From 32093a2ba2a445dd5bd0f93cf47b2446186ce95e Mon Sep 17 00:00:00 2001
From: Christopher Phillips
Date: Tue, 2 Aug 2022 22:15:08 -0400
Subject: [PATCH 1/3] remove blanket allow
Signed-off-by: Christopher Phillips
---
 .bouncer.yaml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/.bouncer.yaml b/.bouncer.yaml
index 492f4a2cf37..36911448f5f 100644
--- a/.bouncer.yaml
+++ b/.bouncer.yaml
@@ -5,7 +5,6 @@ permit: - MPL.* - ISC ignore-packages: - - . # packageurl-go is released under the MIT license located in the root of the repo at /mit.LICENSE - github.com/anchore/packageurl-go
@@ -49,4 +48,4 @@ ignore-packages: - modernc.org/libc/uuid/uuid - modernc.org/libc/wctype - modernc.org/mathutil - - modernc.org/memory \ No newline at end of file + - modernc.org/memory
From 88b87f13b82aa4d4ff41af80d9764a31f4d8eb89 Mon Sep 17 00:00:00 2001
From: Christopher Phillips
Date: Tue, 2 Aug 2022 22:23:47 -0400
Subject: [PATCH 2/3] update bouncer check command to factor in all go files
Signed-off-by: Christopher Phillips
---
 Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Makefile b/Makefile
index b67f9740667..c1d20c24a7f 100644
--- a/Makefile
+++ b/Makefile
@@ -147,7 +147,7 @@ lint-fix: ## Auto-format all source code + run golangci lint fixers .PHONY: check-licenses check-licenses: ## Ensure transitive dependencies are compliant with the current license policy - $(TEMPDIR)/bouncer check ./cmd/syft + $(TEMPDIR)/bouncer check ./... check-go-mod-tidy: @ .github/scripts/go-mod-tidy-check.sh && echo "go.mod and go.sum are tidy!"
From da65bb126bd5fc2ba1c0766f0afe46461429912f Mon Sep 17 00:00:00 2001
From: Keith Zantow
Date: Wed, 3 Aug 2022 09:22:44 -0400
Subject: [PATCH 3/3] Add allowed licenses and mod replace for syslabs/squashfs
Signed-off-by: Keith Zantow
---
 .bouncer.yaml | 3 +++
 go.mod | 4 +++-
 go.sum | 6 ++----
 3 files changed, 8 insertions(+), 5 deletions(-)
diff --git a/.bouncer.yaml b/.bouncer.yaml
index 36911448f5f..71f3cfc7af8 100644
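Review bot: In the Makefile hunk of patch 2/3, `$(TEMPDIR)/bouncer check ./...` widens the license gate to every package in the module, but the package set is presumably still resolved for the build host's GOOS/GOARCH and default build tags, so a dependency imported only from platform- or tag-constrained files could pass unchecked. If releases are built for several platforms, the gate is tighter when CI runs `check-licenses` once per target platform, or the recipe at least carries a comment such as `# license check covers the host platform's package graph only`. The `check-licenses` rule is complete in the hunk; how bouncer loads packages is not visible here and should be confirmed.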
--- a/.bouncer.yaml
+++ b/.bouncer.yaml
@@ -1,9 +1,12 @@ permit: - BSD.* + - CC0.* - MIT.* - Apache.* - MPL.* - ISC + - WTFPL + ignore-packages: # packageurl-go is released under the MIT license located in the root of the repo at /mit.LICENSE - github.com/anchore/packageurl-go
diff --git a/go.mod b/go.mod
index 531cf36b740..5d587802421 100644
--- a/go.mod
+++ b/go.mod
@@ -216,7 +216,6 @@ require (
 github.com/prometheus/client_model v0.2.0 // indirect
 github.com/prometheus/common v0.34.0 // indirect
 github.com/prometheus/procfs v0.7.3 // indirect
- github.com/rasky/go-lzo v0.0.0-20200203143853-96a758eda86e // indirect
 github.com/remyoudompheng/bigfft v0.0.0-20200410134404-eec4a21b6bb0 // indirect
 github.com/rivo/uniseg v0.2.0 // indirect
 github.com/russross/blackfriday/v2 v2.1.0 // indirect
@@ -324,3 +323,6 @@ require (
 github.com/pkg/errors v0.9.1
 golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d // indirect
 )
+
+// Forked to remove https://github.com/rasky/go-lzo dependency, which is GPLv2 licensed.
+replace github.com/CalebQ42/squashfs => github.com/sylabs/squashfs v0.5.5-0.20220526223455-67e0f4cd95c5
diff --git a/go.sum b/go.sum
index 30a648a72d3..efc09dde923 100644
--- a/go.sum
+++ b/go.sum
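Review bot: In the `.bouncer.yaml` hunk of patch 3/3, the new `permit` entries `CC0.*` and `WTFPL` carry no note saying which dependency needs them, while the `ignore-packages` entry just below records its justification in a comment. A permit entry applies to every current and future dependency, so I would add a line above each such as `# needed by <dependency> (placeholder, fill in)`, which lets a later audit drop the entry once that dependency is gone. `CC0.*` is also a prefix pattern; if only one identifier is required (presumably CC0-1.0), listing that identifier exactly is the tighter policy.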
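Review bot: In the second go.mod hunk, the new `replace github.com/CalebQ42/squashfs => github.com/sylabs/squashfs ...` directive only takes effect when this module is the main module; a project that imports it as a library ignores the directive and resolves the original squashfs module, which, going by the removed `github.com/rasky/go-lzo` line, is what pulled in the GPLv2 dependency. `go install <module>@<version>` also refuses a module whose go.mod carries replace directives, if this is the first one in the file. I would extend the comment to say so, for example `// NOTE: replace is not inherited by importers; they need the same directive until upstream drops go-lzo.`, and record there the condition under which the pseudo-version pin on the fork can be removed.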
@@ -162,8 +162,6 @@ github.com/BurntSushi/toml v0.4.1/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbi github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= github.com/CalebQ42/GoAppImage v0.5.0 h1:znoKNXtliH754tS9sYwyOIg/0wFDjFN5Twc7PAh1rSM= github.com/CalebQ42/GoAppImage v0.5.0/go.mod h1:qHudJKAn/dlkNWNnH4h1YKXp29EZ7Bppsn7sNP2HuvU= -github.com/CalebQ42/squashfs v0.5.4 h1:Ju5EwUob8j3ShkhqqYZzaX8wB9j3N81o0iYQaIPXL7w= -github.com/CalebQ42/squashfs v0.5.4/go.mod h1:odzrLJgn0aKn2+xOsCH97c81DU/xZfTzeFBqV5ob2g4= github.com/CycloneDX/cyclonedx-go v0.5.2 h1:CkdGw2R/tZWmEbSypJVZG+3+2SAsDjJirfIrG/RbIVg= github.com/CycloneDX/cyclonedx-go v0.5.2/go.mod h1:nQCiF4Tvrg5Ieu8qPhYMvzPGMu5I7fANZkrSsJjl5mg= github.com/DataDog/datadog-go v3.2.0+incompatible/go.mod h1:LButxg5PwREeZtORoXG3tL4fMGNddJ+vMq1mwgfaqoQ= @@ -1663,8 +1661,6 @@ github.com/quasilyte/go-ruleguard/rules v0.0.0-20201231183845-9e62ed36efe1/go.mo github.com/quasilyte/go-ruleguard/rules v0.0.0-20210428214800-545e0d2e0bf7/go.mod h1:4cgAphtvu7Ftv7vOT2ZOYhC6CvBxZixcasr8qIOTA50= github.com/quasilyte/regex/syntax v0.0.0-20200407221936-30656e2c4a95/go.mod h1:rlzQ04UMyJXu/aOvhd8qT+hvDrFpiwqp8MRXDY9szc0= github.com/qur/ar v0.0.0-20130629153254-282534b91770/go.mod h1:SjlYv2m9lpV0UW6K7lDqVJwEIIvSjaHbGk7nIfY8Hxw= -github.com/rasky/go-lzo v0.0.0-20200203143853-96a758eda86e h1:dCWirM5F3wMY+cmRda/B1BiPsFtmzXqV9b0hLWtVBMs= -github.com/rasky/go-lzo v0.0.0-20200203143853-96a758eda86e/go.mod h1:9leZcVcItj6m9/CfHY5Em/iBrCz7js8LcRQGTKEEv2M= github.com/rcrowley/go-metrics v0.0.0-20181016184325-3113b8401b8a/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4= github.com/remyoudompheng/bigfft v0.0.0-20200410134404-eec4a21b6bb0 h1:OdAsTTz6OkFY5QxjkYwrChwuRruF69c169dPK26NUlk= github.com/remyoudompheng/bigfft v0.0.0-20200410134404-eec4a21b6bb0/go.mod h1:qqbHyh8v60DhA7CoWK5oRCqLrMHRGoxYCSS9EjAz6Eo= 
@@ -1850,6 +1846,8 @@ github.com/subosito/gotenv v1.3.0 h1:mjC+YW8QpAdXibNi+vNWgzmgBH4+5l5dCXv8cNysBLI github.com/subosito/gotenv v1.3.0/go.mod h1:YzJjq/33h7nrwdY+iHMhEOEEbW0ovIz0tB6t6PwAXzs= github.com/sylabs/sif/v2 v2.7.0 h1:VFzN8alnJ/3n1JA0K9DyUtfSzezWgWrzLDcYGhgBskk= github.com/sylabs/sif/v2 v2.7.0/go.mod h1:TiyBWsgWeh5yBeQFNuQnvROwswqK7YJT8JA1L53bsXQ= +github.com/sylabs/squashfs v0.5.5-0.20220526223455-67e0f4cd95c5 h1:cFtGHruT2MgOXuJXoUsVa3YnMjWRLyfWQimYqgHfEYQ= +github.com/sylabs/squashfs v0.5.5-0.20220526223455-67e0f4cd95c5/go.mod h1:KcAcFI40g5WprgOdtjLeKjZ4cpNCwdRJPdP2jM92Slc= github.com/sylvia7788/contextcheck v1.0.4/go.mod h1:vuPKJMQ7MQ91ZTqfdyreNKwZjyUg6KO+IebVyQDedZQ= github.com/syndtr/gocapability v0.0.0-20170704070218-db04d3cc01c8/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww= github.com/syndtr/gocapability v0.0.0-20180916011248-d98352740cb2/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww=