
enhancement(python): use one info and multiple debug logs for License acquired from METADATA... message #8160

Closed
DmitriyLewen opened this issue Dec 23, 2024 Discussed in #8159 · 8 comments · Fixed by #8175
Assignees
Labels
scan/license Issues relating to license scanning

Comments

@DmitriyLewen
Contributor

Description

`License acquired from METADATA classifiers may be subject to additional terms` messages can be too noisy.
So we need to use `Once` to show a single Info log and move these messages to the Debug level.
See #8159 for example.

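The logging pattern proposed in the description (a single Info line guarded by `sync.Once`, one Debug line per affected package), as an added Go example that is not Trivy's own code; the `ClassifierLicenseLogger` type, the `Package` struct and `RunScan` are hypothetical names chosen for the illustration.

```go
package main

import (
	"bytes"
	"log/slog"
	"strings"
	"sync"
)

// Message text as quoted in the issue.
const classifierMsg = "License acquired from METADATA classifiers may be subject to additional terms"

// Package is a constructed stand-in for one parsed METADATA entry.
type Package struct{ Name, License string }

// ClassifierLicenseLogger (hypothetical helper, not Trivy's code) logs the
// notice once at INFO and records every affected package at DEBUG.
type ClassifierLicenseLogger struct {
	logger *slog.Logger
	once   sync.Once // guards the single INFO line for the whole scan
}

func NewClassifierLicenseLogger(l *slog.Logger) *ClassifierLicenseLogger {
	return &ClassifierLicenseLogger{logger: l}
}

// Report is called for each package whose license came from classifiers.
func (c *ClassifierLicenseLogger) Report(p Package) {
	c.once.Do(func() { // first hit only
		c.logger.Info(classifierMsg, "hint", "enable debug logging to list packages")
	})
	c.logger.Debug(classifierMsg, "package", p.Name, "license", p.License)
}

// RunScan feeds pkgs through a fresh reporter writing to an in-memory text
// handler and returns how many INFO and DEBUG lines were emitted.
func RunScan(pkgs []Package, debugEnabled bool) (infoLines, debugLines int) {
	level := slog.LevelInfo
	if debugEnabled {
		level = slog.LevelDebug
	}
	var buf bytes.Buffer
	h := slog.NewTextHandler(&buf, &slog.HandlerOptions{Level: level})
	rep := NewClassifierLicenseLogger(slog.New(h))
	for _, p := range pkgs {
		rep.Report(p)
	}
	out := buf.String()
	return strings.Count(out, "level=INFO "), strings.Count(out, "level=DEBUG ")
}
```

With three affected packages and debug logging enabled this yields one INFO line and three DEBUG lines; at the default INFO level only the single INFO line remains.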

@DmitriyLewen DmitriyLewen added the scan/license Issues relating to license scanning label Dec 23, 2024
@DmitriyLewen DmitriyLewen self-assigned this Dec 23, 2024
@sparrowt

Thanks for promoting this to an issue. Out of interest why is it necessary to be running this license code at all when --scanners does not include license?

@DmitriyLewen
Contributor Author

This is a feature of the cache.
Trivy collects all the information about the package and puts it in the cache so that later you don't have to scan the image again.

@sparrowt

I see, maybe there shouldn't be even 1 line at INFO level unless you have the license scanner enabled?

@DmitriyLewen
Contributor Author

There is a problem with this.
Analyzers/parsers do not have information about the scanners used.

@sparrowt

Hum, perhaps at this stage it shouldn't log anything then (this doesn't seem like an error) and if there is something important to flag to the user then the license scanner should do this based on whatever the analyser put into the cache?

@DmitriyLewen
Contributor Author

There are challenges with this as well because the METADATA file has 4 fields for licenses, and Trivy parses these fields in the parser and only passes the resulting values to the cache.

It will be quite problematic to determine which specific field the license was obtained from after retrieving the cache.

@sparrowt

Interesting, ok. I'm unfamiliar with the details behind `License acquired from METADATA classifiers may be subject to additional terms`, but certainly reducing it to 1 line of output would be an improvement (thanks!).

Even seeing that one line I wouldn't really be sure what to do about it but that's a separate question!

@knqyf263
Collaborator

The license scanner is to detect license problems. Trivy shows package information, such as package name, version, license, etc., regardless of whether the license scanning is enabled.
