Known licenses are shown as unknown
-
Hi,
In Reporting & SCA under projects, builds I can see unknown licenses but they are known:

It should show Apache 2.0.
For newer versions of this library it shows this:

But next to 'maven' in the builds list, it is still unknown also for the newer version.
BTW, dependency track does find the attached license.
I am using the latest version of ProGet.
-
ProGet's license detection requires generally that a package is cached or local to ProGet in order to detect the license. When you visit the package page, a request is being made to download the metadata from the remote connector, which is how you can see the license in that case.
That being said:
- you can enable OSS Metadata Caching, which will perform these requests on remote packages -- but it's obviously a performance hit
- there is a known bug (fixed in 2025.15, releasing Friday) that causes certain URL-based licenses to not be detected (PG-3153)
Hope that helps to troubleshoot. A prerelease version of 2025.15 is available should you be interested.
Thanks,
Steve
-
Hi Steve,
the caching is enabled and the data was downloaded from maven during the night.
This shows the detected license is Apache 2.0 for the version 2.14 of the library:

But why is it still 'none' in the Metadata?

If I pull the library version to ProGet, the license information is gone:

Looks like local packages 'forget' their license?
-
Hi @frank-benson_4606 ,
This appears to be a known issue that will be fixed in 2025.15, releasing this Friday, that causes certain URL-based licenses to not be detected (PG-3153).
If you're using Docker, you can try upgrading to inedo/proget:25.0.15-ci.4, which should have that fix in it.
Thanks,
Steve
-
Hi Steve,
no changes with the new version. I did a reanalyze by clicking 'analyze' in Build Details under Reporting & SCA.
Did I miss anything?
Thanks,
Frank
-
I looked into this a bit closer now.
Looking at the commons-io-2.14.0.pom, there is no Licenses element specified. The pom should have that, and it'd be nice if the package authors added it; if you requested that via a pull request or issue in their github, I'm sure they would. That said, that's why it's not showing in ProGet.
This is why you see the unknown license detected, and that means you have to click "Assign License Type to Package" for ProGet to associate the package/license. I assume that you did that on 2.14.0, and selected Apache-2.0.
By default, that selection only applies to the specific version, and if you wanted it to apply to all versions of commons-io (including future ones not yet published) you'd need to click on the "Apply to all versions".
If you navigate to SCA > Licenses, and click on Apache-2.0, you can see the assignment to the package under the "Purls" tab. It would show: pkg:maven/commons-io/commons-io@2.14.0 for the version you selected.
You will need to either do this for all versions or decide if you want to add an entry to the Package Name tab (i.e. pkg:maven/commons-io/commons-io) under the Apache-2.0 license definition.
Thanks,
Steve
-
Hi Steve,
The license is known from the parent and it is available at maven as well:
https://mvnrepository.com/artifact/commons-io/commons-io/2.14.0
POM:
https://repo1.maven.org/maven2/commons-io/commons-io/2.14.0/commons-io-2.14.0.pom
-> Parent is
https://repo1.maven.org/maven2/org/apache/commons/commons-parent/62/commons-parent-62.pom
-> Parent is
https://repo1.maven.org/maven2/org/apache/apache/30/apache-30.pom
The license is included in the latter and is inherited.
Thanks,
Frank
-
Hi @frank-benson_4606 ,
Thanks for clarifying, that makes sense.
I'm afraid that ProGet does not "crawl" the parent artifacts for metadata; we had considered it, but it's rather challenging to do from an engineering standpoint, difficult to present crawler errors, and fairly uncommon.
Thanks,
Steve
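
Added example, not part of the thread and not ProGet's code: a sketch of the parent-POM license inheritance discussed above, following `<parent>` references until a POM declares `<licenses>`, with the crawler failure cases (missing parent, cycle) surfaced as errors. The POM bodies are constructed minimal stand-ins keyed by the coordinates in the URLs above, not the real file contents; `resolve_licenses`, `POMS` and `_pom` are hypothetical names, and only literal parent coordinates are handled.

```python
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

def _pom(body):
    return f'<project xmlns="http://maven.apache.org/POM/4.0.0">{body}</project>'

def _parent(group, artifact, version):
    return (f"<parent><groupId>{group}</groupId><artifactId>{artifact}</artifactId>"
            f"<version>{version}</version></parent>")

# Constructed stand-ins for the three POMs in the chain (not the real files).
POMS = {
    ("commons-io", "commons-io", "2.14.0"):
        _pom(_parent("org.apache.commons", "commons-parent", "62")),
    ("org.apache.commons", "commons-parent", "62"):
        _pom(_parent("org.apache", "apache", "30")),
    ("org.apache", "apache", "30"):
        _pom("<licenses><license><name>Apache-2.0</name></license></licenses>"),
}

def resolve_licenses(gav, fetch=POMS.get, max_depth=10):
    """Return (license names, GAVs visited).

    Maven inherits <licenses> from the nearest ancestor that declares it,
    so the walk stops at the first POM with a non-empty element.
    """
    chain = []
    while gav is not None:
        if gav in chain or len(chain) >= max_depth:
            raise ValueError(f"parent cycle or chain too deep at {gav}")
        chain.append(gav)
        xml = fetch(gav)
        if xml is None:
            raise LookupError(f"POM not available: {gav}")
        # Remote POMs are untrusted input; a real crawler should parse them
        # with a hardened parser (e.g. defusedxml) instead of plain ElementTree.
        root = ET.fromstring(xml)
        names = [n.text.strip()
                 for n in root.findall("m:licenses/m:license/m:name", NS) if n.text]
        if names:
            return names, chain
        parent = root.find("m:parent", NS)
        gav = None if parent is None else tuple(
            parent.findtext(f"m:{k}", default="", namespaces=NS).strip()
            for k in ("groupId", "artifactId", "version"))
    return [], chain

if __name__ == "__main__":
    print(resolve_licenses(("commons-io", "commons-io", "2.14.0")))
```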