Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(license): add FilePath to results to allow for license path filtering via trivyignore file #6215

Merged
merged 4 commits into from
Mar 4, 2024
Merged

fix(license): add FilePath to results to allow for license path filtering via trivyignore file #6215

merged 4 commits into from
Mar 4, 2024

Conversation

dus7eh
Copy link
Contributor

@dus7eh dus7eh commented Feb 27, 2024
edited
Loading

Description

Refers to discussion #6117 about trivyignore license definition not working properly for python packages

Before state is visible in the referred discussion.
After the change an entry is visible in logs:
DEBUG Ignored {"id": "GPL-2.0", "path": "usr/lib/python3.11/site-packages/scapy-2.5.0.dist-info/METADATA"}
with trivyignore.yaml defined as:

licenses:
  - id: "GPL-2.0"
    paths:
     - "usr/lib/python3.11/site-packages/scapy-2.5.0.dist-info/METADATA"

Related issues

Related PRs

Remove this section if you don't have related PRs.

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've followed the conventions in the PR title.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've added usage information (if the PR introduces new options)
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).

@dus7eh dus7eh changed the title fix(license): add FilePath to results to allow for path filtering via trivyignore file fix(license): add FilePath to results to allow for license path filtering via trivyignore file Feb 27, 2024
DmitriyLewen
DmitriyLewen reviewed Feb 28, 2024
View reviewed changes
Copy link
Contributor

@DmitriyLewen DmitriyLewen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hello @dus7eh
Thanks for your work!
I left comments. Take a look,

After your PR i thought about this case again.
I see 2 moments related to packages without locense info (case when we use another file to find license)

  1. It would be correctly to use path to license file instead of lock file. But in this case user may get confused. Because user is scanning the lock file and may not have the information that we are scanning another file to detect license.
  2. But if we use path to lock file as license filepath - there may be case where user wants to find this license -> user opens lockfile -> but lockfile doesn't contain license.
    But in this case, the user can check the documentation and read how we define licenses for his package/language.

So i think that we can start from this solution.

docs/docs/configuration/filtering.md Show resolved Hide resolved
pkg/scanner/local/scan.go Outdated Show resolved Hide resolved
@dus7eh dus7eh force-pushed the fix/missing-license-report-filepath branch from dc07806 to c2e35c2 Compare February 28, 2024 13:19
@dus7eh dus7eh force-pushed the fix/missing-license-report-filepath branch from c2e35c2 to 88a6154 Compare February 28, 2024 13:21
DmitriyLewen
DmitriyLewen reviewed Feb 29, 2024
View reviewed changes
pkg/scanner/local/scan.go Outdated Show resolved Hide resolved
docs/docs/configuration/filtering.md Outdated Show resolved Hide resolved
@dus7eh dus7eh force-pushed the fix/missing-license-report-filepath branch from dc07329 to 61dcb50 Compare March 1, 2024 23:04
DmitriyLewen
DmitriyLewen approved these changes Mar 4, 2024
View reviewed changes
Copy link
Contributor

@DmitriyLewen DmitriyLewen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for your work and
LGTM!

@knqyf263 take a look, when you have time, please.

@knqyf263 knqyf263 added this pull request to the merge queue Mar 4, 2024
Merged via the queue into aquasecurity:main with commit 04535b5 Mar 4, 2024
17 checks passed
@aqua-bot aqua-bot mentioned this pull request May 29, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@DmitriyLewen DmitriyLewen DmitriyLewen approved these changes

@knqyf263 knqyf263 Awaiting requested review from knqyf263 knqyf263 is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@dus7eh @DmitriyLewen @knqyf263