Missing `review_changed_license` property on a changed dependency
andreas-hakansson-ingka opened this issue · comments
We are running Licensed 3.3.1 (but we've tried with 3.4.2 as well) in a Go project and one of our transient dependencies was updated and requires a re-review. However, when we check the cached record there is no `review_changed_license` property that we can remove as mentioned in the documentation.
We have committed our license cache to source control and run with the following `.licensed.yml` file:

```yaml
sources:
  go: true
allowed:
  - apache-2.0
  - bsd-2-clause
  - bsd-3-clause
  - cc0-1.0
  - isc
  - mit
  - unlicensed
reviewed:
  go:
    - github.com/jmespath/go-jmespath
    - github.com/klauspost/compress/**/*
    - github.com/google/**/*
    - golang.org/x/**/*
    - google.golang.org/**/*
```
It is the `github.com/klauspost/compress/` (transient) dependency that is causing us issues at the moment. If we rebuild the cache (without rebuilding, it says the cache is too old and needs to be rebuilt, i.e. we get `cached dependency record out of date` for several records) and run a status check, then it says:

```
Errors:
* [REDACTED]/klauspost/compress
  filename: /[REDACTED]/.licenses/go/github.com/klauspost/compress.dep.yml, version: v1.14.1, license: other, allowed: false
  - license needs review: other
```

The dependency updated from v1.13.6 to v1.14.1.
I can see that it did change the cached record because I can commit a new copy of it to version control after rebuilding the cache. If I look at the cached record it contains this (I removed the actual license text to keep it short):

```yaml
---
name: github.com/klauspost/compress
version: v1.14.1
type: go
summary:
homepage: https://pkg.go.dev/github.com/klauspost/compress
license: other
licenses:
- sources: LICENSE
  text: |
- sources: README.md
  text: This code is licensed under the same conditions as the original Go code. See
    LICENSE file.
notices: []
```
As you can see there's no `review_changed_license` property in there, so, to be honest, we're not even sure how Licensed knows it needs to be reviewed again if we run `licensed status` more than once.

We are getting the same error on multiple machines.
@andreas-hakansson-ingka sorry for the confusion and thanks for the report. TL;DR: the `reviewed` glob path you called out won't match that dependency. To fix the error you should add `github.com/klauspost/compress` as a `reviewed` pattern in addition to the glob you currently have.

The glob pattern you've set up in the `reviewed` list (`github.com/klauspost/compress/**/*`) won't match the dependency `github.com/klauspost/compress` because the `**/*` ending requires that there is at least one path part after `compress`. If a dependency isn't seen as being reviewed, it won't be marked as needing re-review. Some examples of different glob patterns and paths they match (or don't) with `File.fnmatch?` and the options used by licensed in this case 👇
```ruby
irb(main):001:0> File.fnmatch?("github.com/klauspost/compress/**/*", "github.com/klauspost/compress", File::FNM_PATHNAME | File::FNM_CASEFOLD)
=> false
irb(main):002:0> File.fnmatch?("github.com/klauspost/compress", "github.com/klauspost/compress", File::FNM_PATHNAME | File::FNM_CASEFOLD)
=> true
irb(main):003:0> File.fnmatch?("github.com/klauspost/compress/**/*", "github.com/klauspost/compress/zlib", File::FNM_PATHNAME | File::FNM_CASEFOLD)
=> true
irb(main):004:0> File.fnmatch?("github.com/klauspost/compress/**/*", "github.com/klauspost/compress/gzhttp/writer/gzkp", File::FNM_PATHNAME | File::FNM_CASEFOLD)
=> true
```
With the additional `reviewed` path, future changes to the dependency license should trigger the `review_changed_license` property. Note that the property is only added when any license text values change; an update to the version with no significant changes to the license text will not trigger this scenario.
I'm going to close the issue as I don't believe there's anything to be fixed here, but please feel free to reopen and/or continue the conversation if you disagree 🙇
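The matching rule described in the reply above, worked through against the reporter's own `reviewed` list. This is an added example, not code from the licensed project or from either participant: it applies `File.fnmatch?` with the `FNM_PATHNAME | FNM_CASEFOLD` flags shown in the irb session to a constructed copy of the `.licensed.yml` from the report, lists which of a few constructed Go module paths fall under a `reviewed` pattern, and then shows that appending the bare `github.com/klauspost/compress` pattern is what closes the gap. The helper names (`matching_reviewed_pattern`, `audit_reviewed`, `add_reviewed_pattern`) and the sample module list are this example's own; whether licensed evaluates patterns in exactly this order is an assumption.

```ruby
require "yaml"

# Constructed copy of the .licensed.yml from the report: the same `reviewed`
# list (no bare "github.com/klauspost/compress" entry), a shortened `allowed` list.
CONFIG_YAML = <<~YAML
  sources:
    go: true
  allowed:
    - apache-2.0
    - bsd-3-clause
    - mit
  reviewed:
    go:
      - github.com/jmespath/go-jmespath
      - github.com/klauspost/compress/**/*
      - github.com/google/**/*
      - golang.org/x/**/*
      - google.golang.org/**/*
YAML
CONFIG = YAML.safe_load(CONFIG_YAML)

# The File.fnmatch? flags shown in the maintainer's irb session.
FNMATCH_FLAGS = File::FNM_PATHNAME | File::FNM_CASEFOLD

# Returns the first `reviewed` pattern under `source` that matches `name`,
# or nil when no pattern covers the dependency. (Hypothetical helper; first-match
# order is an assumption about how licensed evaluates its list.)
def matching_reviewed_pattern(config, source, name)
  patterns = config.fetch("reviewed", {}).fetch(source, [])
  patterns.find { |pattern| File.fnmatch?(pattern, name, FNMATCH_FLAGS) }
end

# Splits dependency names into those covered by a reviewed pattern (mapped to
# the pattern that matched) and those that no pattern covers at all.
def audit_reviewed(config, source, names)
  result = { reviewed: {}, unreviewed: [] }
  names.each do |name|
    pattern = matching_reviewed_pattern(config, source, name)
    if pattern
      result[:reviewed][name] = pattern
    else
      result[:unreviewed] << name
    end
  end
  result
end

# Returns a copy of the config with `pattern` appended to `reviewed.<source>`
# (no duplicates); the original hash is left untouched.
def add_reviewed_pattern(config, source, pattern)
  reviewed = config.fetch("reviewed", {}).dup
  current = reviewed.fetch(source, [])
  reviewed[source] = current.include?(pattern) ? current : current + [pattern]
  config.merge("reviewed" => reviewed)
end

# Constructed module paths: the one in the status error plus a few sub-packages
# and other modules that the existing globs are expected to cover.
DEPENDENCIES = [
  "github.com/klauspost/compress",
  "github.com/klauspost/compress/zlib",
  "github.com/klauspost/compress/gzhttp/writer/gzkp",
  "github.com/jmespath/go-jmespath",
  "golang.org/x/net",
].freeze

if $PROGRAM_NAME == __FILE__
  before = audit_reviewed(CONFIG, "go", DEPENDENCIES)
  puts "not reviewed with the original config: #{before[:unreviewed].inspect}"
  fixed = add_reviewed_pattern(CONFIG, "go", "github.com/klauspost/compress")
  after = audit_reviewed(fixed, "go", DEPENDENCIES)
  puts "not reviewed after adding the bare path:  #{after[:unreviewed].inspect}"
end
```

Running it prints the bare module path as the only unreviewed entry under the original config and an empty list once the extra pattern is added; the sub-package paths were already covered by the `**/*` glob, which is why only the top-level module produced the `license needs review` error.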
@andreas-hakansson-ingka 👋 following up, did ☝️ solve your issue?