feature: add support for allowlists (#123)

* feature: add support for allowlists

This adds supports for denying all packages, and only allow selected ones by implementing support for `mode: "allow"`.

Such as:

```
rules:
  - pattern: "BSD-*"
    name: "bsd-allow"
  - pattern: "*"
    name: "default-deny-all"
    mode: "deny"
```

Signed-off-by: Mikail Kocak <mikail-gh@pm.me>

* test: add nonspdx default licenses test

Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>

* chore: add ignore as an "allow"

Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>

* feat: update policy

Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>

---------

Signed-off-by: Mikail Kocak <mikail-gh@pm.me>
Signed-off-by: Christopher Angelo Phillips <32073428+spiffcs@users.noreply.github.com>
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
Co-authored-by: Christopher Angelo Phillips <32073428+spiffcs@users.noreply.github.com>

Author: NyanKiyoshi

README.md

@@ -94,6 +94,9 @@ It can also be used to allow specific licenses, denying all others.
 ![json-output](https://github.com/anchore/grant/assets/32073428/c2d89645-e323-4f99-a179-77e5a750ee6a)
 
 ## Configuration
+
+### Example: Deny GPL
+
 ```yaml
 #.grant.yaml
 config: ".grant.yaml"
@@ -109,3 +112,28 @@ rules:
       exclusions:
         - "alpine-base-layout" # We don't link against this package so we don't care about its license
 ```
+
+### Example: Allow Lists
+
+In this example, all licenses are denied except BSD and MIT:
+
+```yaml
+#.grant.yaml
+rules:
+  - pattern: "BSD-*"
+    name: "bsd-allow"
+    mode: "allow"
+    reason: "BSD is compatible with our project"
+    exceptions:
+      # Packages to disallow even if they are licensed under BSD.
+      - my-package
+  - pattern: "MIT"
+    name: "mit-allow"
+    mode: "allow"
+    reason: "MIT is compatible with our project"
+  # Reject the rest.
+  - pattern: "*"
+    name: "default-deny-all"
+    mode: "deny"
+    reason: "All licenses need to be explicitly allowed"
+```

grant/evalutation/license_evaluation_test.go

@@ -1,6 +1,8 @@
 package evalutation
 
 import (
+	"github.com/gobwas/glob"
+	"github.com/google/go-cmp/cmp"
 	"testing"
 
