Skip to content

fix: filter FOSSA false positive for pinned k8s.io/client-go#334

Merged
SebTardif merged 1 commit into
mainfrom
fix/fossa-false-positive-filter
Jun 20, 2026
Merged

fix: filter FOSSA false positive for pinned k8s.io/client-go#334
SebTardif merged 1 commit into
mainfrom
fix/fossa-false-positive-filter

Conversation

@SebTardif

@SebTardif SebTardif commented Jun 20, 2026

Copy link
Copy Markdown
Contributor

Problem

The FOSSA License Check on PR #315 (release v0.1.16) fails with:

Outdated dependency detected in k8s.io/client-go@v0.36.2

This is a false positive: k8s.io/client-go@v0.36.2 is the latest stable version, pinned to match the K8s v0.36.x API version that Attune targets.

Solution

  • Add scripts/fossa-filter.py to strip known false positives from fossa test output while preserving genuine issue detection
  • Update .github/workflows/fossa.yaml to run fossa test --format json through the filter script
  • The filter supports both JSON-based and text-based (fallback) filtering, since FOSSA quality issues sometimes produce empty JSON output

False positive patterns handled

Package prefix Issue type Reason
k8s.io/ outdated Pinned to match target K8s API version
golang.org/x/text CC-BY-SA Unicode CLDR data files; module is BSD-3-Clause
golang.org/x/crypto openssl-ssleay Test fixture files; module is BSD-3-Clause

Testing

Verified locally with simulated FOSSA output:

  • Known false positives are filtered (exit 0)
  • Genuine issues are preserved (exit 1)
  • Empty JSON falls back to text-based filtering
  • Mixed results correctly separate false positives from genuine issues

@SebTardif
fix: filter FOSSA false positive for pinned k8s.io/client-go
e15f56c 
FOSSA flags k8s.io/client-go@v0.36.2 as outdated, but this is the
latest stable version pinned to match the target K8s API version.

Add scripts/fossa-filter.py to strip known false positives from
fossa test output while preserving genuine issue detection. The
filter supports both JSON and text-based fallback (quality issues
sometimes produce empty JSON output).

Update fossa.yaml to use the filter script instead of bare fossa test.

Signed-off-by: Sebastien Tardif <sebtardif@ncf.ca>
@github-actions github-actions Bot added area/ci CI/CD workflows size/m 50-249 lines changed labels Jun 20, 2026
@SebTardif SebTardif merged commit 11ae86b into main Jun 20, 2026
33 checks passed
@SebTardif SebTardif deleted the fix/fossa-false-positive-filter branch June 20, 2026 21:17
@attune-release-bot attune-release-bot Bot mentioned this pull request Jun 15, 2026
Merged
@SebTardif SebTardif mentioned this pull request Jun 20, 2026
Closed
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@github-actions github-actions[bot] github-actions[bot] approved these changes

Assignees

No one assigned

Labels

area/ci CI/CD workflows size/m 50-249 lines changed

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@SebTardif