
Licensed packages showing on Unlicensed Local Packages listing



  • In ProGet, we have a lot of packages that show up on the 'Unlicensed Local Packages' listing, but when we view most of them, the package states it has a known license. Is there some setting that is making this occur? For example:

    Microsoft.Identity.Client 4.66.0

    Is a NuGet package that is MIT licensed, as noted on nuget.org. When I view the list of Unlicensed Local Packages, that package also shows up there. Clicking on that package and going to the metadata tab, it shows 'SPDX Expression (MIT) Known type (MIT)' for license. We do not understand why this licensed package is showing up on the unlicensed listing. Why is this happening? And is there something we can do to correct it?

    ProGet
    Version 2024.12 (Build 10)


  • inedo-engineer

    Hi @davidroberts63,

    Without looking at the database it's really hard to guess; we'd be happy to investigate your database if you send us a back-up.

    But maybe we can figure it out as well.... behind the scenes, there is a table called PackageLicenses23 which associates a specific package version (e.g. Microsoft.Identity.Client 4.66.0) with a specific license Id (MIT). The "Unlicensed Local Packages" page uses that table to find packages (FeedPackageVersions) without an entry.

    Data is added into the PackageLicenses23 table whenever a package is analyzed. So I presume that, if you go to the package and Re-analyze it, then the message goes away? This reanalysis should also occur on a nightly basis with the compliance check job.

    If you poke around in the database, note there are PackageLicenses23_Extended and FeedPackageVersions_Extended views that won't require you to do a bunch of joins to find things.

    Thanks,
    Alana



  • Thank you Alana,

    That was very helpful. I appreciate it. I did query that PackageLicense23_Extended view for the 'Microsoft.Identity.Client'. It did show a lot of that package's versions having the MIT license associated with it. However it is in fact missing a record for the 4.66.0 version. Actually it is missing license records for anything after 4.63.0. I did click on 'Reanalyze Package' for the 4.66.0 version, but no change was seen in the UI or the database. I've pasted the results of the reanalysis if it may be of any help.

    Package "pkg:nuget/Microsoft.Identity.Client@4.66.0" will analyzed with local data
    Package originates from package gallery (https://api.nuget.org/v3/index.json); remote metadata will be used to determine latest patch version instead of local feed.
    Attempting to update local package with remote metadata...
    No Remote Metadata Provider was found for "https://api.nuget.org/v3/index.json"
    Detecting vulnerabilities for "Microsoft.Identity.Client" version "4.66.0"...
    Found 0 vulnerabilities.
    Searching policies associated with feed "approved-nugets"...
    Found 1 policy to use for analysis.
    No policies define a latest patch, so latest patch will not be checked.

    Here's the query I ran:

    SELECT Package_Name, PackageType_Name, Package_Version, Title_Text, External_Id, License_Id
    FROM PackageLicenses_Extended
    WHERE Package_Name LIKE 'Microsoft.Identity.Client%'
    ORDER BY Package_Name, Package_Version


    And here is part of the query results:

    Microsoft.Identity.Client nuget 4.61.1 MIT License MIT 186
    Microsoft.Identity.Client nuget 4.61.2 MIT License MIT 186
    Microsoft.Identity.Client nuget 4.61.3 MIT License MIT 186
    Microsoft.Identity.Client nuget 4.62.0 MIT License MIT 186
    Microsoft.Identity.Client nuget 4.63.0 MIT License MIT 186
    Microsoft.Identity.Client nuget 4.7.1 MIT License MIT 186

    It almost looks as if ProGet is falling back to the last available license for the package. At the moment, the UI does appear to be consistent with the database data in part.

    Would you have any recommendations on how to get the package license information properly updated in the database so the UI removes it from the unlicensed listing?


  • inedo-engineer

    Hi @davidroberts63 ,

    Thanks for digging into this further and providing those logs; looking over the code, I think that you must have the licenses feed feature disabled?

    This setting is on the manage feed page.

    When that feature is enabled, we should see logs like:

    • Detecting licenses for {package}...
    • Found {licensesCount} licenses: {licenseCodes}

    The info is also recorded in the database in the same block.

    I can't say why you have other records; they may have come from other feeds, or maybe the feature was disabled later on... the PackageLicenses23 table is not feed specific.

    Anyway, let us know what you discover; it's a little weird to see the behavior, so we would like to confirm and tweak the UI a little bit to make it clearer.

    Thanks,
    Alana
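Two small checks that follow from Alana's explanation, added here as an example and not part of ProGet or this thread: one scans the text of a "Reanalyze Package" run and reports whether the license-detection step ("Detecting licenses for ..." / "Found N licenses: ...") ran at all, which is exactly what is absent from the log posted above; the other compares the versions on a feed against the versions that have a license record, using numeric version ordering so that 4.7.1 sorts before 4.61.1 (the query output above is text-sorted). The log line formats come from this thread; the sample inputs are constructed, and pre-release version suffixes are not handled.

```python
import re

# Log line formats quoted in this thread.
LICENSE_RE = re.compile(r"^Found (\d+) licenses?: (.*)$")
VULN_RE = re.compile(r"^Found (\d+) vulnerabilit(?:y|ies)\.$")


def parse_reanalysis_log(text):
    """Summarise a reanalysis log: did the license step run, what did it find?"""
    result = {"vulnerabilities": None, "license_step_ran": False, "licenses": []}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Detecting licenses for"):
            result["license_step_ran"] = True
        m = LICENSE_RE.match(line)
        if m:
            result["license_step_ran"] = True
            result["licenses"] = [c.strip() for c in m.group(2).split(",") if c.strip()]
        m = VULN_RE.match(line)
        if m:
            result["vulnerabilities"] = int(m.group(1))
    # No license lines at all is the symptom of license detection being off for the feed.
    return result


def version_key(version):
    """Numeric sort key: 4.7.1 < 4.61.1 (release versions only, assumption)."""
    return tuple(int(part) for part in version.split("."))


def versions_missing_license(feed_versions, licensed_versions):
    """Versions present on the feed with no PackageLicenses23 record, oldest first."""
    missing = set(feed_versions) - set(licensed_versions)
    return sorted(missing, key=version_key)


# Constructed sample: the reanalysis output posted above (license step absent).
SAMPLE_LOG_DISABLED = """\
Detecting vulnerabilities for "Microsoft.Identity.Client" version "4.66.0"...
Found 0 vulnerabilities.
Searching policies associated with feed "approved-nugets"...
"""

# Constructed sample: the same run with the feed's license detection enabled.
SAMPLE_LOG_ENABLED = SAMPLE_LOG_DISABLED + """\
Detecting licenses for pkg:nuget/Microsoft.Identity.Client@4.66.0...
Found 1 licenses: MIT
"""
```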



  • Ahh, that was it. I explicitly enabled the license detection on that feed, reanalyzed it and noticed it found a license. That package and others are being reanalyzed and falling off that list. Thank you for that.

    I believe this occurred due to some confusion in the UI. When I originally looked at the feed settings I saw this:

    [Screenshot: LicenseDetectionDisabled.png]

    Which indicated to me the license detection was enabled. However when clicking 'change' that option was not ticked. Ticking that checkbox now shows the green checkmark with the same text and the rest of the license checking seems to be working as expected.

    That initial text (screenshot from above) is very confusing. Because it literally says license detection enabled. Rather than 'License detection disabled', like the vulnerability detection says when it is disabled on some of our feeds. If it is possible to change that text to reflect the actual status I think that could be helpful to others.

    Thank you Alana for your help it is greatly appreciated.


  • inedo-engineer

    @davidroberts63 thanks for figuring that one out, that's definitely a bug...

    [Screenshot: e3cfc738-e2b4-4b5e-8359-e7c732254f17-image.png]

    ... box style was correct, but enabled/disabled text looked at wrong property 🤦

    Easy fix, difficult to spot!