 	"github.com/anchore/grant/grant"
@@ -43,3 +45,154 @@ func Test_NewLicenseEvaluations(t *testing.T) {
 func fixtureCase(fixturePath string) []grant.Case {
 	return grant.NewCases(fixturePath)
 }
+
+func Test_checkLicense(t *testing.T) {
+	tests := []struct {
+		name    string
+		config  EvaluationConfig
+		license grant.License
+		wants   struct {
+			Pass    bool
+			Reasons []Reason
+		}
+	}{
+		{
+			name:    "should reject denied licenses when SPDX expressions and CheckNON SPDX is False",
+			license: grant.License{ID: "MIT", SPDXExpression: "MIT", LicenseID: "MIT"},
+			// Only allow OSI licenses.
+			config: EvaluationConfig{CheckNonSPDX: false, Policy: grant.DefaultPolicy().SetMatchNonSPDX(false)},
+			wants: struct {
+				Pass    bool
+				Reasons []Reason
+			}{
+				Pass: false,
+				Reasons: []Reason{{
+					Detail:   ReasonLicenseDeniedPolicy,
+					RuleName: "default-deny-all",
+				}},
+			},
+		},
+		{
+			name:    "should reject denied licenses when CheckNonSPDX is also true",
+			license: grant.License{Name: "foobar"},
+			// Only allow OSI licenses.
+			config: EvaluationConfig{CheckNonSPDX: true, Policy: grant.DefaultPolicy().SetMatchNonSPDX(true)},
+			wants: struct {
+				Pass    bool
+				Reasons []Reason
+			}{
+				Pass: false,
+				Reasons: []Reason{{
+					Detail:   ReasonLicenseDeniedPolicy,
+					RuleName: "default-deny-all",
+				}},
+			},
+		},
+		{
+			name: "non-OSI approved licenses should be denied when EvaluationConfig.OsiApproved is true",
+			license: grant.License{
+				IsOsiApproved:  false,
+				LicenseID:      "AGPL-1.0-only",
+				SPDXExpression: "AGPL-1.0-only",
+			},
+			// Only allow OSI licenses.
+			config: EvaluationConfig{OsiApproved: true},
+			wants: struct {
+				Pass    bool
+				Reasons []Reason
+			}{
+				Pass: false,
+				Reasons: []Reason{{
+					Detail:   ReasonLicenseDeniedOSI,
+					RuleName: RuleNameNotOSIApproved,
+				}},
+			},
+		},
+		{
+			name: "non-OSI approved licenses should be allowed when it's not an SPDX expression",
+			license: grant.License{
+				IsOsiApproved: false,
+				// Non-SPDX license
+				Name: "AGPL-1.0-only",
+			},
+			// Only allow OSI licenses.
+			config: EvaluationConfig{OsiApproved: true},
+			wants: struct {
+				Pass    bool
+				Reasons []Reason
+			}{
+				Pass:    true,
+				Reasons: []Reason{{Detail: ReasonLicenseAllowed}},
+			},
+		},
+		{
+			name: "non-OSI approved licenses should be allowed when EvaluationConfig.OsiApproved is false",
+			license: grant.License{
+				IsOsiApproved:  false,
+				LicenseID:      "AGPL-1.0-only",
+				SPDXExpression: "AGPL-1.0-only",
+			},
+			config: EvaluationConfig{},
+			wants: struct {
+				Pass    bool
+				Reasons []Reason
+			}{
+				Pass:    true,
+				Reasons: []Reason{{Detail: ReasonLicenseAllowed}},
+			},
+		},
+		{
+			// Verifies rules are evaluated from first to last.
+			name:    "A 'Deny' rule preceding a 'Deny' rule should always take precedence",
+			license: grant.License{LicenseID: "BSD-3-Clause", SPDXExpression: "BSD-3-Clause"},
+			config: EvaluationConfig{
+				Policy: grant.Policy{
+					Rules: []grant.Rule{
+						{
+							Name:       "allow-bsd-licenses",
+							Glob:       glob.MustCompile("bsd-*"),
+							Exceptions: []glob.Glob{},
+							Mode:       grant.Allow,
+							Reason:     "BSD licenses are allowed",
+						},
+						{
+							Name:       "deny-all",
+							Glob:       glob.MustCompile("*"),
+							Exceptions: []glob.Glob{},
+							Mode:       grant.Deny,
+							Reason:     "No 'Allow' rule matched, unknown licenses are not allowed.",
+						},
+					},
+				},
+			},
+			wants: struct {
+				Pass    bool
+				Reasons []Reason
+			}{
+				Pass: true,
+				Reasons: []Reason{{
+					Detail:   ReasonLicenseAllowed,
+					RuleName: "allow-bsd-licenses",
+				}},
+			},
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			result := checkLicense(tc.config, &grant.Package{}, tc.license)
+			if tc.wants.Pass != result.Pass {
+				t.Errorf("Expected Pass to be %t, got %t", tc.wants.Pass, result.Pass)
+			}
+			if diff := cmp.Diff(tc.license, result.License); diff != "" {
+				t.Errorf("Mismatched 'License' field (-want +got):\n%s", diff)
+			}
+			if diff := cmp.Diff(tc.config.Policy, result.Policy); diff != "" {
+				t.Errorf("Mismatched 'Policy' field (-want +got):\n%s", diff)
+			}
+			if diff := cmp.Diff(tc.wants.Reasons, result.Reason); diff != "" {
+				t.Errorf("Mismatched 'Reasons' field (-want +got):\n%s", diff)
+			}
+		})
+	}
+}

grant/evalutation/license_evalutation.go

@@ -44,19 +44,6 @@ func checkSBOM(ec EvaluationConfig, sb sbom.SBOM) LicenseEvaluations {
 }
 
 func checkLicense(ec EvaluationConfig, pkg *grant.Package, l grant.License) LicenseEvaluation {
-	if !l.IsSPDX() && ec.CheckNonSPDX {
-		if denied, rule := ec.Policy.IsDenied(l, pkg); denied {
-			var reason Reason
-			if rule != nil {
-				reason = Reason{
-					Detail:   ReasonLicenseDeniedPolicy,
-					RuleName: rule.Name,
-				}
-			}
-			return NewLicenseEvaluation(l, pkg, ec.Policy, []Reason{reason}, false)
-		}
-	}
-
 	if ec.OsiApproved && l.IsSPDX() {
 		if !l.IsOsiApproved {
 			return NewLicenseEvaluation(l, pkg, ec.Policy, []Reason{{
@@ -65,20 +52,24 @@ func checkLicense(ec EvaluationConfig, pkg *grant.Package, l grant.License) Lice
 			}}, false)
 		}
 	}
-	if denied, rule := ec.Policy.IsDenied(l, pkg); denied {
-		var reason Reason
-		if rule != nil {
-			reason = Reason{
-				Detail:   ReasonLicenseDeniedPolicy,
-				RuleName: rule.Name,
-			}
-		}
-		return NewLicenseEvaluation(l, pkg, ec.Policy, []Reason{reason}, false)
+
+	isDenied, matchedRule := ec.Policy.IsDenied(l, pkg)
+
+	// By default, we allow unmatched rules.
+	detail := ReasonLicenseAllowed
+	ruleName := ""
+
+	if isDenied {
+		detail = ReasonLicenseDeniedPolicy
+	}
+	if matchedRule != nil {
+		ruleName = matchedRule.Name
 	}
 
