[BUG] unexpected addition of AND NOASSERTION to license when updating pywin32-ctypes #818

Open
altendky opened this issue Aug 19, 2024 · 3 comments
Labels
bug Something isn't working

altendky commented Aug 19, 2024

Describe the bug

When updating to pypi/pywin32-ctypes@0.2.3 from 0.2.2 the license is identified as BSD-3-Clause AND NOASSERTION instead of BSD-3-Clause. The NOASSERTION is causing an unwanted failure.

I have looked at the repo (https://github.com/enthought/pywin32-ctypes/compare/v0.2.2..v0.2.3) and I am unclear what is triggering the new AND NOASSERTION. I also looked at the wheels on PyPI and did not identify any seemingly relevant changes around the license metadata or file.

To Reproduce

Chia-Network/chia-blockchain#18497

https://github.com/Chia-Network/chia-blockchain/actions/runs/10457582039/job/28957737729?pr=18497#step:3:23

full debug log
2024-08-19T16:59:49.6490327Z ##[debug]Starting: dependency-review
2024-08-19T16:59:49.6514885Z ##[debug]Cleaning runner temp folder: /home/runner/work/_temp
2024-08-19T16:59:49.6762517Z ##[debug]Starting: Set up job
2024-08-19T16:59:49.6763127Z Current runner version: '2.319.1'
2024-08-19T16:59:49.6783509Z ##[group]Operating System
2024-08-19T16:59:49.6784110Z Ubuntu
2024-08-19T16:59:49.6784414Z 22.04.4
2024-08-19T16:59:49.6784854Z LTS
2024-08-19T16:59:49.6785215Z ##[endgroup]
2024-08-19T16:59:49.6785568Z ##[group]Runner Image
2024-08-19T16:59:49.6786083Z Image: ubuntu-22.04
2024-08-19T16:59:49.6786481Z Version: 20240811.1.0
2024-08-19T16:59:49.6787440Z Included Software: https://github.com/actions/runner-images/blob/ubuntu22/20240811.1/images/ubuntu/Ubuntu2204-Readme.md
2024-08-19T16:59:49.6788990Z Image Release: https://github.com/actions/runner-images/releases/tag/ubuntu22%2F20240811.1
2024-08-19T16:59:49.6789865Z ##[endgroup]
2024-08-19T16:59:49.6790223Z ##[group]Runner Image Provisioner
2024-08-19T16:59:49.6790807Z 2.0.374.1
2024-08-19T16:59:49.6791286Z ##[endgroup]
2024-08-19T16:59:49.6805669Z ##[group]GITHUB_TOKEN Permissions
2024-08-19T16:59:49.6807511Z Contents: read
2024-08-19T16:59:49.6807953Z Metadata: read
2024-08-19T16:59:49.6808422Z ##[endgroup]
2024-08-19T16:59:49.6811336Z Secret source: Actions
2024-08-19T16:59:49.6812064Z ##[debug]Primary repository: Chia-Network/chia-blockchain
2024-08-19T16:59:49.6812935Z Prepare workflow directory
2024-08-19T16:59:49.6877395Z ##[debug]Creating pipeline directory: '/home/runner/work/chia-blockchain'
2024-08-19T16:59:49.6880774Z ##[debug]Creating workspace directory: '/home/runner/work/chia-blockchain/chia-blockchain'
2024-08-19T16:59:49.6882366Z ##[debug]Update context data
2024-08-19T16:59:49.6886110Z ##[debug]Evaluating job-level environment variables
2024-08-19T16:59:49.7359010Z ##[debug]Evaluating job container
2024-08-19T16:59:49.7362519Z ##[debug]Evaluating job service containers
2024-08-19T16:59:49.7364945Z ##[debug]Evaluating job defaults
2024-08-19T16:59:49.7433854Z Prepare all required actions
2024-08-19T16:59:49.7590136Z Getting action download info
2024-08-19T16:59:49.8921376Z Download action repository 'actions/checkout@v4' (SHA:692973e3d937129bcbf40652eb9f2f61becf3332)
2024-08-19T16:59:49.8952886Z ##[debug]Copied action archive '/opt/actionarchivecache/actions_checkout/692973e3d937129bcbf40652eb9f2f61becf3332.tar.gz' to '/home/runner/work/_actions/_temp_981fe7ed-58e3-4028-8247-1778e7a0d0d4/4694cf47-31bf-4bd1-a06b-9c859244b0b0.tar.gz'
2024-08-19T16:59:49.9583945Z ##[debug]Unwrap 'actions-checkout-692973e' to '/home/runner/work/_actions/actions/checkout/v4'
2024-08-19T16:59:49.9736204Z ##[debug]Archive '/home/runner/work/_actions/_temp_981fe7ed-58e3-4028-8247-1778e7a0d0d4/4694cf47-31bf-4bd1-a06b-9c859244b0b0.tar.gz' has been unzipped into '/home/runner/work/_actions/actions/checkout/v4'.
