
Fail to detect a license #281

Closed
jackpie1206 opened this issue Oct 11, 2022 · 6 comments
Labels
bug Something isn't working

Comments

@jackpie1206

I was testing with deny-licenses option and found that it failed to detect a license from https://www.npmjs.com/package/spook.js. The workflow I added was:

name: Dependency Check

on:
  pull_request:
    types: [opened, synchronize, reopened]
    branches: ['main']

jobs:
  CheckDependency:
    runs-on: ubuntu-latest

    steps:
      - name: 'Checkout'
        uses: actions/checkout@v3

      - name: 'Check dependencies for known security issues'
        uses: actions/dependency-review-action@v2
        with:
          deny-licenses: GPL-1.0, GPL-2.0, GPL-3.0, LGPL-2.0, LGPL-2.1, LGPL-3.0, AGPL-1.0, AGPL-2.0, AGPL-3.0

And my test PR made these changes:
package.json

"spook.js": "0.0.1"

package-lock.json

    "spook.js": {
      "version": "0.0.1",
      "resolved": "https://registry.npmjs.org/spook.js/-/spook.js-0.0.1.tgz",
      "integrity": "sha512-D1/7VxEuQ7xk6z/kAROe4SUbd9CzxY4zOwVGnGHerd/SgLIVU5f4esDzQUsOCeArn933BZfWMKydH7l7dPEp0g=="
    }


However, the action run for the PR didn't fail. Instead, it reported that it couldn't detect a license for spook.js.

  We could not detect a license for the following dependencies:
  
  Python/blu-ring-viewer/package-lock.json » spook.js@0.0.1
  Python/blu-ring-viewer/package.json » spook.js@0.0.1

If I manually grab the file from https://registry.npmjs.org/spook.js/-/spook.js-0.0.1.tgz I can see LICENSE.md in it which is GPL-3.0. I can also use GitHub License API to check its license and it is "gpl-3.0": https://api.github.com/repos/arthurakay/spook.js/license

{
  "name": "LICENSE.md",
  "path": "LICENSE.md",
  "sha": "e72bfddabc15be5718a7cc061ac10e47741d8219",
  "size": 35148,
  "url": "https://api.github.com/repos/arthurakay/spook.js/contents/LICENSE.md?ref=master",
  "html_url": "https://github.com/arthurakay/spook.js/blob/master/LICENSE.md",
  "git_url": "https://api.github.com/repos/arthurakay/spook.js/git/blobs/e72bfddabc15be5718a7cc061ac10e47741d8219",
  "download_url": "https://raw.githubusercontent.com/arthurakay/spook.js/master/LICENSE.md",
  "type": "file",
  "content": "...removed...",
  "encoding": "base64",
  "_links": {
    "self": "https://api.github.com/repos/arthurakay/spook.js/contents/LICENSE.md?ref=master",
    "git": "https://api.github.com/repos/arthurakay/spook.js/git/blobs/e72bfddabc15be5718a7cc061ac10e47741d8219",
    "html": "https://github.com/arthurakay/spook.js/blob/master/LICENSE.md"
  },
  "license": {
    "key": "gpl-3.0",
    "name": "GNU General Public License v3.0",
    "spdx_id": "GPL-3.0",
    "url": "https://api.github.com/licenses/gpl-3.0",
    "node_id": "MDc6TGljZW5zZTk="
  }
}

Did I do something wrong?

@febuiles
Contributor

@jackpie1206 Thanks for such a complete bug report 🙇.

The API the Action uses to fetch the vulnerability and license info has different data from the GitHub Licenses API that you linked above.

There is a draft PR to use the GitHub License information as a fallback; it's just missing some tests before getting merged! You can see how it fixes the issue you reported in this sample workflow run: https://github.com/future-funk/turbo-couscous/actions/runs/3233979525/jobs/5296523454.

@febuiles febuiles added the bug Something isn't working label Oct 12, 2022
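The thread above shows two things a license gate has to get right: a dependency whose license the primary metadata source does not carry must not silently pass (the original report), and a second source can close that gap (the fallback the maintainer describes). The following is an added example, not code from this issue or from dependency-review-action itself. It parses a package-lock.json (v1 nested `dependencies` as in the report, and v2/v3 `packages`), resolves each dependency's SPDX identifier through an ordered list of lookup callables, and reports denied, unknown and allowed packages separately. The lockfile contents, the `PRIMARY_LICENSES` and `FALLBACK_LICENSES` tables and the package names other than spook.js are constructed stand-ins for the registry metadata and the GitHub License API, so the script runs offline.

```python
"""Added example (not part of the original issue or the action's code):
classify lockfile dependencies against a deny list of SPDX identifiers,
with an ordered chain of license sources, and surface "license unknown"
as its own result so a fail-closed policy can act on it."""
import json
from typing import Callable, Dict, List, Optional

# Constructed lockfile (v1 layout, matching the report). Sample data only.
SAMPLE_LOCK = json.dumps({
    "name": "sample-app",
    "version": "1.0.0",
    "lockfileVersion": 1,
    "dependencies": {
        "spook.js": {
            "version": "0.0.1",
            "resolved": "https://registry.npmjs.org/spook.js/-/spook.js-0.0.1.tgz",
        },
        "left-pad-ish": {"version": "2.0.0"},   # hypothetical package
        "mystery-lib": {"version": "0.9.0"},    # hypothetical package
    },
})

# Constructed stand-in for the primary source (e.g. a registry "license"
# field). spook.js deliberately has no entry, mirroring the issue.
PRIMARY_LICENSES: Dict[str, Optional[str]] = {"left-pad-ish": "MIT"}

# Constructed stand-in for a fallback source (e.g. the spdx_id returned by
# the GitHub License API). mystery-lib resolves nowhere.
FALLBACK_LICENSES: Dict[str, Optional[str]] = {"spook.js": "GPL-3.0"}

# Same deny list as the workflow in the report.
DENY_LIST = {"GPL-1.0", "GPL-2.0", "GPL-3.0", "LGPL-2.0", "LGPL-2.1",
             "LGPL-3.0", "AGPL-1.0", "AGPL-2.0", "AGPL-3.0"}

LicenseSource = Callable[[str], Optional[str]]


def lockfile_packages(lock_text: str) -> Dict[str, str]:
    """Return {name: version} for every package in a lockfile (v1, v2 or v3)."""
    lock = json.loads(lock_text)
    found: Dict[str, str] = {}
    # lockfile v2/v3: keys are install paths such as "node_modules/<name>".
    for path, meta in lock.get("packages", {}).items():
        if not path:
            continue  # "" is the root project itself, not a dependency
        found[path.split("node_modules/")[-1]] = meta.get("version", "")

    # lockfile v1: a nested tree of "dependencies" objects.
    def walk(deps: Optional[dict]) -> None:
        for name, meta in (deps or {}).items():
            found[name] = meta.get("version", "")
            walk(meta.get("dependencies"))
    walk(lock.get("dependencies"))
    return found


def resolve_license(name: str, sources: List[LicenseSource]) -> Optional[str]:
    """Try each source in order; first non-empty SPDX identifier wins."""
    for source in sources:
        spdx = source(name)
        if spdx:
            return spdx
    return None


def classify(lock_text: str, deny_list: set, sources: List[LicenseSource]) -> dict:
    """Bucket every dependency as denied, unknown (no license found) or allowed."""
    report: dict = {"denied": {}, "unknown": [], "allowed": {}}
    for name, version in sorted(lockfile_packages(lock_text).items()):
        key = f"{name}@{version}"
        spdx = resolve_license(name, sources)
        if spdx is None:
            report["unknown"].append(key)
        elif spdx in deny_list:
            report["denied"][key] = spdx
        else:
            report["allowed"][key] = spdx
    return report


def should_fail(report: dict, fail_on_unknown: bool = True) -> bool:
    """Gate decision: denied licenses always fail; unknown ones fail when
    the policy is fail-closed (the safer default for a license check)."""
    return bool(report["denied"]) or (fail_on_unknown and bool(report["unknown"]))


if __name__ == "__main__":
    sources: List[LicenseSource] = [PRIMARY_LICENSES.get, FALLBACK_LICENSES.get]
    result = classify(SAMPLE_LOCK, DENY_LIST, sources)
    print(json.dumps(result, indent=2))
    print("FAIL" if should_fail(result) else "PASS")
```

With only the primary source wired in, spook.js lands in the unknown bucket, which is exactly the "could not detect a license" outcome in the report; adding the fallback source moves it to denied. Whether an unknown license should fail the check is a policy decision, which is why `should_fail` takes it as a parameter rather than hard-coding it.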
@jackpie1206
Author

@febuiles That looks promising! Question, after the PR gets merged, how long does it take for a new minor or patch release (I assume it won't be a major release)? Thanks.

@febuiles
Contributor

@jackpie1206 for these bug fixes we cut new releases instantly.

Help with the PR is always welcome if you are familiar or want to learn TypeScript/GitHub Actions!

@cnagadya
Contributor

@jackpie1206 this should be resolved in the v2.5.0 release

@jackpie1206
Author

@febuiles @cnagadya Thanks for fixing this. Question, will the major version tag "v2" also get updated to point to v2.5.0 (or later)?

@febuiles
Contributor

@jackpie1206 thanks a ton for the callout, it's been updated already!
