
No way to deny all licenses while allowing specific ones #101

Closed
tapanagupta opened this issue Jul 10, 2024 · 3 comments · Fixed by #123
@tapanagupta

Hello,

I'm trying to create a .grant.yaml config file that would achieve the following behavior: Deny all licenses except for the ones that have corresponding 'allow' rules in .grant.yaml.

First, I tried to specify allow rules for specific licenses, as shown below, expecting that non-matching licenses would be denied. However, the resulting output allowed ALL licenses.

#.grant.yaml
config: ".grant.yaml"
format: json # table, json
show-packages: true # show the packages which contain the licenses --show-packages
non-spdx: true # list only licenses that could not be matched to an SPDX identifier --non-spdx
osi-approved: true # highlight licenses that are not OSI approved --osi-approved
rules:
    - pattern: "LGPL"
      name: "allow-lgpl"
      mode: "allow"
      reason: "LGPL is good."

Next, I tried to specify a 'deny all' rule alongside the allow rule, but this time ALL licenses were denied.

#.grant.yaml
config: ".grant.yaml"
format: json # table, json
show-packages: true # show the packages which contain the licenses --show-packages
non-spdx: true # list only licenses that could not be matched to an SPDX identifier --non-spdx
osi-approved: true # highlight licenses that are not OSI approved --osi-approved
rules:
    - pattern: "LGPL"
      name: "allow-lgpl"
      mode: "allow"
      reason: "LGPL is good."
    - pattern: "**"
      name: "deny-all"
      mode: "deny"
      reason: "Deny everything by default."

Below is the command used for running the tests (SBOM from Syft fed as input):

grant check -o json syft.spdx-json.json | jq > grant.json

In general, from my testing, I observed that when Grant is supplied with a config file, it allows all licenses by default, but when not supplied with a config file, it denies all licenses by default.

From the Grant documentation:

Grant can be used to deny specific licenses while allowing all others. It can also be used to allow specific licenses, denying all others.

The question is, how do I achieve the latter, i.e. allow specific licenses while denying all others? Thank you for looking into this issue.

@tapanagupta changed the title from "No way to deny all licenses while only allowing specific ones" to "No way to deny all licenses while allowing specific ones" on Jul 10, 2024
@spiffcs (Collaborator) commented Jul 11, 2024

Thanks @tapanagupta! I'll take a look at this right away because this is definitely not behaving as expected. `**` should be a valid rule - does `*` also fail for you as well?

Here is our integration test for denial on an empty config:
https://github.com/anchore/grant/blob/main/test/cli/check_test.go

I'll get this fleshed out with your case and a bit more cases so this feature is behaving as expected.

@spiffcs spiffcs added this to OSS Jul 11, 2024
@spiffcs spiffcs moved this to In Progress in OSS Jul 11, 2024
@spiffcs spiffcs self-assigned this Jul 11, 2024
@tapanagupta (Author) commented

Thanks for looking into this, @spiffcs! To answer your question, I ran a test using * instead of ** and got the same result.

Looking forward to further updates on this.

@spiffcs spiffcs added the bug Something isn't working label Jul 23, 2024
@willpxxr commented

Looks like only denies have been implemented, per:

if rule.Mode != Deny {

There is also a comment above, in the policy struct, with a TODO for that feature:

// TODO: maybe there should be a strict option that denies all and then only allows what is explicitly allowed

So it looks like it's not possible to implement a deny by default and allow list licenses right now.
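To make the behaviour reported in this thread concrete, here is an added Go illustration (my own code, not grant's): a small rule evaluator with a hypothetical `Strict` switch standing in for the TODO quoted above, and an assumed glob matcher built on `path.Match` (so the allow pattern is written `LGPL*`). A deny-only pass treats the first config above as "allow all" and the second as "deny all"; the strict, allow-first pass yields the deny-by-default allow list the issue asks for.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Rule carries the fields used by the rules in the .grant.yaml above; Mode is "allow" or "deny".
type Rule struct{ Pattern, Name, Mode string }
// Policy adds a hypothetical Strict switch standing in for the TODO quoted in the thread.
type Policy struct{ Rules []Rule; Strict bool }

// matches is an assumed matcher: collapse "**" to "*", then glob-match case-insensitively.
func matches(pattern, license string) bool {
	p := strings.ToLower(strings.ReplaceAll(pattern, "**", "*"))
	ok, err := path.Match(p, strings.ToLower(license))
	return err == nil && ok
}

// Evaluate returns the decision ("allow"/"deny") and the name of the rule that produced it.
// Non-strict consults only deny rules and defaults to allow (the `rule.Mode != Deny` path);
// strict consults allow rules first, then deny rules, and defaults to deny.
func (p Policy) Evaluate(license string) (string, string) {
	if p.Strict {
		for _, r := range p.Rules {
			if r.Mode == "allow" && matches(r.Pattern, license) {
				return "allow", r.Name
			}
		}
	}
	for _, r := range p.Rules {
		if r.Mode == "deny" && matches(r.Pattern, license) {
			return "deny", r.Name
		}
	}
	if p.Strict {
		return "deny", "default-deny"
	}
	return "allow", "default-allow"
}

func main() {
	rules := []Rule{{"LGPL*", "allow-lgpl", "allow"}, {"**", "deny-all", "deny"}}
	for _, lic := range []string{"LGPL-2.1-only", "MIT"} { // constructed sample licenses
		lax, _ := Policy{Rules: rules}.Evaluate(lic)
		strict, by := Policy{Rules: rules, Strict: true}.Evaluate(lic)
		fmt.Printf("%-14s deny-only pass: %s  strict pass: %s (%s)\n", lic, lax, strict, by)
	}
}
```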

psududemike added a commit to psududemike/grant that referenced this issue Sep 10, 2024
spiffcs added a commit that referenced this issue Oct 3, 2024
@github-project-automation github-project-automation bot moved this from Stalled to Done in OSS Oct 3, 2024