From bb0a8ff3e180aba238caa10ccc9c55c47b7de608 Mon Sep 17 00:00:00 2001
From: Olivier Leduc
Date: Mon, 17 Jun 2024 09:47:58 -0400
Subject: [PATCH 1/5] BST-11165: add license type & rule to boost-sca

This scanner can emit license finding. As such, it should be marked as a license scanner and have the rule for forbidden license usage.
---
 .../boostsecurityio/sbom-sca/module.yaml | 1 +
 .../boostsecurityio/sbom-sca/rules.yaml | 10 ++++++++++
 2 files changed, 11 insertions(+)

diff --git a/server-side-scanners/boostsecurityio/sbom-sca/module.yaml b/server-side-scanners/boostsecurityio/sbom-sca/module.yaml
index c9c8c7e2..a32c49ee 100644
--- a/server-side-scanners/boostsecurityio/sbom-sca/module.yaml
+++ b/server-side-scanners/boostsecurityio/sbom-sca/module.yaml
@@ -2,3 +2,4 @@ name: BoostSecurity SBOM SCA
 namespace: boostsecurityio/sbom-sca
 scan_types:
 - sca
+ - license
diff --git a/server-side-scanners/boostsecurityio/sbom-sca/rules.yaml b/server-side-scanners/boostsecurityio/sbom-sca/rules.yaml
index 629f9ed2..41db6cb9 100644
--- a/server-side-scanners/boostsecurityio/sbom-sca/rules.yaml
+++ b/server-side-scanners/boostsecurityio/sbom-sca/rules.yaml
@@ -15,3 +15,13 @@ rules:
 group: top10-vulnerable-components
 pretty_name: Dependency with known malicious behaviour
 ref: https://github.com/ossf/malicious-packages/tree/main/osv/malicious
+ forbidden-license:
+ categories:
+ - ALL
+ - boost-baseline
+ - use-of-forbidden-license
+ description: Package with Unauthorized License
+ name: forbidden-license
+ group: license-violations
+ pretty_name: Package with Unauthorized License
+ ref: https://docs.boostsecurity.io/rules/index.html

From 93541ad71e65ff53bfc8934208cc197ccd7b6745 Mon Sep 17 00:00:00 2001
From: Olivier Leduc
Date: Mon, 17 Jun 2024 10:54:07 -0400
Subject: [PATCH 2/5] fix: import rule from license scanner

---
 .../boostsecurityio/sbom-sca/rules.yaml | 11 +----------
 1 file changed, 1 insertion(+), 10 deletions(-)
diff --git a/server-side-scanners/boostsecurityio/sbom-sca/rules.yaml b/server-side-scanners/boostsecurityio/sbom-sca/rules.yaml
index 41db6cb9..b933e734 100644
--- a/server-side-scanners/boostsecurityio/sbom-sca/rules.yaml
+++ b/server-side-scanners/boostsecurityio/sbom-sca/rules.yaml
@@ -1,5 +1,6 @@
 import:
 - boostsecurityio/sca-cve
+ - boostsecurityio/oss-license
 rules:
 dependency-with-malicious-behaviour:
@@ -15,13 +16,3 @@ rules:
 group: top10-vulnerable-components
 pretty_name: Dependency with known malicious behaviour
 ref: https://github.com/ossf/malicious-packages/tree/main/osv/malicious
- forbidden-license:
- categories:
- - ALL
- - boost-baseline
- - use-of-forbidden-license
- description: Package with Unauthorized License
- name: forbidden-license
- group: license-violations
- pretty_name: Package with Unauthorized License
- ref: https://docs.boostsecurity.io/rules/index.html

From 61a4bc2a1f2b25a4c31c55f78fa4cca5fa020ca4 Mon Sep 17 00:00:00 2001
From: Olivier Leduc
Date: Mon, 17 Jun 2024 11:31:58 -0400
Subject: [PATCH 3/5] tmp: try new action version

---
 .github/workflows/registry-scanner.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/registry-scanner.yaml b/.github/workflows/registry-scanner.yaml
index 08e04680..a0ba8194 100644
--- a/.github/workflows/registry-scanner.yaml
+++ b/.github/workflows/registry-scanner.yaml
@@ -14,7 +14,7 @@ on:
 permissions:
 contents: read
-
+
 jobs:
 scan_job:
 name: Scanner Registry Action
@@ -29,7 +29,7 @@ jobs:
 - name: Checkout
 uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
 - name: Scan Registry
- uses: boostsecurityio/scanner-registry-action@bcec6e2aedd41802de36511587d46e2eb47e8805 # v1.5.3
+ uses: boostsecurityio/scanner-registry-action@419f7dca96ccbf6e0459faf512d15b1e530a0796 # temporary
 with:
 api_endpoint: ${{ vars.BOOST_API_ENDPOINT }}
 api_token: ${{ secrets.BOOST_SYSTEM_API_KEY_REGISTRY }}
From ef5969651fc4f67b49e6d3a2798166cb7d091ec9 Mon Sep 17 00:00:00 2001
From: Olivier Leduc
Date: Mon, 17 Jun 2024 11:49:57 -0400
Subject: [PATCH 4/5] use action v1.5.4

---
 .github/workflows/registry-scanner.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/registry-scanner.yaml b/.github/workflows/registry-scanner.yaml
index a0ba8194..7ff07b00 100644
--- a/.github/workflows/registry-scanner.yaml
+++ b/.github/workflows/registry-scanner.yaml
@@ -29,7 +29,7 @@ jobs:
 - name: Checkout
 uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
 - name: Scan Registry
- uses: boostsecurityio/scanner-registry-action@419f7dca96ccbf6e0459faf512d15b1e530a0796 # temporary
+ uses: boostsecurityio/scanner-registry-action@7c3690aed2453f790be130a209d644c41b333fb7 # v1.5.4
 with:
 api_endpoint: ${{ vars.BOOST_API_ENDPOINT }}
 api_token: ${{ secrets.BOOST_SYSTEM_API_KEY_REGISTRY }}

From efbc066cf9198925112535ed2f2258bf7aec3ec3 Mon Sep 17 00:00:00 2001
From: Olivier Leduc
Date: Mon, 17 Jun 2024 16:34:03 -0400
Subject: [PATCH 5/5] fix: move to boost-sca

---
 scanners/boostsecurityio/boost-sca/module.yaml | 1 +
 scanners/boostsecurityio/boost-sca/rules.yaml | 1 +
 server-side-scanners/boostsecurityio/sbom-sca/module.yaml | 1 -
 server-side-scanners/boostsecurityio/sbom-sca/rules.yaml | 1 -
 4 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/scanners/boostsecurityio/boost-sca/module.yaml b/scanners/boostsecurityio/boost-sca/module.yaml
index 9a59ea00..7ee8f5f1 100644
--- a/scanners/boostsecurityio/boost-sca/module.yaml
+++ b/scanners/boostsecurityio/boost-sca/module.yaml
@@ -5,6 +5,7 @@ name: BoostSecurity SCA
 namespace: boostsecurityio/boost-sca
 scan_types:
 - sca
+ - license
 config:
 require_full_repo: true
diff --git a/scanners/boostsecurityio/boost-sca/rules.yaml b/scanners/boostsecurityio/boost-sca/rules.yaml
index 629f9ed2..b933e734 100644
--- a/scanners/boostsecurityio/boost-sca/rules.yaml
+++ b/scanners/boostsecurityio/boost-sca/rules.yaml
@@ -1,5 +1,6 @@
 import:
 - boostsecurityio/sca-cve
+ - boostsecurityio/oss-license
 rules:
 dependency-with-malicious-behaviour:
diff --git a/server-side-scanners/boostsecurityio/sbom-sca/module.yaml b/server-side-scanners/boostsecurityio/sbom-sca/module.yaml
index a32c49ee..c9c8c7e2 100644
--- a/server-side-scanners/boostsecurityio/sbom-sca/module.yaml
+++ b/server-side-scanners/boostsecurityio/sbom-sca/module.yaml
@@ -2,4 +2,3 @@ name: BoostSecurity SBOM SCA
 namespace: boostsecurityio/sbom-sca
 scan_types:
 - sca
- - license
diff --git a/server-side-scanners/boostsecurityio/sbom-sca/rules.yaml b/server-side-scanners/boostsecurityio/sbom-sca/rules.yaml
index b933e734..629f9ed2 100644
--- a/server-side-scanners/boostsecurityio/sbom-sca/rules.yaml
+++ b/server-side-scanners/boostsecurityio/sbom-sca/rules.yaml
@@ -1,6 +1,5 @@
 import:
 - boostsecurityio/sca-cve
- - boostsecurityio/oss-license
 rules:
 dependency-with-malicious-behaviour:
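Review bot: The new `boostsecurityio/oss-license` import in scanners/boostsecurityio/boost-sca/rules.yaml carries no comment saying what it supplies, so a reader cannot tell why module.yaml now declares a `license` scan type without digging through this series (patch 1 defined a `forbidden-license` rule inline and patch 2 replaced it with this same import). I would add above the import line `# oss-license supplies the forbidden-license rule (use-of-forbidden-license category)` — presumably that is the rule it provides, given patch 2's message, but it is worth confirming against the oss-license module before relying on the comment. The same applies to the identical hunk in patch 2 for server-side-scanners/sbom-sca/rules.yaml, although this series reverts that file. The `rules:` mapping opened in the hunk continues past its end.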