Open
Description
Describe the bug
We are hoping to use `allow-dependencies-licenses` to ignore internal org dependencies. Doing so seems to still warn on the fact that no licenses were found:

I cannot post more information due to internal details leakage, but the 42 count are all internal and part of the `allow-dependencies-licenses` config. We are able to skip the check for those that do have a license.
To Reproduce
Steps to reproduce the behavior:
- Add a package (we tried maven) known to have no licenses to `allow-dependencies-licenses`. We used an internal one
- Check the output, the warn section still mentions the package
Expected behavior
Ignoring a license should not warn that there is no license.
Version
```yaml
- name: Scan
  uses: actions/dependency-review-action@72eb03d02c7872a771aacd928f3123ac62ad6d3a # v4.3.3
```
Example
```yaml
- name: Scan
  uses: actions/dependency-review-action@72eb03d02c7872a771aacd928f3123ac62ad6d3a # v4.3.3
  with:
    allow-dependencies-licenses: 'pkg:maven/<org>/<pkg>, pkg:maven/org.springframework.retry/spring-retry@2.0.11'
```
The first one shows up in the warnings, the second is skipped.