2024-08-19T16:59:49.9861554Z Download action repository 'actions/dependency-review-action@v4' (SHA:5a2ce3f5b92ee19cbb1541a4984c76d921601d7c)
2024-08-19T16:59:50.1604332Z ##[debug]Download 'https://api.github.com/repos/actions/dependency-review-action/tarball/5a2ce3f5b92ee19cbb1541a4984c76d921601d7c' to '/home/runner/work/_actions/_temp_f4ea4caf-9d93-45e6-b4cd-a2975c38cd83/99ed79c9-9e65-430d-9e9f-6045d26218b4.tar.gz'
2024-08-19T16:59:50.1940611Z ##[debug]Unwrap 'actions-dependency-review-action-5a2ce3f' to '/home/runner/work/_actions/actions/dependency-review-action/v4'
2024-08-19T16:59:50.2087386Z ##[debug]Archive '/home/runner/work/_actions/_temp_f4ea4caf-9d93-45e6-b4cd-a2975c38cd83/99ed79c9-9e65-430d-9e9f-6045d26218b4.tar.gz' has been unzipped into '/home/runner/work/_actions/actions/dependency-review-action/v4'.
2024-08-19T16:59:50.2186197Z ##[debug]action.yml for action: '/home/runner/work/_actions/actions/checkout/v4/action.yml'.
2024-08-19T16:59:50.3381113Z ##[debug]action.yml for action: '/home/runner/work/_actions/actions/dependency-review-action/v4/action.yml'.
2024-08-19T16:59:50.3570294Z ##[debug]Set step '__actions_checkout' display name to: 'Checkout Repository'
2024-08-19T16:59:50.3573228Z ##[debug]Set step '__actions_dependency-review-action' display name to: 'Dependency Review'
2024-08-19T16:59:50.3574774Z Complete job name: dependency-review
2024-08-19T16:59:50.3589127Z ##[debug]Collect running processes for tracking orphan processes.
2024-08-19T16:59:50.3821824Z ##[debug]Finishing: Set up job
2024-08-19T16:59:50.4017860Z ##[debug]Evaluating condition for step: 'Checkout Repository'
2024-08-19T16:59:50.4063629Z ##[debug]Evaluating: success()
2024-08-19T16:59:50.4069305Z ##[debug]Evaluating success:
2024-08-19T16:59:50.4092717Z ##[debug]=> true
2024-08-19T16:59:50.4099431Z ##[debug]Result: true
2024-08-19T16:59:50.4133542Z ##[debug]Starting: Checkout Repository
2024-08-19T16:59:50.4248706Z ##[debug]Register post job cleanup for action: actions/checkout@v4
2024-08-19T16:59:50.4351659Z ##[debug]Loading inputs
2024-08-19T16:59:50.4359802Z ##[debug]Evaluating: github.repository
2024-08-19T16:59:50.4361067Z ##[debug]Evaluating Index:
2024-08-19T16:59:50.4363442Z ##[debug]..Evaluating github:
2024-08-19T16:59:50.4364729Z ##[debug]..=> Object
2024-08-19T16:59:50.4376648Z ##[debug]..Evaluating String:
2024-08-19T16:59:50.4377740Z ##[debug]..=> 'repository'
2024-08-19T16:59:50.4381969Z ##[debug]=> 'Chia-Network/chia-blockchain'
2024-08-19T16:59:50.4383781Z ##[debug]Result: 'Chia-Network/chia-blockchain'
2024-08-19T16:59:50.4386974Z ##[debug]Evaluating: github.token
2024-08-19T16:59:50.4387613Z ##[debug]Evaluating Index:
2024-08-19T16:59:50.4388075Z ##[debug]..Evaluating github:
2024-08-19T16:59:50.4388660Z ##[debug]..=> Object
2024-08-19T16:59:50.4389123Z ##[debug]..Evaluating String:
2024-08-19T16:59:50.4389638Z ##[debug]..=> 'token'
2024-08-19T16:59:50.4390474Z ##[debug]=> '***'
2024-08-19T16:59:50.4391072Z ##[debug]Result: '***'
2024-08-19T16:59:50.4407209Z ##[debug]Loading env
2024-08-19T16:59:50.4498140Z ##[group]Run actions/checkout@v4
2024-08-19T16:59:50.4498719Z with:
2024-08-19T16:59:50.4499215Z   repository: Chia-Network/chia-blockchain
2024-08-19T16:59:50.4500287Z   token: ***
