Given we have a source branch (main) and a feature branch (feature-1).
feature-1 is based upon main.
On main there is a not yet remediated finding: dependencyA uses unapproved license AGPL.
In that scenario running fossa test --diff only fails when feature-1 introduces new findings.
However, an update of dependencyA on feature-1 also causes fossa test --diff to fail, despite it being the same dependency with the same license, just another version.
To Reproduce
- create a source branch
- create a license compliance violation
- run fossa analyze for the source branch
- create a new branch from source branch
- update the dependency that causes the violation
- run fossa analyze for the new branch
- run fossa test --diff for the revisions of the two branches
Expected behavior
Even if the finding is not yet remediated on the source branch, a "diff" command should not report a difference if the source of non-compliance is the same for both diffed revisions: same dependency, same license, same violation.
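To make the expected semantics concrete, here is an added model (not FOSSA's code) of the two ways a diff can key findings: a version-sensitive key, which reproduces the observed failure on a plain version bump, and a dependency-plus-license key, which is what this report asks for and still catches a newly added AGPL dependency or a relicensed one. The Finding fields, versions and license identifiers are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One license-policy violation as a diff would see it (constructed shape)."""
    dependency: str
    version: str
    license: str


def new_findings(base, head, ignore_version):
    """Return findings in `head` that are not already present in `base`.

    ignore_version=False keys on (dependency, version, license): a version
    bump of an already-violating dependency shows up as a new finding.
    ignore_version=True keys on (dependency, license): the same dependency
    with the same unapproved license is treated as the same, pre-existing
    violation, while a new dependency or a changed license still surfaces.
    """
    def key(f):
        if ignore_version:
            return (f.dependency, f.license)
        return (f.dependency, f.version, f.license)

    base_keys = {key(f) for f in base}
    return sorted((f for f in head if key(f) not in base_keys), key=key)


def diff_fails(base, head, ignore_version):
    """The gate a CI job would apply: fail only when the diff is non-empty."""
    return bool(new_findings(base, head, ignore_version))


# Constructed sample data for the scenario in the report.
MAIN = [Finding("dependencyA", "1.0.0", "AGPL-3.0")]
# feature-1 only bumps dependencyA; same dependency, same license.
FEATURE_1_BUMP = [Finding("dependencyA", "1.1.0", "AGPL-3.0")]
# feature-1 additionally pulls in a second AGPL dependency: a genuine new finding.
FEATURE_1_NEW_DEP = FEATURE_1_BUMP + [Finding("dependencyB", "2.0.0", "AGPL-3.0")]
# dependencyA changes license on upgrade: also a genuine new finding.
FEATURE_1_RELICENSED = [Finding("dependencyA", "2.0.0", "SSPL-1.0")]

if __name__ == "__main__":
    for name, head in [("bump", FEATURE_1_BUMP), ("new dep", FEATURE_1_NEW_DEP),
                       ("relicensed", FEATURE_1_RELICENSED)]:
        print(name, "version-sensitive:", diff_fails(MAIN, head, False),
              "dependency+license:", diff_fails(MAIN, head, True))
```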
Additional context
I admit it's more of an edge case, as findings on main or production branches should always be remediated asap. But in our case the command broke the CI/CD pipeline, effectively preventing us from rolling out hotfix updates within the timeframe requested by a customer.