[BackupSchedule] Cron library change #943

Open
ravi-shankar-sap opened this issue Jan 10, 2025 · 2 comments
@ravi-shankar-sap (Contributor):
Description
The current library github.com/gorhill/cronexpr uses the GPL 3.0 license.
As per SAP recommendations, GPL is prohibited.
Replace it with a library that has a more permissive license, e.g. https://github.com/adhocore/gronx


@ravi-shankar-sap (Contributor, Author):

The cronexpr library also supports the APL v2 license, so it is not required to change the library.

@ijovovic (Contributor):

Hi @ravi-shankar-sap,

Please have a look at the security ticket: https://itsm.services.sap/sp?id=ticket&table=sc_req_item&sys_id=e89cf9e02b9f92503011f8a76e91bfd3&view=sp

We also noticed that the requested FOSS component version, "gorhill-cronexpr:v0.0.0-20180427100037-88b0669f7d75", is dual licensed under Apache-2.0 and GPL-3.0-only (https://github.com/gorhill/cronexpr/tree/88b0669f7d75f171bd612b874e52b95c190218df#license), where the author has given the consumer of this FOSS the flexibility to choose either of the two licenses.

However, an in-depth analysis suggested that the files example_test.go and cronexpr/main.go are distributed under GPL-3.0-only, and Apache-2.0 is not applicable for these two files. We also believe that cronexpr/main.go significantly contributes to the functionality of the FOSS, without which the FOSS will not work as expected.

Therefore, the Declared License in our catalogue for this case has been chosen as GPL-3.0-only. (Please note that in the FOSS catalogue there can be only one Declared License for a FOSS component version, and in case of multiple licenses the most restrictive license will be chosen to ensure the highest level of due diligence.)

Now the question is: how exactly is this FOSS consumed in your application? Do you use the Cron expression parser as a utility? Or do you use the functionality provided by the parser in your application to do some sort of parsing?

Please explain your use case in detail based on which we can do more analysis before concluding on the final risk for your usage.

It seems that we will have to resolve it if we want to deploy to NS2 instances.