2024-08-19T16:59:50.4500708Z   ssh-strict: true
2024-08-19T16:59:50.4501172Z   ssh-user: git
2024-08-19T16:59:50.4501582Z   persist-credentials: true
2024-08-19T16:59:50.4502032Z   clean: true
2024-08-19T16:59:50.4502484Z   sparse-checkout-cone-mode: true
2024-08-19T16:59:50.4502988Z   fetch-depth: 1
2024-08-19T16:59:50.4503393Z   fetch-tags: false
2024-08-19T16:59:50.4503826Z   show-progress: true
2024-08-19T16:59:50.4504238Z   lfs: false
2024-08-19T16:59:50.4504632Z   submodules: false
2024-08-19T16:59:50.4505063Z   set-safe-directory: true
2024-08-19T16:59:50.4505507Z ##[endgroup]
2024-08-19T16:59:50.6696489Z ##[debug]GITHUB_WORKSPACE = '/home/runner/work/chia-blockchain/chia-blockchain'
2024-08-19T16:59:50.6699959Z ##[debug]qualified repository = 'Chia-Network/chia-blockchain'
2024-08-19T16:59:50.6702179Z ##[debug]ref = 'refs/pull/18497/merge'
2024-08-19T16:59:50.6704281Z ##[debug]commit = 'd33b7a970b92141dfe40076cba2f18ac3cb4966d'
2024-08-19T16:59:50.6706187Z ##[debug]clean = true
2024-08-19T16:59:50.6707839Z ##[debug]filter = undefined
2024-08-19T16:59:50.6709489Z ##[debug]fetch depth = 1
2024-08-19T16:59:50.6711233Z ##[debug]fetch tags = false
2024-08-19T16:59:50.6712788Z ##[debug]show progress = true
2024-08-19T16:59:50.6722059Z ##[debug]lfs = false
2024-08-19T16:59:50.6725347Z ##[debug]submodules = false
2024-08-19T16:59:50.6728880Z ##[debug]recursive submodules = false
2024-08-19T16:59:50.6730660Z ##[debug]GitHub Host URL = 
2024-08-19T16:59:50.6733623Z ::add-matcher::/home/runner/work/_actions/actions/checkout/v4/dist/problem-matcher.json
2024-08-19T16:59:50.6873884Z ##[debug]Added matchers: 'checkout-git'. Problem matchers scan action output for known warning or error strings and report these inline.
2024-08-19T16:59:50.6887057Z Syncing repository: Chia-Network/chia-blockchain
2024-08-19T16:59:50.6889504Z ::group::Getting Git version info
2024-08-19T16:59:50.6891612Z ##[group]Getting Git version info
2024-08-19T16:59:50.6893264Z Working directory is '/home/runner/work/chia-blockchain/chia-blockchain'
2024-08-19T16:59:50.6895953Z ##[debug]Getting git version
2024-08-19T16:59:50.6896921Z [command]/usr/bin/git version
2024-08-19T16:59:50.6897964Z git version 2.46.0
2024-08-19T16:59:50.6899330Z ##[debug]0
2024-08-19T16:59:50.6901107Z ##[debug]git version 2.46.0
2024-08-19T16:59:50.6901994Z ##[debug]
2024-08-19T16:59:50.6904105Z ##[debug]Set git useragent to: git/2.46.0 (github-actions-checkout)
2024-08-19T16:59:50.6906226Z ::endgroup::
2024-08-19T16:59:50.6906966Z ##[endgroup]
2024-08-19T16:59:50.6923192Z ::add-mask::***
2024-08-19T16:59:50.6926491Z Temporarily overriding HOME='/home/runner/work/_temp/6c56c229-8f01-4418-a875-91c4f7ec71e1' before making global git config changes
2024-08-19T16:59:50.6929681Z Adding repository directory to the temporary git global config as a safe directory
2024-08-19T16:59:50.6932401Z [command]/usr/bin/git config --global --add safe.directory /home/runner/work/chia-blockchain/chia-blockchain
2024-08-19T16:59:50.6935182Z ##[debug]0
2024-08-19T16:59:50.6936528Z ##[debug]
2024-08-19T16:59:50.6938121Z Deleting the contents of '/home/runner/work/chia-blockchain/chia-blockchain'
2024-08-19T16:59:50.6941373Z ::group::Initializing the repository
2024-08-19T16:59:50.6943045Z ##[group]Initializing the repository
