Skip to content

Policy Violation Audit flagging components with valid licenses #6471

Description

@verigit-hub

Current Behavior

Hey,

We have a policy set to find components without a valid license:

Image

However, license expressions using the WITH keyword such as
"GPL-3.0-only WITH GCC-exception-3.1" continue to get picked up by this filter and reported

Image

Other license expressions using AND or OR do not suffer from this behaviour.

Happy to provide more info.

Thanks

Steps to Reproduce

  1. Create a policy with one condition: "License - is - unresolved"
  2. Add a SBOM with a component that has the license expression: "GPL-3.0-only WITH GCC-exception-3.1"
  3. Verify in the component that the expression is valid (green checkmark)
  4. Check the Policy Violation Audit and notice that the component gets picked up as having no license:
Image

Expected Behavior

Dependency-Track recognizes the license expression using WITH statements as valid licenses.

Dependency-Track Version

4.x

Browser

Mozilla Firefox

Checklist

Metadata

Metadata

Assignees

No one assigned

    Labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions