fix(sbom): fix false positives in monthly license audit#26954
Merged
Conversation
Three issues caused the monthly audit to report already-resolved submodules:

1. The audit workflow grepped for "NOASSERTION" anywhere in the output, matching the Detected column even when the Final column had a valid override (e.g. libtomcrypt detected as NOASSERTION but overridden to Unlicense). Changed to grep for the "<-- UNRESOLVED" marker instead.
2. Submodules with an explicit NOASSERTION override in license-overrides.yaml (like libfc-sensor-api, which is proprietary) were still counted as failures. Now treated as "acknowledged" since someone intentionally added the override entry.
3. Added missing BSD-3-Clause override for sitl_gazebo-classic (PX4 org project with no LICENSE file in repo).

Fixes #26932

Signed-off-by: Ramon Roche <mrpollo@gmail.com>
The monthly SBOM audit was creating issues for submodules that already had valid overrides in license-overrides.yaml. This happened because the workflow grepped for bare "NOASSERTION" anywhere in the verify output, which matched the Detected column even when the Final column was correctly resolved via override (e.g. libtomcrypt detected as NOASSERTION but overridden to Unlicense). Additionally, submodules with an intentional NOASSERTION override like libfc-sensor-api (proprietary, no LICENSE file) were still counted as failures despite being explicitly acknowledged.
This fixes three things: the workflow now greps for the specific "<-- UNRESOLVED" marker instead of bare "NOASSERTION", the verify logic treats explicit NOASSERTION overrides as acknowledged rather than as failures, and the missing BSD-3-Clause override for sitl_gazebo-classic, which has no LICENSE file in its repo, is added.
Fixes #26932
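The resolution and audit logic described above, as an added example that is not the project's own verify script or workflow: it models the Detected/Final columns, applies a license-overrides mapping, treats an explicit NOASSERTION override as acknowledged, and shows why matching on bare "NOASSERTION" produced false positives while matching on the "<-- UNRESOLVED" marker does not. The report layout, the function names and the submodule data (including the `constructed-*` entries) are assumptions constructed for illustration; the libtomcrypt, libfc-sensor-api and sitl_gazebo-classic cases mirror the ones named in the PR.

```python
"""Resolve SBOM license findings against an overrides mapping and flag
only genuinely unresolved submodules.

Constructed example, not PX4's Tools/ code: report format, function
names and all submodule data below are illustrative assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass

NOASSERTION = "NOASSERTION"
UNRESOLVED_MARKER = "<-- UNRESOLVED"


@dataclass(frozen=True)
class Row:
    name: str
    detected: str   # what the license scanner found in the submodule
    final: str      # detected value, or the override if one exists
    status: str     # "ok", "acknowledged" or "unresolved"


def resolve(detected: dict[str, str], overrides: dict[str, str]) -> list[Row]:
    """Apply license-overrides entries to scanner results."""
    rows = []
    for name, det in sorted(detected.items()):
        if name in overrides:
            final = overrides[name]
            # An explicit NOASSERTION override is a deliberate acknowledgement
            # (e.g. a proprietary submodule with no LICENSE file), not a failure.
            status = "acknowledged" if final == NOASSERTION else "ok"
        else:
            final = det
            status = "unresolved" if final == NOASSERTION else "ok"
        rows.append(Row(name, det, final, status))
    return rows


def render_report(rows: list[Row]) -> str:
    """Three-column report; unresolved rows carry the explicit marker."""
    lines = [f"{'Submodule':<36} {'Detected':<14} {'Final':<14}"]
    for r in rows:
        marker = f"  {UNRESOLVED_MARKER}" if r.status == "unresolved" else ""
        lines.append(f"{r.name:<36} {r.detected:<14} {r.final:<14}{marker}")
    return "\n".join(lines)


def old_audit_failures(report: str) -> list[str]:
    """Pre-fix check: any row mentioning NOASSERTION fails, even when the
    Detected column is NOASSERTION but the Final column is resolved."""
    return [ln.split()[0] for ln in report.splitlines()[1:] if NOASSERTION in ln]


def audit_failures(report: str) -> list[str]:
    """Post-fix check: only rows the verifier marked as unresolved fail."""
    return [ln.split()[0] for ln in report.splitlines()[1:] if UNRESOLVED_MARKER in ln]


# Constructed sample input: scanner results and overrides mapping.
DETECTED = {
    "libtomcrypt": NOASSERTION,                        # resolved by override
    "libfc-sensor-api": NOASSERTION,                   # proprietary, acknowledged
    "sitl_gazebo-classic": NOASSERTION,                # no LICENSE file, overridden
    "constructed-mit-submodule": "MIT",                # detected cleanly (constructed)
    "constructed-unresolved-submodule": NOASSERTION,   # no override at all (constructed)
}
OVERRIDES = {
    "libtomcrypt": "Unlicense",
    "libfc-sensor-api": NOASSERTION,
    "sitl_gazebo-classic": "BSD-3-Clause",
}


if __name__ == "__main__":
    report = render_report(resolve(DETECTED, OVERRIDES))
    print(report)
    print("old check flags:", old_audit_failures(report))
    print("new check flags:", audit_failures(report))
```

Run stand-alone, the old check flags four submodules (libtomcrypt and sitl_gazebo-classic because their Detected column still reads NOASSERTION, libfc-sensor-api because its acknowledged override is also NOASSERTION), while the new check flags only the constructed submodule that has neither a detected license nor an override entry.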