2024-08-19T16:59:50.6946122Z [command]/usr/bin/git init /home/runner/work/chia-blockchain/chia-blockchain
2024-08-19T16:59:50.7043894Z hint: Using 'master' as the name for the initial branch. This default branch name
2024-08-19T16:59:50.7045493Z hint: is subject to change. To configure the initial branch name to use in all
2024-08-19T16:59:50.7047066Z hint: of your new repositories, which will suppress this warning, call:
2024-08-19T16:59:50.7048084Z hint:
2024-08-19T16:59:50.7048692Z hint: 	git config --global init.defaultBranch <name>
2024-08-19T16:59:50.7049606Z hint:
2024-08-19T16:59:50.7050281Z hint: Names commonly chosen instead of 'master' are 'main', 'trunk' and
2024-08-19T16:59:50.7052430Z hint: 'development'. The just-created branch can be renamed via this command:
2024-08-19T16:59:50.7054206Z hint:
2024-08-19T16:59:50.7055054Z hint: 	git branch -m <name>
2024-08-19T16:59:50.7056940Z Initialized empty Git repository in /home/runner/work/chia-blockchain/chia-blockchain/.git/
2024-08-19T16:59:50.7061463Z ##[debug]0
2024-08-19T16:59:50.7063738Z ##[debug]Initialized empty Git repository in /home/runner/work/chia-blockchain/chia-blockchain/.git/
2024-08-19T16:59:50.7065747Z ##[debug]
2024-08-19T16:59:50.7067360Z [command]/usr/bin/git remote add origin https://github.com/Chia-Network/chia-blockchain
2024-08-19T16:59:50.7103469Z ##[debug]0
2024-08-19T16:59:50.7104715Z ##[debug]
2024-08-19T16:59:50.7106154Z ::endgroup::
2024-08-19T16:59:50.7106863Z ##[endgroup]
2024-08-19T16:59:50.7108425Z ::group::Disabling automatic garbage collection
2024-08-19T16:59:50.7109900Z ##[group]Disabling automatic garbage collection
2024-08-19T16:59:50.7111323Z [command]/usr/bin/git config --local gc.auto 0
2024-08-19T16:59:50.7142218Z ##[debug]0
2024-08-19T16:59:50.7143523Z ##[debug]
2024-08-19T16:59:50.7145001Z ::endgroup::
2024-08-19T16:59:50.7145773Z ##[endgroup]
2024-08-19T16:59:50.7147213Z ::group::Setting up auth
2024-08-19T16:59:50.7148130Z ##[group]Setting up auth
2024-08-19T16:59:50.7152208Z [command]/usr/bin/git config --local --name-only --get-regexp core\.sshCommand
2024-08-19T16:59:50.7180394Z ##[debug]1
2024-08-19T16:59:50.7181639Z ##[debug]
2024-08-19T16:59:50.7187617Z [command]/usr/bin/git submodule foreach --recursive sh -c "git config --local --name-only --get-regexp 'core\.sshCommand' && git config --local --unset-all 'core.sshCommand' || :"
2024-08-19T16:59:50.7547355Z ##[debug]0
2024-08-19T16:59:50.7548862Z ##[debug]
2024-08-19T16:59:50.7554373Z [command]/usr/bin/git config --local --name-only --get-regexp http\.https\:\/\/github\.com\/\.extraheader
2024-08-19T16:59:50.7582739Z ##[debug]1
2024-08-19T16:59:50.7583959Z ##[debug]
2024-08-19T16:59:50.7588950Z [command]/usr/bin/git submodule foreach --recursive sh -c "git config --local --name-only --get-regexp 'http\.https\:\/\/github\.com\/\.extraheader' && git config --local --unset-all 'http.https://github.com/.extraheader' || :"
2024-08-19T16:59:50.7823339Z ##[debug]0
2024-08-19T16:59:50.7824208Z ##[debug]
2024-08-19T16:59:50.7835132Z [command]/usr/bin/git config --local http.https://github.com/.extraheader AUTHORIZATION: basic ***
2024-08-19T16:59:50.7867138Z ##[debug]0
2024-08-19T16:59:50.7868264Z ##[debug]
2024-08-19T16:59:50.7876598Z ::endgroup::
