ORT: Review unapproved/unknown licenses #2774

ikolomi · 2024-11-28T10:54:46Z

Description

The current ORT validation runs produce unknown/unapproved licenses, for example, this run:
https://github.com/valkey-io/valkey-glide/actions/runs/12060233555/job/33630281736

produced the following list:

Package_name: Crate::option-ext:0.2.0, Language: Python, License: MPL-2.0
Package_name: Crate::ring:0.17.8, Language: Python, License: NOASSERTION
Package_name: Crate::unicode-ident:1.0.14, Language: Python, License: (Apache-2.0 OR MIT) AND Unicode-3.0
Package_name: PyPI::pathspec:0.12.1, Language: Python, License: MPL-2.0
Package_name: PyPI::pathspec:0.12.1, Language: Python, License: MPL-2.0
Package_name: PyPI::pytest-metadata:3.1.1, Language: Python, License: MPL-2.0
Package_name: PyPI::pytest-metadata:3.1.1, Language: Python, License: MPL-2.0
Package_name: Crate::option-ext:0.2.0, Language: Node, License: MPL-2.0
Package_name: Crate::ring:0.17.8, Language: Node, License: NOASSERTION
Package_name: Crate::unicode-ident:1.0.14, Language: Node, License: (Apache-2.0 OR MIT) AND Unicode-3.0
Package_name: NPM::pause-stream:0.0.11, Language: Node, License: Apache-2.0 AND MIT
Package_name: Crate::option-ext:0.2.0, Language: Java, License: MPL-2.0
Package_name: Crate::ring:0.17.8, Language: Java, License: NOASSERTION
Package_name: Crate::unicode-ident:1.0.14, Language: Java, License: (Apache-2.0 OR MIT) AND Unicode-3.0
Package_name: Maven:org.json:json:20231013, Language: Java, License: LicenseRef-scancode-public-domain-disclaimer
Package_name: Maven:org.json:json:20231013, Language: Java, License: LicenseRef-scancode-public-domain-disclaimer
Package_name: Crate::option-ext:0.2.0, Language: Rust, License: MPL-2.0
Package_name: Crate::ring:0.17.8, Language: Rust, License: NOASSERTION
Package_name: Crate::unicode-ident:1.0.14, Language: Rust, License: (Apache-2.0 OR MIT) AND Unicode-3.0

This breaks AWS AppSec requirements, we have to deal with it by either extended the set of approved licenses or removing the packages

Checklist

Task item 1
Task item 2
Task item 3

Additional Notes

No response

The text was updated successfully, but these errors were encountered:

BoazBD · 2024-12-30T17:37:19Z

Most of the work is completed in #2890.
The remaining tasks depend on Viral (Senior Open Source Engineer) to approve or reject some of the packages we are using.

As a result, the estimated completion time is between 1 to 5 days, depending on his response.

BoazBD · 2025-01-07T17:00:27Z

Unapproved/unknown licenses list is now empty.

ikolomi added the Tech debt label Nov 28, 2024

ikolomi added this to Valkey-GLIDE - internal Nov 28, 2024

ikolomi added the dependency Dependency management label Nov 28, 2024

ikolomi moved this to Backlog in Valkey-GLIDE - internal Nov 28, 2024

asafpamzn assigned BoazBD Dec 4, 2024

BoazBD mentioned this issue Dec 31, 2024

Update ORT to skip approved packages or those under testing #2890

Merged

6 tasks

asafpamzn added this to the 1.4 milestone Jan 7, 2025

BoazBD mentioned this issue Jan 7, 2025

Update ORT approved list #2922

Merged

6 tasks

BoazBD closed this as completed Jan 7, 2025

github-project-automation bot moved this from Backlog to Done in Valkey-GLIDE - internal Jan 7, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

ORT: Review unapproved/unknown licenses #2774

ORT: Review unapproved/unknown licenses #2774

ikolomi commented Nov 28, 2024

BoazBD commented Dec 30, 2024

BoazBD commented Jan 7, 2025

ORT: Review unapproved/unknown licenses #2774

ORT: Review unapproved/unknown licenses #2774

Comments

ikolomi commented Nov 28, 2024

Description

Checklist

Additional Notes

BoazBD commented Dec 30, 2024

BoazBD commented Jan 7, 2025