go"
-license.ignore = true
-reason = "This package has MPL-2.0 which is not approved in CNCF Allowlist, but it has an exception. See https://github.com/cncf/foundation/blob/main/license-exceptions/CNCF-licensing-exceptions.csv"
-
-[[PackageOverrides]]
-name = "github.com/opencontainers/go-digest"
-version = "1.0.0"
-ecosystem = "Go"
-license.override = ["Apache-2.0"]
-reason = "This package has dual license - the code is licensed under the Apache 2.0 license and the docs under CC-BY-SA-4.0 license"
-
-[[PackageOverrides]]
-name = "github.com/shoenig/go-m1cpu"
-version = "0.1.6"
-ecosystem = "Go"
-license.ignore = true
-reason = "This package has MPL-2.0 which is not approved in CNCF Allowlist, but it has an exception. See https://github.com/cncf/foundation/blob/main/license-exceptions/cncf-exceptions-2023-08-31.spdx"
-
-[[PackageOverrides]]
-name = "github.com/golang/groupcache"
-version = "0.0.0-20241129210726-2c02b8208cf8"
-ecosystem = "Go"
-license.override = ["Apache-2.0"]
-reason = "Unidentified license, remove once https://github.com/google/deps.dev/issues/119 is resolved"
-
-[[PackageOverrides]]
-name = "stdlib"
-ecosystem = "Go"
-license.override = ["BSD-3-Clause"]
-reason = "Unidentified license, remove once https://github.com/google/deps.dev/issues/86 is resolved"
+# Add ignored vulnerabilities here when needed
+# See https://google.github.io/osv-scanner/configuration/
\ No newline at end of file
diff --git a/tools/osv-scanner/license-scan-config.toml b/tools/osv-scanner/license-scan-config.toml
new file mode 100644
index 00000000000..79a579ff7f8
--- /dev/null
+++ b/tools/osv-scanner/license-scan-config.toml
@@ -0,0 +1,87 @@
+# Ignore vulnerabilities on license scan
+[[PackageOverrides]]
+ecosystem = "Go"
+vulnerability.ignore = true
+
+[[PackageOverrides]]
+name = "github.com/AdaLogics/go-fuzz-headers"
+version = "0.0.0-20230811130428-ced1acdcaa24"
+ecosystem = "Go"
+license.override = ["Apache-2.0"]
+reason = "Unidentified license since package version is missing in pkg.go.dev"
+
+[[PackageOverrides]]
+name = "github.com/asaskevich/govalidator"
+version = "0.0.0-20230301143203-a9d515a09cc2"
+ecosystem = "Go"
+license.override = ["MIT"]
+reason = "Unidentified license, remove once https://github.com/google/deps.dev/issues/87 is resolved"
+
+[[PackageOverrides]]
+name = "github.com/distribution/distribution/v3"
+version = "3.0.0-beta.1"
+ecosystem = "Go"
+license.override = ["Apache-2.0"]
+reason = "Unidentified license, remove once https://github.com/google/deps.dev/issues/105 is resolved"
+
+[[PackageOverrides]]
+name = "github.com/docker/go-metrics"
+version = "0.0.1"
+ecosystem = "Go"
+license.override = ["Apache-2.0"]
+reason = "This package has dual license - the code is licensed under the Apache 2.0 license and the docs under CC-BY-SA-4.0 license"
+
+[[PackageOverrides]]
+name = "github.com/go-sql-driver/mysql"
+version = "1.8.1"
+ecosystem = "Go"
+license.ignore = true
+reason = "This package has MPL-2.0 which is not approved in CNCF Allowlist, but it has an exception. See https://github.com/cncf/foundation/blob/main/license-exceptions/CNCF-licensing-exceptions.csv"
+
+[[PackageOverrides]]
+name = "github.com/hashicorp/errwrap"
+version = "1.1.0"
+ecosystem = "Go"
+license.ignore = true
+reason = "This package has MPL-2.0 which is not approved in CNCF Allowlist, but it has an exception. 
See https://github.com/cncf/foundation/blob/main/license-exceptions/CNCF-licensing-exceptions.csv"
+
+[[PackageOverrides]]
+name = "github.com/hashicorp/go-multierror"
+version = "1.1.1"
+ecosystem = "Go"
+license.ignore = true
+reason = "This package has MPL-2.0 which is not approved in CNCF Allowlist, but it has an exception. See https://github.com/cncf/foundation/blob/main/license-exceptions/CNCF-licensing-exceptions.csv"
+
+[[PackageOverrides]]
+name = "github.com/hashicorp/hcl"
+version = "1.0.0"
+ecosystem = "Go"
+license.ignore = true
+reason = "This package has MPL-2.0 which is not approved in CNCF Allowlist, but it has an exception. See https://github.com/cncf/foundation/blob/main/license-exceptions/CNCF-licensing-exceptions.csv"
+
+[[PackageOverrides]]
+name = "github.com/opencontainers/go-digest"
+version = "1.0.0"
+ecosystem = "Go"
+license.override = ["Apache-2.0"]
+reason = "This package has dual license - the code is licensed under the Apache 2.0 license and the docs under CC-BY-SA-4.0 license"
+
+[[PackageOverrides]]
+name = "github.com/shoenig/go-m1cpu"
+version = "0.1.6"
+ecosystem = "Go"
+license.ignore = true
+reason = "This package has MPL-2.0 which is not approved in CNCF Allowlist, but it has an exception. See https://github.com/cncf/foundation/blob/main/license-exceptions/cncf-exceptions-2023-08-31.spdx"
+
+[[PackageOverrides]]
+name = "github.com/golang/groupcache"
+version = "0.0.0-20241129210726-2c02b8208cf8"
+ecosystem = "Go"
+license.override = ["Apache-2.0"]
+reason = "Unidentified license, remove once https://github.com/google/deps.dev/issues/119 is resolved"
+
+[[PackageOverrides]]
+name = "stdlib"
+ecosystem = "Go"
+license.override = ["BSD-3-Clause"]
+reason = "Unidentified license, remove once https://github.com/google/deps.dev/issues/86 is resolved"

From 9b84e4335a3675a263030a6ae66d78c5669ece0a Mon Sep 17 00:00:00 2001
From: Shahar Harari
Date: Wed, 11 Dec 2024 22:53:52 +0200
Subject: [PATCH 2/3] remove space
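Review bot: The blanket entry at the top of the new file (`[[PackageOverrides]]` with only `ecosystem = "Go"` and `vulnerability.ignore = true`) is the single entry without a `reason`, yet it is the one that changes what the scan reports: any config that includes it never surfaces a Go advisory, so it must only ever be handed to the license job. A `reason` that names where vulnerabilities are reported instead would make that auditable, e.g. `reason = "License-only scan; vulnerability findings are owned by the separate OSV scan job"`. Whether osv-scanner treats an override with no `name` and no `version` as matching every Go package should be confirmed against the pinned scanner version; if it requires `name`, this entry is a silent no-op and the license job will start failing on vulnerability findings rather than license ones. The entries whose `reason` says "remove once deps.dev issue N is resolved" are also good candidates for osv-scanner's `effectiveUntil` date so the override expires instead of relying on someone remembering.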
Signed-off-by: Shahar Harari
---
 .github/workflows/license-scan.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/license-scan.yml b/.github/workflows/license-scan.yml
index 0634aec0d08..834515bbeb0 100644
--- a/.github/workflows/license-scan.yml
+++ b/.github/workflows/license-scan.yml
@@ -23,5 +23,5 @@ jobs:
 scan-args: |-
 --skip-git
 --experimental-licenses=Apache-2.0,BSD-2-Clause,BSD-2-Clause-FreeBSD,BSD-3-Clause,MIT,ISC,Python-2.0,PostgreSQL,X11,Zlib
- -- config tools/osv-scanner/license-scan-config.yaml
+ --config tools/osv-scanner/license-scan-config.yaml
 ./

From c588ea4ab1ab73864cfc1bc69eb952f37be7fa58 Mon Sep 17 00:00:00 2001
From: Shahar Harari
Date: Wed, 11 Dec 2024 22:59:44 +0200
Subject: [PATCH 3/3] remove osv-scanner.toml

Signed-off-by: Shahar Harari
---
 osv-scanner.toml | 2 --
 1 file changed, 2 deletions(-)
 delete mode 100644 osv-scanner.toml

diff --git a/osv-scanner.toml b/osv-scanner.toml
deleted file mode 100644
index e20a22bca94..00000000000
--- a/osv-scanner.toml
+++ /dev/null
@@ -1,2 +0,0 @@
-# Add ignored vulnerabilities here when needed
-# See https://google.github.io/osv-scanner/configuration/
\ No newline at end of file