ci-license-scan does not fail on UNKNOWN
Affected images versions
Not relevant; this bug affects our ci-license-scan pipeline.
Steps to reproduce
Run a new pipeline on the v2024dev2 branch of aom.
Expected result
scan-licenses should fail with an UNKNOWN license error.
Actual result
scan-licenses passes and debian/apertis/copyright reports UNKNOWN licenses.
https://gitlab.apertis.org/pkg/aom/-/blob/apertis/v2024dev2/debian/apertis/copyright
Reproducibility
How often the issue is hit when repeating the test and changing nothing (same device, same image, etc.)?
- ✅ always
- often, but not always
- rarely
Impact of bug
This bug is blocking the rebase since we cannot move packages to target and license scan is reporting UNKNOWN licenses for packages in target.
Attachments
NA
Root cause
When the license scanner returns an UNKNOWN license, it takes the Files: * paragraph of debian/copyright, uses it as the default license, and dumps this data into debian/apertis/copyright.new. It then compares the original debian/apertis/copyright with the modified debian/apertis/copyright.new. If the two files differ, it returns an error.
So when an UNKNOWN license is reported, the original and modified files show a diff and the license scan pipeline fails with an UNKNOWN license error. This is the behavior in bullseye with python-debian version 0.1.39. In bookworm, with version 0.1.49, the UNKNOWN license is not replaced by the license in debian/copyright, so the original and modified copyright files are the same and the pipeline passes. The issue is caused by commit https://salsa.debian.org/python-debian-team/python-debian/-/commit/e7990d2ab83057a2aaf7851f4250f1072f6fee8c. As a workaround, revert it so that the license scanner reports correct licenses.
Report this issue to upstream with a reproducible test case.
After more research, the root cause is that python-debian has changed its internal data structure, and with this change the logic we had no longer applies.
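The root cause above means the pipeline only failed as a side effect of a diff between the two copyright files. The following is an added example, not the Apertis ci-license-scan code: an explicit gate that fails whenever a Files paragraph carries an UNKNOWN license, independent of the python-debian version. The sample copyright text and the function names are constructed, and it assumes a minimal standard-library parser in place of python-debian.

```python
import re

# Constructed sample in machine-readable debian/copyright (DEP-5) format.
SAMPLE = """\
Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/

Files: *
Copyright: 2018 Example Authors
License: BSD-2-Clause

Files: third_party/foo/bar.c
 third_party/foo/baz.c
Copyright: UNKNOWN
License: UNKNOWN

Files: tools/gen.py
Copyright: 2020 Example Authors
License: BSD-2-Clause or UNKNOWN
"""

def paragraphs(text):
    """Split a deb822 document into {field: value} dicts, folding continuation lines."""
    for block in re.split(r"\n\s*\n", text.strip()):
        fields, key = {}, None
        for line in block.splitlines():
            if line[:1] in (" ", "\t") and key:
                fields[key] += "\n" + line.strip()
            elif ":" in line:
                key, _, value = line.partition(":")
                fields[key] = value.strip()
        yield fields

def unknown_license_files(text):
    """Return the file patterns whose License short name contains UNKNOWN."""
    hits = []
    for para in paragraphs(text):
        if "Files" not in para:
            continue  # header or stand-alone License paragraph
        # Only the first line of License holds the short name or expression.
        short_name = para.get("License", "").split("\n", 1)[0]
        if re.search(r"\bUNKNOWN\b", short_name, re.IGNORECASE):
            hits.extend(para["Files"].split())
    return hits

if __name__ == "__main__":
    bad = unknown_license_files(SAMPLE)
    for path in bad:
        print(f"UNKNOWN license: {path}")
    raise SystemExit(1 if bad else 0)  # non-zero exit fails the CI job
```

Run against the generated debian/apertis/copyright, a check of this kind keeps the job red even when the original and .new files are identical.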
Outcomes
- pkg/python-debian!4 (merged)
- pkg/python-debian!5 (merged)
- apertis-docker-images!288 (closed)
- apertis-docker-images!292 (merged)
Management data
This section is for management only, it should be the last one in the description.
/cc @andrunko @em @sagar @sudarshan @wlozano
Phabricator link: https://phabricator.apertis.org/T9737