kubevirt: FOSSA check failing due to vendored GPL 2.0 dependency from containerized-data-importer

What happened: A recent investigation of why the FOSSA check started to fail in kubevirt/kubevirt suggested that the dependency containerized-data-importer in v1.42.0 introduced a GPL 2.0 dependency. This license was also seen in v1.43.0, but later versions don’t show this dependency any more.

The issue appeared the first time with commit https://github.com/kubevirt/kubevirt/commit/110c61470840dba50f64aa61381f84848b9ce602 which first showed the FOSSA failure. But it was introduced with commit https://github.com/kubevirt/kubevirt/commit/90227f26c79dd9304e1ad63fa670628021fdc151

What you expected to happen: FOSSA check should not fail due to license issues caused by GPL 2.0 dependency.

How to reproduce it (as minimally and precisely as possible): See https://github.com/kubevirt/kubevirt/#fossa-status

Additional context: n/a

Environment:

  • KubeVirt version (use virtctl version): N/A
  • Kubernetes version (use kubectl version): N/A
  • VM or VMI specifications: N/A
  • Cloud provider or hardware configuration: N/A
  • OS (e.g. from /etc/os-release): N/A
  • Kernel (e.g. uname -a): N/A
  • Install tools: N/A
  • Others: N/A

About this issue

  • Original URL
  • State: closed
  • Created 2 years ago
  • Comments: 20 (20 by maintainers)

Most upvoted comments

Didn’t we around that time split the CDI API into its own separate repo, which would stop the import of the CDI dependencies and that is probably why this is no longer failing

+1
awels on Apr 14, 2022

FYI @fossedihelm

+1
dhiller on Apr 14, 2022
Read more comments on GitHub
← kubevirt: [flaky ci][ipv6 lane] command SyncVMI failed: LibvirtError qemu unexpectedly closed the monitor KVM: Cannot allocate memory
kubevirt: ghost record not cleanup properly causes error to find the correct launcher client →