2024-08-19T16:59:50.7877373Z ##[endgroup]
2024-08-19T16:59:50.7878245Z ::group::Fetching the repository
2024-08-19T16:59:50.7878903Z ##[group]Fetching the repository
2024-08-19T16:59:50.7889853Z [command]/usr/bin/git -c protocol.version=2 fetch --no-tags --prune --no-recurse-submodules --depth=1 origin +d33b7a970b92141dfe40076cba2f18ac3cb4966d:refs/remotes/pull/18497/merge
2024-08-19T16:59:51.6377128Z From https://github.com/Chia-Network/chia-blockchain
2024-08-19T16:59:51.6378122Z  * [new ref]         d33b7a970b92141dfe40076cba2f18ac3cb4966d -> pull/18497/merge
2024-08-19T16:59:51.6400994Z ##[debug]0
2024-08-19T16:59:51.6402027Z ##[debug]
2024-08-19T16:59:51.6402968Z ::endgroup::
2024-08-19T16:59:51.6403574Z ##[endgroup]
2024-08-19T16:59:51.6404458Z ::group::Determining the checkout info
2024-08-19T16:59:51.6404890Z ##[group]Determining the checkout info
2024-08-19T16:59:51.6405497Z ::endgroup::
2024-08-19T16:59:51.6405925Z ##[endgroup]
2024-08-19T16:59:51.6408401Z [command]/usr/bin/git sparse-checkout disable
2024-08-19T16:59:51.6445535Z ##[debug]0
2024-08-19T16:59:51.6446138Z ##[debug]
2024-08-19T16:59:51.6449379Z [command]/usr/bin/git config --local --unset-all extensions.worktreeConfig
2024-08-19T16:59:51.6475840Z ##[debug]0
2024-08-19T16:59:51.6476580Z ##[debug]
2024-08-19T16:59:51.6477239Z ::group::Checking out the ref
2024-08-19T16:59:51.6477632Z ##[group]Checking out the ref
2024-08-19T16:59:51.6480351Z [command]/usr/bin/git checkout --progress --force refs/remotes/pull/18497/merge
2024-08-19T16:59:51.7391851Z Note: switching to 'refs/remotes/pull/18497/merge'.
2024-08-19T16:59:51.7392517Z 
2024-08-19T16:59:51.7392979Z You are in 'detached HEAD' state. You can look around, make experimental
2024-08-19T16:59:51.7393945Z changes and commit them, and you can discard any commits you make in this
2024-08-19T16:59:51.7394743Z state without impacting any branches by switching back to a branch.
2024-08-19T16:59:51.7395175Z 
2024-08-19T16:59:51.7395506Z If you want to create a new branch to retain commits you create, you may
2024-08-19T16:59:51.7396666Z do so (now or later) by using -c with the switch command. Example:
2024-08-19T16:59:51.7397401Z 
2024-08-19T16:59:51.7397780Z   git switch -c <new-branch-name>
2024-08-19T16:59:51.7398258Z 
2024-08-19T16:59:51.7398569Z Or undo this operation with:
2024-08-19T16:59:51.7399119Z 
2024-08-19T16:59:51.7399370Z   git switch -
2024-08-19T16:59:51.7399747Z 
2024-08-19T16:59:51.7400265Z Turn off this advice by setting config variable advice.detachedHead to false
2024-08-19T16:59:51.7401042Z 
2024-08-19T16:59:51.7401826Z HEAD is now at d33b7a9 Merge 25f22c8015ae62c58c5e0335e4340f6cde1f1fc3 into b1893c7f8dcd760854e7e49cb32f58e8ecc12142
2024-08-19T16:59:51.7403937Z ##[debug]0
2024-08-19T16:59:51.7404800Z ##[debug]
2024-08-19T16:59:51.7405816Z ::endgroup::
2024-08-19T16:59:51.7406391Z ##[endgroup]
2024-08-19T16:59:51.7436900Z ##[debug]0
2024-08-19T16:59:51.7438415Z ##[debug]commit d33b7a970b92141dfe40076cba2f18ac3cb4966d
2024-08-19T16:59:51.7439519Z ##[debug]Author: Kyle Altendorf <[email protected]>
2024-08-19T16:59:51.7440365Z ##[debug]Date:   Mon Aug 19 12:54:42 2024 -0400
2024-08-19T16:59:51.7441178Z ##[debug]
2024-08-19T16:59:51.7442292Z ##[debug]    Merge 25f22c8015ae62c58c5e0335e4340f6cde1f1fc3 into b1893c7f8dcd760854e7e49cb32f58e8ecc12142
2024-08-19T16:59:51.7443386Z ##[debug]
2024-08-19T16:59:51.7444112Z [command]/usr/bin/git log -1 --format='%H'
2024-08-19T16:59:51.7465425Z 'd33b7a970b92141dfe40076cba2f18ac3cb4966d'
2024-08-19T16:59:51.7470481Z ##[debug]0
2024-08-19T16:59:51.7471720Z ##[debug]'d33b7a970b92141dfe40076cba2f18ac3cb4966d'
2024-08-19T16:59:51.7472454Z ##[debug]
2024-08-19T16:59:51.7474842Z ##[debug]Unsetting HOME override
2024-08-19T16:59:51.7491661Z ::remove-matcher owner=checkout-git::
2024-08-19T16:59:51.7517541Z ##[debug]Removed matchers: 'checkout-git'
2024-08-19T16:59:51.7561223Z ##[debug]Node Action run completed with exit code 0
2024-08-19T16:59:51.7674581Z ##[debug]Save intra-action state isPost = true
2024-08-19T16:59:51.7675358Z ##[debug]Save intra-action state setSafeDirectory = true
2024-08-19T16:59:51.7676146Z ##[debug]Save intra-action state repositoryPath = /home/runner/work/chia-blockchain/chia-blockchain
2024-08-19T16:59:51.7686047Z ##[debug]Finishing: Checkout Repository
2024-08-19T16:59:51.7698189Z ##[debug]Evaluating condition for step: 'Dependency Review'
2024-08-19T16:59:51.7701634Z ##[debug]Evaluating: success()
2024-08-19T16:59:51.7702362Z ##[debug]Evaluating success:
2024-08-19T16:59:51.7702953Z ##[debug]=> true
2024-08-19T16:59:51.7703685Z ##[debug]Result: true
2024-08-19T16:59:51.7704552Z ##[debug]Starting: Dependency Review
2024-08-19T16:59:51.7755214Z ##[debug]Loading inputs
2024-08-19T16:59:51.7785801Z ##[debug]Evaluating: github.token
2024-08-19T16:59:51.7786277Z ##[debug]Evaluating Index:
2024-08-19T16:59:51.7786820Z ##[debug]..Evaluating github:
2024-08-19T16:59:51.7787211Z ##[debug]..=> Object
2024-08-19T16:59:51.7787576Z ##[debug]..Evaluating String:
2024-08-19T16:59:51.7788062Z ##[debug]..=> 'token'
2024-08-19T16:59:51.7788725Z ##[debug]=> '***'
2024-08-19T16:59:51.7789265Z ##[debug]Result: '***'
2024-08-19T16:59:51.7800340Z ##[debug]Loading env
2024-08-19T16:59:51.7806901Z ##[group]Run actions/dependency-review-action@v4
2024-08-19T16:59:51.7807351Z with:
2024-08-19T16:59:51.7807960Z   allow-dependencies-licenses: pkg:pypi/pylint, pkg:pypi/pyinstaller
2024-08-19T16:59:51.7809111Z   deny-licenses: AGPL-1.0-only, AGPL-1.0-or-later, AGPL-1.0-or-later, AGPL-3.0-or-later, GPL-1.0-only, GPL-1.0-or-later, GPL-2.0-only, GPL-2.0-or-later, GPL-3.0-only, GPL-3.0-or-later
2024-08-19T16:59:51.7810325Z   repo-token: ***
2024-08-19T16:59:51.7810659Z ##[endgroup]
2024-08-19T16:59:53.0989759Z ##[debug]Filtered Changes: [{"change_type":"added","manifest":"poetry.lock","ecosystem":"pip","name":"pywin32-ctypes","version":"0.2.3","package_url":"pkg:pypi/pywin32-ctypes@0.2.3","license":"BSD-3-Clause AND NOASSERTION","source_repository_url":"https://github.com/enthought/pywin32-ctypes","scope":"runtime","vulnerabilities":[]},{"change_type":"removed","manifest":"poetry.lock","ecosystem":"pip","name":"pywin32-ctypes","version":"0.2.2","package_url":"pkg:pypi/pywin32-ctypes@0.2.2","license":"BSD-3-Clause","source_repository_url":"https://github.com/enthought/pywin32-ctypes","scope":"runtime","vulnerabilities":[]}]
