Deny license option not working? about dependency-review-action HOT 4 CLOSED

FWIW, I moved my action into the same repository and get same issue. Just wanted to rule out the reusable workflow as a reason.

from dependency-review-action.

@markphip Thanks for the report! This repo has no license assigned according to the API we're using:

$ gh api -H "Accept: application/vnd.github.v3+json" /repos/future-funk/ubiquitous-enigma/dependency-graph/compare/main...adding-req
[
  {
    "change_type": "added",
    "manifest": "requirements.txt",
    "ecosystem": "pip",
    "name": "git-deps",
    "version": "\u003e= 1.1.0",
    "package_url": "",
    "license": null,
    "source_repository_url": "https://github.com/aspiers/git-deps",
    "vulnerabilities": []
  }
]

I'm not sure why that is the case, but thanks to this report I'm realizing that our error reporting on unknown licenses is only happening when faulty licenses are found. I'll update the ticket once I fix this!

from dependency-review-action.

@markphip I've updated the Action to print a message when the license for a project is unknown:

I know this is not ideal, and I hope it's a temporary thing. I hope we can mitigate this in a future release by getting more license data using the Licenses API or by improving the licensing info available in that API request.

from dependency-review-action.

That will help understand. I think it is a good change. Thanks

from dependency-review-action.