BUG: declared license only missing for some versions of a package #1177

Open
elrayle opened this issue Aug 15, 2024 · 0 comments

Description

For some packages, many of the versions will have a license declared, but other versions of the package do not.

Expected

The summary definition for go/golang/github.com%2fsap/jenkins-library/v1.231.0 should have a declared license Apache-2.0.

Actual

The summary definition for go/golang/github.com%2fsap/jenkins-library/v1.231.0 does not have a declared license.

Observations

For the specific example provided:

  • Many of the versions do have the license declared as Apache-2.0. (e.g. go/golang/github.com%2fsap/jenkins-library/v1.230.0)
  • More than one version does not have a declared license.
  • It does not appear to be related to a license change.

Potential Approach

Information needed:

  • identify which packages have licenses for some versions, but not others
  • determine how many coordinates are impacted
  • determine if the license is declared in the tool output

May be able to use DB queries for the first two, but it will be slow. Can spot check the production blob container to determine if the license is present in tool results.

Actual approach needs to take scale of the problem into account.

  • if the license is in tool results, force a re-generation of the definition for each coordinate
  • if the license is not in the tool results, force a re-harvest of the coordinates

May be able to piggyback on the data factory being built to identify coordinates where a production-definition blob exists, but the database entry is completely missing.

Other approaches should be considered.

Related Work

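The triage described under "Potential Approach" can be sketched as follows. This is an added example, not code from the issue or from the project: it groups records by package, keeps only packages that are licensed for some versions but not others, and picks the follow-up per coordinate. The record fields `declared` and `toolDeclared`, the action labels, the treatment of `NOASSERTION` as missing, and every sample value other than the two jenkins-library coordinates and their declared state are assumptions.

```javascript
// Added example. Field names and action labels are hypothetical.
function splitCoordinates(coordinates) {
  // Layout: type/provider/namespace/name/revision
  const parts = coordinates.split('/')
  if (parts.length !== 5) throw new Error(`unexpected coordinates: ${coordinates}`)
  return { pkg: parts.slice(0, 4).join('/'), revision: parts[4] }
}

// Assumption: absent, empty and NOASSERTION all count as "no declared license".
function hasLicense(value) {
  return typeof value === 'string' && value.trim() !== '' && value !== 'NOASSERTION'
}

// records: [{ coordinates, declared, toolDeclared }]
//   declared     - license in the summary definition
//   toolDeclared - license found in the harvested tool output, if any
function triage(records) {
  const byPackage = new Map()
  for (const record of records) {
    const { pkg } = splitCoordinates(record.coordinates)
    if (!byPackage.has(pkg)) byPackage.set(pkg, [])
    byPackage.get(pkg).push(record)
  }
  const actions = []
  for (const versions of byPackage.values()) {
    const licensed = versions.filter(v => hasLicense(v.declared))
    const missing = versions.filter(v => !hasLicense(v.declared))
    // In scope: packages licensed for some versions but not for others.
    if (licensed.length === 0 || missing.length === 0) continue
    const siblingLicenses = [...new Set(licensed.map(v => v.declared))].sort()
    for (const v of missing) {
      // License present in tool results: regenerate the definition; otherwise re-harvest.
      const action = hasLicense(v.toolDeclared) ? 'recompute-definition' : 'reharvest'
      actions.push({ coordinates: v.coordinates, action, siblingLicenses })
    }
  }
  return actions
}

// Constructed sample input (toolDeclared values are invented for illustration).
const sample = [
  { coordinates: 'go/golang/github.com%2fsap/jenkins-library/v1.230.0', declared: 'Apache-2.0', toolDeclared: 'Apache-2.0' },
  { coordinates: 'go/golang/github.com%2fsap/jenkins-library/v1.231.0', declared: null, toolDeclared: 'Apache-2.0' },
  { coordinates: 'npm/npmjs/-/example-mixed/1.0.0', declared: 'MIT', toolDeclared: 'MIT' },
  { coordinates: 'npm/npmjs/-/example-mixed/1.1.0', declared: 'NOASSERTION', toolDeclared: null },
  { coordinates: 'npm/npmjs/-/example-unlicensed/1.0.0', declared: null, toolDeclared: null }
]
console.log(triage(sample))
```

Packages with no licensed version at all, such as the constructed `example-unlicensed`, are skipped because they do not match the "some versions but not others" pattern.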