FIX: Missing package not reporting as inconclusive in build analysis
Created:
5/14/2024 11:36:39 PM by Alana Tripp
Status:
Awaiting Release on 5/17/2024 2:53:27 PM
Last pulled:
5/17/2024 9:37:15 PM
Description:
See:
https://forums.inedo.com/topic/4152/proget-sca-2024-preview-feedback-package-detection-still-hit-or-miss/16
Two issues: (1) package name is not logged, (2) result is not inconclusive
--------
Create a SBOM with a package not in ProGet (e.g. FakeAutoMapper-1.0.0) package, then analyze. It should be inclusive and document the package name. It does not seem to do that:
```
Analyzing compliance...
Beginning license rule analysis...
Default rules: undectableLicense=Warn, unspecifiedLicense=Compliant
The package is not cached or local to any feed; without package metadata, license detection is limited.
No licenses detected on package; applying undectableLicense rule (Warn)
License rule analysis complete.
The package is not cached or local to any feed; cannot determine if Deprecated.
No policies define a deprecation rule, so default Warn will be used.
The package is not cached or local to any feed; cannot determine if Unlisted.
No policies define an unlisted rule, so default Warn will be used.
Package is Warn because of Package Status is Unlisted, Package Status is Deprecated, No license detected.
```