2024-08-19T16:59:53.0995843Z ##[debug]Config Deny Packages: {"fail_on_severity":"low","fail_on_scopes":["runtime"],"deny_licenses":["AGPL-1.0-only","AGPL-1.0-or-later","AGPL-1.0-or-later","AGPL-3.0-or-later","GPL-1.0-only","GPL-1.0-or-later","GPL-2.0-only","GPL-2.0-or-later","GPL-3.0-only","GPL-3.0-or-later"],"allow_dependencies_licenses":["pkg:pypi/pylint","pkg:pypi/pyinstaller"],"allow_ghsas":[],"deny_packages":[],"deny_groups":[],"license_check":true,"vulnerability_check":true,"retry_on_snapshot_warnings":false,"retry_on_snapshot_warnings_timeout":120,"show_openssf_scorecard":true,"warn_on_openssf_scorecard_level":3,"comment_summary_in_pr":"never","warn_only":false}
2024-08-19T16:59:53.0998460Z Dependency review did not detect any denied packages
2024-08-19T16:59:53.4468363Z ::group::Vulnerabilities
2024-08-19T16:59:53.4469218Z ##[group]Vulnerabilities
2024-08-19T16:59:53.4470535Z Dependency review did not detect any vulnerable packages with severity level "low" or higher.
2024-08-19T16:59:53.4473638Z ##[debug]found 0 unknown licenses
2024-08-19T16:59:53.4475044Z ##[debug]1 licenses could not be validated
2024-08-19T16:59:53.4476304Z ::group::Licenses
2024-08-19T16:59:53.4476855Z ##[group]Licenses
2024-08-19T16:59:53.4509288Z ##[warning]
The validity of the licenses of the dependencies below could not be determined. Ensure that they are valid SPDX licenses:
2024-08-19T16:59:53.4517549Z poetry.lock » pywin32-ctypes@0.2.3 – License: BSD-3-Clause AND NOASSERTION
2024-08-19T16:59:53.4520422Z ##[error]Dependency review could not detect the validity of all licenses.
2024-08-19T16:59:53.4521878Z ::group::Denied
2024-08-19T16:59:53.4522224Z ##[group]Denied
2024-08-19T16:59:53.4522842Z ##[debug]Adding scorecard to summary
2024-08-19T16:59:53.4523488Z ##[debug]Overall score 4.2
2024-08-19T16:59:53.4524102Z ::group::Scorecard
2024-08-19T16:59:53.4524415Z ##[group]Scorecard
2024-08-19T16:59:53.4524899Z pip/pywin32-ctypes: OpenSSF Scorecard Score: 4.2
2024-08-19T16:59:53.4525916Z ::group::Dependency Changes
2024-08-19T16:59:53.4526309Z ##[group]Dependency Changes
2024-08-19T16:59:53.4526688Z File: poetry.lock
2024-08-19T16:59:53.4527318Z + pywin32-ctypes@0.2.3
2024-08-19T16:59:53.4527744Z - pywin32-ctypes@0.2.2
2024-08-19T16:59:53.4528419Z ::endgroup::
2024-08-19T16:59:53.4528692Z ##[endgroup]
2024-08-19T16:59:53.4529199Z ::endgroup::
2024-08-19T16:59:53.4529650Z ##[endgroup]
2024-08-19T16:59:53.4530150Z ::endgroup::
2024-08-19T16:59:53.4530514Z ##[endgroup]
2024-08-19T16:59:53.4531002Z ::endgroup::
2024-08-19T16:59:53.4531277Z ##[endgroup]
2024-08-19T16:59:53.4531826Z ::endgroup::
2024-08-19T16:59:53.4532138Z ##[endgroup]
2024-08-19T16:59:53.4570679Z ##[debug]Node Action run completed with exit code 1
2024-08-19T16:59:53.4599509Z ##[debug]Set output vulnerable-changes = []
2024-08-19T16:59:53.4601392Z ##[debug]Set output invalid-license-changes = {"unlicensed":[],"unresolved":[{"change_type":"added","manifest":"poetry.lock","ecosystem":"pip","name":"pywin32-ctypes","version":"0.2.3","package_url":"pkg:pypi/pywin32-ctypes@0.2.3","license":"BSD-3-Clause AND NOASSERTION","source_repository_url":"https://github.com/enthought/pywin32-ctypes","scope":"runtime","vulnerabilities":[]}],"forbidden":[]}
2024-08-19T16:59:53.4603253Z ##[debug]Set output denied-changes = []
