GeekMasher/advanced-security-compliance

allow list

Closed this issue · 4 comments

Description

I am trying to define an allow list of licenses but using * under conditions isn't giving the desired result.


Proposed Solution

If I do the below, the ignores are not actually ignoring anything as I am still

```yaml
licensing:
  # The four main rules types to do everything you need to do for all things
  #  compliance

  # Warnings will always occur if the rule applies and continues executing to
  #  other rules.
  warnings:
    ids:
      - other
      - na

  # Ignores are run next so if an ignored rule is hit that matches the level,
  #  it will be skipped
  ignores:
    ids:
      - apache license 2.0
      - bsd 3-clause "new" or "revised" license
      - mit license

  # Conditions will only trigger and raise an error when an exact match is hit
  conditions:
    # note using 'names' here instead of `ids` has the same result
    ids:
      - "*"
```

@romanoroth, @Padi-owasp and I were trying to do something similar to get an error on all undetected licenses, and then create an allow list manually. This is because we found many libraries that do not write the license in a standard place, and we want to have a manual allow list for checking licenses.

```yaml
licensing:
  conditions: # to fail
    ids:
      - other
      - na
      - none
  ignores: # what is allowed
    ids:
      - GPL*
      - LGPL*
    names:
      - maven://org.apache.maven.plugins:maven-surefire-plugin*
```
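The two configurations above express the same goal (an allow list of licenses) in opposite ways: the issue's version denies everything with `*` and carves out exceptions with `ignores`, while the second version flags only unknown licenses (`other`, `na`, `none`) and lists the allowed ones. The following reference evaluator is an added example, not code from the advanced-security-compliance project; it implements the rule order the comments in the first YAML describe (warnings always fire, ignores are checked next and stop processing, conditions raise an error) and assumes that `*` is a shell-style wildcard matched case-insensitively. It shows what both policies would produce under that reading, which is the result the reporter expected; whether the real licensing policy engine behaves this way is exactly what is left untested in this thread. The policies are embedded as Python dicts and the dependencies are constructed samples.

```python
import fnmatch
from dataclasses import dataclass

# Constructed sample policies: the two configurations from this thread, written as
# Python dicts rather than YAML so the example runs without a YAML library.
POLICY_DENY_ALL = {
    "licensing": {
        "warnings": {"ids": ["other", "na"]},
        "ignores": {"ids": ["apache license 2.0",
                            'bsd 3-clause "new" or "revised" license',
                            "mit license"]},
        "conditions": {"ids": ["*"]},
    }
}

POLICY_ALLOW_LIST = {
    "licensing": {
        "conditions": {"ids": ["other", "na", "none"]},
        "ignores": {"ids": ["GPL*", "LGPL*"],
                    "names": ["maven://org.apache.maven.plugins:maven-surefire-plugin*"]},
    }
}


@dataclass(frozen=True)
class Dependency:
    name: str     # dependency name, e.g. "maven://group:artifact" (constructed format)
    license: str  # license id as a scanner would report it, e.g. "mit license", "na"


def _glob_any(patterns, value):
    # Assumption: '*' is a shell-style wildcard and matching is case-insensitive.
    value = value.lower()
    return any(fnmatch.fnmatchcase(value, p.lower()) for p in patterns)


def _rule_hits(rule, dep):
    # A rule may list license ids and/or dependency names; either list may be absent.
    return (_glob_any(rule.get("ids", []), dep.license)
            or _glob_any(rule.get("names", []), dep.name))


def evaluate(policy, dep):
    """Return 'error', 'warning' or 'ok' for one dependency.

    Rule order follows the comments in the issue's YAML: warnings always fire and
    processing continues; ignores are checked next and stop processing; conditions
    raise an error on a match.
    """
    lic = policy.get("licensing", {})
    warned = _rule_hits(lic.get("warnings", {}), dep)
    if _rule_hits(lic.get("ignores", {}), dep):
        return "warning" if warned else "ok"
    if _rule_hits(lic.get("conditions", {}), dep):
        return "error"
    return "warning" if warned else "ok"


def audit(policy, deps):
    """Evaluate every dependency and return {name: level}."""
    return {d.name: evaluate(policy, d) for d in deps}


# Constructed dependencies covering the interesting cases: an allowed license, a
# copyleft license, a dependency allowed by name despite an undetected license,
# and an undetected license with no exception.
SAMPLE_DEPS = [
    Dependency("npm://left-pad", "mit license"),
    Dependency("npm://copyleft-lib", "gpl-3.0"),
    Dependency("maven://org.apache.maven.plugins:maven-surefire-plugin", "na"),
    Dependency("npm://mystery-lib", "na"),
]

if __name__ == "__main__":
    for label, policy in (("deny-all", POLICY_DENY_ALL), ("allow-list", POLICY_ALLOW_LIST)):
        print(label)
        for name, level in audit(policy, SAMPLE_DEPS).items():
            print(f"  {level:8} {name}")
```

Note the difference the two styles make for a dependency with a recognised but unlisted license: the deny-all policy errors on `gpl-3.0` because `*` catches everything not ignored, whereas the allow-list policy only errors on `other`, `na` and `none`, so anything with a detected license that is neither listed nor unknown passes silently. Which behaviour is wanted depends on whether the allow list is meant to be exhaustive or only to cover the libraries whose license could not be detected.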

@lsmith77 @jmservera Thank you for sharing this with me.

I did create an example of this using a list of allowed dependencies and break on any dependencies outside of the list.

I have not tested this with licensing but it might not be working because the licensing policy engine is a little different to the others. I will write up some test cases next week and see if we can do this for licensing.

Awesome. And yes, that policy inspired my attempt for licensing. In general, for licensing an allow list makes the most sense imho.

But FYI, you might find this finding interesting, as it puts the trustworthiness of GitHub licensing data a bit into perspective.

@lsmith77 @jmservera If you have any more issues, please raise them in the new repo https://github.com/advanced-security/policy-as-code/issues