Commit 2cf9728

Author: Ghaith Prosoft (committed)
Update dependencies and document flagged license
Updated `requirements.txt` to include or modify dependencies:

- ansible>=13.2.0
-ansible-core>=2.17.0
+ansible-core>=2.17.7
- certifi==2024.12.14
- cffi==1.17.1
- charset-normalizer==3.4.1
- cryptography==44.0.0
- deprecation==2.1.0

Added a new section to `LICENSING.md` to document the flagged `Microsoft.NET.Test.Sdk` package and its `MS-NET` license. Provided details on why the dependency is safe for consumers and recommended actions for auditors to handle the flagged license appropriately.
1 parent 2f19ed1 commit 2cf9728

2 files changed

Lines changed: 29 additions & 1 deletion

Lines changed: 28 additions & 0 deletions
@@ -0,0 +1,28 @@
1+
Summary
2+
=======
3+
4+
This repository contains test-only dependencies that were flagged by a license scanner. This file documents the flagged Microsoft license related to the `Microsoft.NET.Test.Sdk` package and the intended handling for auditors.
5+
6+
Flagged package
7+
---------------
8+
9+
- Package: `Microsoft.NET.Test.Sdk`
10+
- Version found: `17.6.0`
11+
- Locator: `nuget+Microsoft.NET.Test.Sdk$17.6.0`
12+
- Detected license: MS-NET (Microsoft Software License Terms)
13+
- Project: `NETCore.Keycloak.Client.Tests` (direct dependency in `NETCore.Keycloak.Client.Tests/NETCore.Keycloak.Client.Tests.csproj`)
14+
15+
Why this is safe for consumers
16+
------------------------------
17+
18+
- `Microsoft.NET.Test.Sdk` is a test-runner/test-SDK dependency used only to execute unit tests. It is not part of the runtime or production shipping artifacts for the library.
19+
- The test project includes `IsTestProject=true` and the project-level `PackageReference`s have been marked with `PrivateAssets="all"` to prevent transitive flow to consuming packages.
20+
21+
Recommended actions for auditors
22+
--------------------------------
23+
24+
1. If your organization policy accepts MS-NET for development/test tooling, allowlist the package or the MS-NET license in your scanner.
25+
2. Alternatively, configure the license scanner to ignore dev/test-only dependencies or projects that have `<IsTestProject>true</IsTestProject>`.
26+
3. If your policy forbids MS-NET entirely, remove or relocate test automation to an isolated repository or CI container and consult legal.
27+
28+
If you need, provide the scanner name and I can suggest or apply a scanner-specific ignore/allowlist configuration.
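Review bot: The bullet at line 19+ asserts that the test project's `PackageReference`s carry `PrivateAssets="all"`, but this commit does not touch `NETCore.Keycloak.Client.Tests.csproj`, so an auditor reading `LICENSING.md` cannot verify that claim from this change; either include the csproj edit here or cite the commit that made it. The argument that actually matters for consumers is already on line 18+: the library package is produced from the library project, not from the test project, so `Microsoft.NET.Test.Sdk` does not reach a consumer regardless of `PrivateAssets`, and the document would be stronger if it led with that and named the packable project. Line 28+ ("If you need, provide the scanner name and I can suggest or apply ...") reads as a chat reply rather than repository documentation and should be removed or replaced with a pointer to where scanner allowlist configuration lives in this repo.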

NETCore.Keycloak.Client.Tests/requirements.txt

Lines changed: 1 addition & 1 deletion
@@ -1,5 +1,5 @@
11
ansible>=13.2.0
2-
ansible-core>=2.17.0
2+
ansible-core>=2.17.7
33
certifi==2024.12.14
44
cffi==1.17.1
55
charset-normalizer==3.4.1
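Review bot: The only change in this hunk is raising the `ansible-core` floor from `>=2.17.0` to `>=2.17.7`, yet the commit message says `requirements.txt` was updated to "include or modify" certifi, cffi, charset-normalizer, cryptography and deprecation; those appear here as unchanged context (1 addition, 1 deletion), so the message should describe the actual change and why 2.17.7 was chosen as the new minimum. Because `ansible-core` keeps a `>=` bound while every other entry is pinned with `==`, an install will still resolve to whatever the newest release is on that day, which defeats the reproducibility the pinned lines are presumably there for; pin it (`ansible-core==2.17.7`) and, if the toolchain is meant to be auditable, generate a hash-locked file and install with `pip install --require-hashes`. A one-line comment explaining why a .NET test project carries a Python `requirements.txt` would also help the auditor scope described in `LICENSING.md` cover this file.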

0 commit comments
