new Dulwich dependency is getting flagged by Sonatype scanner - License #6298
Unanswered
Imaclean74 asked this question in General
Replies: 2 comments 1 reply
-
Dulwich is, as you say, dual-licensed: either Apache 2.0 or GPL. So you can just choose Apache and should fix any tooling that objects to this. Clearly not a poetry bug.
-
I'm migrating this to a discussion as there is nothing Poetry can do here, but others may find documentation of steps taken to make this work in your corporation useful.
-
This isn't strictly speaking a poetry bug - but flagging here since it might be affecting others. Like many large companies, we're using an internal PyPI mirror using Sonatype. This mirror flags various "vulnerabilities" and will block the download of flagged packages. In this case Dulwich is being flagged since it's dual-licensed - and the scanner is configured to reject GPL-licensed packages :(
This prevents Poetry being installed via pipx.
I'll see what the options are to potentially whitelist it internally. But logging this here in case others are hitting the same issue. And/or if there are any alternative libraries available for managing git repos with more favorable licensing. Favorable for corporate use, that is.
https://help.sonatype.com/docs