From 685f9248e4ae671f4295af4dd9dd83f7089e2886 Mon Sep 17 00:00:00 2001
From: Ramon Roche
Date: Thu, 2 Apr 2026 15:00:50 +0000
Subject: [PATCH] fix(sbom): fix false positives in monthly license audit
Three issues caused the monthly audit to report already-resolved submodules:
1. The audit workflow grepped for "NOASSERTION" anywhere in the output, matching the Detected column even when the Final column had a valid override (e.g. libtomcrypt detected as NOASSERTION but overridden to Unlicense). Changed to grep for "<-- UNRESOLVED" marker instead.
2. Submodules with an explicit NOASSERTION override in license-overrides.yaml (like libfc-sensor-api, which is proprietary) were still counted as failures. Now treated as "acknowledged" since someone intentionally added the override entry.
3. Added missing BSD-3-Clause override for sitl_gazebo-classic (PX4 org project with no LICENSE file in repo).
Fixes #26932
Signed-off-by: Ramon Roche
---
.github/workflows/sbom_monthly_audit.yml | 6 +++---
Tools/ci/generate_sbom.py | 10 +++++++---
Tools/ci/license-overrides.yaml | 6 ++++++
3 files changed, 16 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/sbom_monthly_audit.yml b/.github/workflows/sbom_monthly_audit.yml
index 793ae95835..418ab5e22c 100644
--- a/.github/workflows/sbom_monthly_audit.yml
+++ b/.github/workflows/sbom_monthly_audit.yml
@@ -39,10 +39,10 @@ jobs:
- name: Check for issues
id: check
run: |
- if grep -q "NOASSERTION" /tmp/sbom-verify.txt; then
+ if grep -q "<-- UNRESOLVED" /tmp/sbom-verify.txt; then
echo "has_issues=true" >> "$GITHUB_OUTPUT"
- # Extract NOASSERTION lines
- grep "NOASSERTION" /tmp/sbom-verify.txt | grep -v "skipped" > /tmp/sbom-issues.txt || true
+ # Extract only genuinely unresolved license lines
+ grep "<-- UNRESOLVED" /tmp/sbom-verify.txt > /tmp/sbom-issues.txt || true
# Extract copyleft lines
sed -n '/Copyleft licenses detected/,/^$/p' /tmp/sbom-verify.txt > /tmp/sbom-copyleft.txt || true
else
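Review bot: With `has_issues` now keyed solely on the `<-- UNRESOLVED` marker, a run in which the generator crashed or wrote an empty /tmp/sbom-verify.txt takes the `else` branch and reports a clean month, so the check should fail closed, e.g. `if [ ! -s /tmp/sbom-verify.txt ] || grep -q "<-- UNRESOLVED" /tmp/sbom-verify.txt; then`. The unchanged `sed` that extracts the copyleft report also only runs inside this branch, so copyleft detections with no unresolved entry are never surfaced unless that is intended; `grep -q -e "<-- UNRESOLVED" -e "Copyleft licenses detected"` would trigger the issue path for both. How /tmp/sbom-verify.txt is produced and whether that step's exit status is already checked is outside this hunk, so the first point is hedged on that.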
diff --git a/Tools/ci/generate_sbom.py b/Tools/ci/generate_sbom.py
index 288f089983..cbca30db39 100755
--- a/Tools/ci/generate_sbom.py
+++ b/Tools/ci/generate_sbom.py
@@ -478,6 +478,7 @@ def verify_licenses(source_dir):
sub_dir = source_dir / sub_path
checked_out = sub_dir.is_dir() and any(sub_dir.iterdir())
+ has_explicit_override = sub_path in license_overrides
if not checked_out:
detected = "(not checked out)"
override = license_overrides.get(sub_path, "")
@@ -487,9 +488,12 @@ def verify_licenses(source_dir):
override = license_overrides.get(sub_path, "")
final = override if override else detected
- if final == "NOASSERTION" and checked_out:
+ if final == "NOASSERTION" and has_explicit_override:
+ # Explicitly acknowledged in overrides file — not a failure
+ marker = " (acknowledged)"
+ elif final == "NOASSERTION" and checked_out:
has_noassertion = True
- marker = " <-- NOASSERTION"
+ marker = " <-- UNRESOLVED"
elif final == "NOASSERTION" and not checked_out:
marker = " (skipped)"
else:
@@ -521,7 +525,7 @@ def verify_licenses(source_dir):
print()
if has_noassertion:
- print("FAIL: Some submodules resolved to NOASSERTION. "
+ print("FAIL: Some submodules have unresolved licenses. "
"Add an entry to Tools/ci/license-overrides.yaml or check the LICENSE file.")
return 1
diff --git a/Tools/ci/license-overrides.yaml b/Tools/ci/license-overrides.yaml
index e08aeaeb7b..54457c7fad 100644
--- a/Tools/ci/license-overrides.yaml
+++ b/Tools/ci/license-overrides.yaml
@@ -9,6 +9,12 @@ overrides:
license: "LGPL-3.0-only AND MIT"
comment: "Generator is LGPL-3.0; PX4 ships only MIT-licensed generated headers."
+ Tools/simulation/gazebo-classic/sitl_gazebo-classic:
+ license: "BSD-3-Clause"
+ comment: >-
+ PX4 org project. No LICENSE file in repo; source files carry
+ BSD-3-Clause headers consistent with the PX4 project license.
+
src/lib/cdrstream/cyclonedds:
license: "EPL-2.0 OR BSD-3-Clause"
comment: >-
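Review bot: The new `(acknowledged)` branch keys on the override key merely existing (`has_explicit_override`), not on the override value being `NOASSERTION`: because `final = override if override else detected`, an entry whose `license` comes back as an empty string leaves `final` at the detected value, and a detected `NOASSERTION` is then silently acknowledged instead of flagged as unresolved. Testing the value closes that gap and is also what the commit description claims, `if override == "NOASSERTION":` as the first branch (it still acknowledges the entry whether or not the submodule is checked out). Whether the loader can produce an empty license for a present key depends on how `license_overrides` is built, which is outside this hunk. For an audit it would also help to count acknowledged entries and print them alongside the FAIL summary so proprietary components stay visible month to month rather than only carrying a table marker. `verify_licenses` starts and ends outside this hunk.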
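Review bot: The new `sitl_gazebo-classic` override asserts `BSD-3-Clause` for whatever commit the submodule pointer resolves to, and per the generator's `final = override if override else detected` an override always wins, so if upstream later adds a LICENSE file or headers under a different license the audit will keep reporting BSD-3-Clause. The comment should record what was checked so the entry is re-verified on the next submodule bump, e.g. extend it with `Verified against the pinned submodule commit at time of entry; re-check when bumping.` A warning in the generator when an override exists but a LICENSE file is detected that disagrees would make this systematic, but that belongs in generate_sbom.py rather than this file.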