No license detected in a docker scans of docker://redis:buster #478

pombredanne opened this issue Jul 28, 2022 · 3 comments (closed)
Labels: bug (Something isn't working), high priority

pombredanne commented:

I created a project and scanned docker://redis:buster with a docker pipeline.
No license was detected at all using the tip of the main branch

@pombredanne pombredanne added the bug Something isn't working label Jul 28, 2022
@pombredanne pombredanne added this to the v32.0.0 milestone Jul 28, 2022
@pombredanne pombredanne modified the milestones: v32.0.0, v31.0.0 Jul 28, 2022
tdruez commented Jul 29, 2022

Let's take a data example of an installed_packages in https://github.com/nexB/scancode.io/blob/main/scanpipe/pipes/docker.py#L182

{'api_data_url': None,
 'bug_tracking_url': None,
 'code_view_url': None,
 'copyright': None,
 'declared_license': None,
 'source_packages': ['pkg:deb/zlib'],
 'subpath': None,
 'type': 'deb',
 'vcs_url': None,
 'version': '1:1.2.11.dfsg-1',
 'description': 'compression library - runtime\n'
                ' zlib is a library implementing the deflate compression '
                'method found\n'
                ' in gzip and PKZIP.  This package includes the shared '
                'library.',
 'homepage_url': 'http://zlib.net/',
 'keywords': ['libs'],
 'license_expression': None,
 'name': 'zlib1g',
 'namespace': None,
 'notice_text': None,
 'package_uid': 'pkg:deb/zlib1g@1:1.2.11.dfsg-1?architecture=amd64&uuid=fec22812-0d35-49e2-a0d9-7c9d381138a2',
 'primary_language': None,
 'purl': 'pkg:deb/zlib1g@1:1.2.11.dfsg-1?architecture=amd64',
 'qualifiers': {'architecture': 'amd64'},
 'resources': [{'for_packages': ['pkg:deb/zlib1g@1:1.2.11.dfsg-1?architecture=amd64&uuid=fec22812-0d35-49e2-a0d9-7c9d381138a2',
                                 'pkg:deb/zlib1g@1:1.2.11.dfsg-1?architecture=amd64&uuid=fec22812-0d35-49e2-a0d9-7c9d381138a2'],
                'package_data': [{'api_data_url': None,
                                  'bug_tracking_url': None,
                                  'code_view_url': None,
                                  'copyright': '1995-2013 Jean-loup Gailly and '
                                               'Mark Adler\n'
                                               '1998 by Andreas R. Kleinert\n'
                                               '1998-2010 Gilles Vollant\n'
                                               '2007-2008 Even Rouault\n'
                                               '2009-2010 Mathias Svensson\n'
                                               '2000-2017 Mark Brown',
                                  'datasource_id': 'debian_copyright_in_package',
                                  'declared_license': ['Zlib',
                                                       'Zlib',
                                                       'Zlib',
                                                       'Zlib',
                                                       'Zlib'],
                                  'dependencies': [],
                                  'description': None,
                                  'download_url': None,
                                  'extra_data': {},
                                  'file_references': [],
                                  'homepage_url': None,
                                  'keywords': [],
                                  'license_expression': 'zlib AND zlib AND '
                                                        'zlib AND zlib',
                                  'md5': None,
                                  'name': 'zlib1g',
                                  'namespace': None,
                                  'notice_text': None,
                                  'parties': [],
                                  'primary_language': None,
                                  'purl': 'pkg:deb/zlib1g',
                                  'qualifiers': {},
                                  'release_date': None,
                                  'repository_download_url': None,
                                  'repository_homepage_url': None,
                                  'sha1': None,
                                  'sha256': None,
                                  'sha512': None,
                                  'size': None,
                                  'source_packages': [],
                                  'subpath': None,
                                  'type': 'deb',
                                  'vcs_url': None,
                                  'version': None}],
                'path': '476baebdfbf7a68c50e979971fcd47d799d1b194bcf1f03c1c979e9262bcd364/usr/share/doc/zlib1g/copyright',
                'scan_errors': [],
                'type': 'file'}],
 }
  1. copyright, declared_license, and license_expression are empty at the package level so during package creation in https://github.com/nexB/scancode.io/blob/main/scanpipe/pipes/docker.py#L186 nothing is set for those fields.

  2. The resources.package_data contains scan values, but those are never used in the current code, as the package is not created from those, and the codebase resource is never updated with those either when assigned to the package instance https://github.com/nexB/scancode.io/blob/main/scanpipe/pipes/docker.py#L219

  3. For some reason entries are duplicated in for_packages.
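As an added illustration of the three points above (this is example code, not scancode.io's own pipeline), the function below fills the empty package-level `copyright`, `declared_license` and `license_expression` from the resource-level `package_data` and de-duplicates `for_packages`; the sample input is a constructed, trimmed copy of the zlib1g entry, and the `AND`-collapsing in `simplify_expression` is an assumption that stands in for a real license-expression parser.

```python
# Added example, not scancode.io code: fill the empty package-level license
# fields from resources[*].package_data (items 1 and 2) and drop the duplicate
# for_packages entries (item 3).
import copy

# Constructed, trimmed copy of the zlib1g entry quoted above.
INSTALLED_PACKAGE = {
    "purl": "pkg:deb/zlib1g@1:1.2.11.dfsg-1?architecture=amd64",
    "copyright": None,
    "declared_license": None,
    "license_expression": None,
    "resources": [{
        "for_packages": [
            "pkg:deb/zlib1g@1:1.2.11.dfsg-1?architecture=amd64&uuid=fec22812-0d35-49e2-a0d9-7c9d381138a2",
            "pkg:deb/zlib1g@1:1.2.11.dfsg-1?architecture=amd64&uuid=fec22812-0d35-49e2-a0d9-7c9d381138a2",
        ],
        "package_data": [{
            "copyright": "1995-2013 Jean-loup Gailly and Mark Adler",
            "declared_license": ["Zlib", "Zlib", "Zlib", "Zlib", "Zlib"],
            "license_expression": "zlib AND zlib AND zlib AND zlib",
        }],
    }],
}

def dedupe(items):
    """Drop repeats while keeping first-seen order."""
    return list(dict.fromkeys(items))

def simplify_expression(expression):
    """Collapse 'zlib AND zlib' to 'zlib'. Assumption: a flat AND-conjunction
    of license keys, not a full license-expression parser."""
    return " AND ".join(dedupe(p.strip() for p in expression.split(" AND ")))

def merge_package_data(package):
    """Return a copy of `package` whose empty copyright/declared_license/
    license_expression come from its resources' package_data."""
    merged = copy.deepcopy(package)
    for resource in merged.get("resources", []):
        resource["for_packages"] = dedupe(resource.get("for_packages", []))
        for data in resource.get("package_data", []):
            for field in ("copyright", "declared_license", "license_expression"):
                if merged.get(field) is None and data.get(field):
                    value = data[field]
                    if field == "declared_license":
                        value = dedupe(value)
                    elif field == "license_expression":
                        value = simplify_expression(value)
                    merged[field] = value
    return merged
```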


pombredanne commented Jul 31, 2022

Thanks for the inputs
I tracked the issue of 1. to a bug in SCTK... working on a fix!

For 2., resources.package_data are no longer used correctly but the data should still be processed correctly. I will submit a fix

And 3. is another SCTK bug

pombredanne added a commit to nexB/scancode-toolkit that referenced this issue Aug 1, 2022
* The license of Alpine installed system packages was not detected
  correctly. It now uses the Alpine specific procedure.

Reference: nexB/scancode.io#478
Signed-off-by: Philippe Ombredanne <pombredanne@nexb.com>
pombredanne added a commit to nexB/scancode-toolkit that referenced this issue Aug 1, 2022
* The license of Debian installed system packages was not detected
  correctly. In particular merging copyright detection details with
  other metadata was not working

Reference: nexB/scancode.io#478
Signed-off-by: Philippe Ombredanne <pombredanne@nexb.com>
pombredanne commented:

See nexB/scancode-toolkit#3036 for the fixes on the SCTK side

pombredanne added a commit that referenced this issue Aug 1, 2022
Validate that things run OK and license are detected with a minimal
alpine and debian docker image.

Also adapt existing tests to new results.

Bump SCTK to latest version.

Reference: #478
Signed-off-by: Philippe Ombredanne <pombredanne@nexb.com>
pombredanne added a commit that referenced this issue Aug 2, 2022
* Validate that things run OK and license are detected with a minimal
  alpine and debian docker image.

* Also adapt existing tests to new results.

* Bump SCTK to latest version 31

Reference: #478
Signed-off-by: Philippe Ombredanne <pombredanne@nexb.com>
pombredanne added a commit that referenced this issue Aug 2, 2022
Some of these changes may not be entirely correct and will need further
review

Reference: #478
Signed-off-by: Philippe Ombredanne <pombredanne@nexb.com>
pombredanne added a commit that referenced this issue Aug 3, 2022
This minimizes changes in diffs

Signed-off-by: Philippe Ombredanne <pombredanne@nexb.com>
tdruez pushed a commit that referenced this issue Aug 3, 2022
* Add tests for system package licenses #478

* Validate that things run OK and license are detected with a minimal
  alpine and debian docker image.

* Also adapt existing tests to new results.

* Bump SCTK to latest version 31

Reference: #478
Signed-off-by: Philippe Ombredanne <pombredanne@nexb.com>

* Sort expected test results #478

This minimizes changes in diffs

Signed-off-by: Philippe Ombredanne <pombredanne@nexb.com>

* Bump ScanCode toolkit to 31.0.0rc5

* also adjust tests accordingly

Signed-off-by: Philippe Ombredanne <pombredanne@nexb.com>
@tdruez tdruez closed this as completed Aug 3, 2022