 	return NewLicenseEvaluation(l, pkg, ec.Policy, []Reason{{
-		Detail: ReasonLicenseAllowed,
-	}}, true)
+		Detail:   detail,
+		RuleName: ruleName,
+	}}, !isDenied)
 }
 
 type LicenseEvaluations []LicenseEvaluation

grant/policy.go

@@ -50,6 +50,12 @@ func (p Policy) IsEmpty() bool {
 // IsDenied returns true if the given license is denied by the policy
 func (p Policy) IsDenied(license License, pkg *Package) (bool, *Rule) {
 	for _, rule := range p.Rules {
+		// ignore non spdx licenses if the rule is configured to not match on non spdx
+		isSPDX := license.IsSPDX()
+		matchNonSPDX := p.MatchNonSPDX
+		if !matchNonSPDX && !isSPDX {
+			continue
+		}
 		var toMatch string
 		if license.IsSPDX() {
 			toMatch = strings.ToLower(license.LicenseID)
@@ -62,7 +68,7 @@ func (p Policy) IsDenied(license License, pkg *Package) (bool, *Rule) {
 		if rule.Glob.Match(toMatch) && toMatch != "" {
 			var returnVal bool
 			// set the return value based on the rule mode
-			if rule.Mode == Allow {
+			if rule.Mode == Allow || rule.Mode == Ignore {
 				returnVal = false
 			} else {
 				returnVal = true
@@ -72,14 +78,18 @@ func (p Policy) IsDenied(license License, pkg *Package) (bool, *Rule) {
 			}
 			for _, exception := range rule.Exceptions {
 				if exception.Match(pkg.Name) {
-					// flip the return value based on the exception
-					returnVal = !returnVal
-
-					return returnVal, &rule
+					return rule.Mode != Deny, &rule
 				}
 			}
-			return returnVal, &rule
+			// true when Mode=Deny, false otherwise
+			return rule.Mode == Deny, &rule
 		}
 	}
 	return false, nil
 }
+
+// SetMatchNonSPDX updates the match option for the given policy
+func (p Policy) SetMatchNonSPDX(matchNonSPDX bool) Policy {
+	p.MatchNonSPDX = matchNonSPDX
+	return p
+}

grant/policy_test.go

@@ -75,7 +75,7 @@ func Test_NewPolicy(t *testing.T) {
 	}
 }
 
-func Test_Policy_DenyAll(t *testing.T) {
+func Test_Policy_IsDenied(t *testing.T) {
 	tests := []struct {
 		name string
 		p    Policy
@@ -101,6 +101,57 @@ func Test_Policy_DenyAll(t *testing.T) {
 				},
 			},
 		},
+
+		{
+			name: "Policy allowing all licenses",
+			p: Policy{
+				Rules: []Rule{{
+					Name:       "allow-all",
+					Glob:       glob.MustCompile("*"),
+					Exceptions: []glob.Glob{},
+					Mode:       Allow,
+					Reason:     "all licenses are allowed",
+				}},
+			},
+			want: struct {
+				denied bool
+				rule   *Rule
+			}{
+				denied: false,
+				rule: &Rule{
+					Name:       "allow-all",
+					Glob:       glob.MustCompile("*"),
+					Exceptions: []glob.Glob{},
+					Mode:       Allow,
+					Reason:     "all licenses are allowed",
+				},
+			},
+		},
+		{
+			name: "Policy ignoring all licenses",
+			p: Policy{
+				Rules: []Rule{{
+					Name:       "ignore-all",
+					Glob:       glob.MustCompile("*"),
+					Exceptions: []glob.Glob{},
+					Mode:       Ignore,
+					Reason:     "all licenses are ignored",
+				}},
+			},
+			want: struct {
+				denied bool
+				rule   *Rule
+			}{
+				denied: false,
+				rule: &Rule{
+					Name:       "ignore-all",
+					Glob:       glob.MustCompile("*"),
+					Exceptions: []glob.Glob{},
+					Mode:       Ignore,
+					Reason:     "all licenses are ignored",
+				},
+			},
+		},
 	}
 	for _, tc := range tests {
 		t.Run(tc.name, func(t *testing.T) {