2024-08-19T16:59:53.4605894Z ##[debug]Set output dependency-changes = [{"change_type":"added","manifest":"poetry.lock","ecosystem":"pip","name":"pywin32-ctypes","version":"0.2.3","package_url":"pkg:pypi/pywin32-ctypes@0.2.3","license":"BSD-3-Clause AND NOASSERTION","source_repository_url":"https://github.com/enthought/pywin32-ctypes","scope":"runtime","vulnerabilities":[]},{"change_type":"removed","manifest":"poetry.lock","ecosystem":"pip","name":"pywin32-ctypes","version":"0.2.2","package_url":"pkg:pypi/pywin32-ctypes@0.2.2","license":"BSD-3-Clause","source_repository_url":"https://github.com/enthought/pywin32-ctypes","scope":"runtime","vulnerabilities":[]}]
2024-08-19T16:59:53.4608803Z ##[debug]Set output comment-content = <h1>Dependency Review</h1>
2024-08-19T16:59:53.4610094Z ##[debug]The following issues were found:<ul><li>✅ 0 vulnerable package(s)</li><li>✅ 0 package(s) with incompatible licenses</li><li>❌ 1 package(s) with invalid SPDX license definitions</li><li>✅ 0 package(s) with unknown licenses.</li></ul>
2024-08-19T16:59:53.4611362Z ##[debug]See the Details below.<h2>License Issues</h2>
2024-08-19T16:59:53.4611831Z ##[debug]<h4><em>poetry.lock</em></h4>
2024-08-19T16:59:53.4613086Z ##[debug]<table><tr><td>Package</td><td>Version</td><td>License</td><td>Issue Type</td></tr><tr><td><a href="https://github.com/enthought/pywin32-ctypes">pywin32-ctypes</a></td><td>0.2.3</td><td>BSD-3-Clause AND NOASSERTION</td><td>Invalid SPDX License</td></tr></table>
2024-08-19T16:59:53.4615198Z ##[debug]<blockquote><strong>Denied Licenses</strong>: AGPL-1.0-only, AGPL-1.0-or-later, AGPL-1.0-or-later, AGPL-3.0-or-later, GPL-1.0-only, GPL-1.0-or-later, GPL-2.0-only, GPL-2.0-or-later, GPL-3.0-only, GPL-3.0-or-later</blockquote>
2024-08-19T16:59:53.4616668Z ##[debug]<blockquote><strong>Excluded from license check</strong>: pkg:pypi/pylint, pkg:pypi/pyinstaller</blockquote>
2024-08-19T16:59:53.4617385Z ##[debug]<h2>OpenSSF Scorecard</h2>
2024-08-19T16:59:53.4618000Z ##[debug]<table><tr><th>Package</th><th>Version</th><th>Score</th><th>Details</th></tr>
2024-08-19T16:59:53.4618870Z ##[debug]<tr><td><a href="https://github.com/enthought/pywin32-ctypes"> pip/pywin32-ctypes </a></td><td>0.2.3</td>
2024-08-19T16:59:53.4626690Z ##[debug]      <td>:green_circle: 4.2</td><td><details><summary>Details</summary><table><tr><th>Check</th><th>Score</th><th>Reason</th></tr><tr><td>Code-Review</td><td>:warning: 0</td><td>Found 0/30 approved changesets -- score normalized to 0</td></tr><tr><td>Maintained</td><td>:green_circle: 4</td><td>3 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 4</td></tr><tr><td>CII-Best-Practices</td><td>:warning: 0</td><td>no effort to earn an OpenSSF best practices badge detected</td></tr><tr><td>License</td><td>:green_circle: 9</td><td>license file detected</td></tr><tr><td>Signed-Releases</td><td>:warning: -1</td><td>no releases found</td></tr><tr><td>Dangerous-Workflow</td><td>:green_circle: 10</td><td>no dangerous workflow patterns detected</td></tr><tr><td>Token-Permissions</td><td>:warning: 0</td><td>detected GitHub workflow tokens with excessive permissions</td></tr><tr><td>Binary-Artifacts</td><td>:green_circle: 10</td><td>no binaries found in the repo</td></tr><tr><td>Packaging</td><td>:warning: -1</td><td>packaging workflow not detected</td></tr><tr><td>Pinned-Dependencies</td><td>:warning: 0</td><td>dependency not pinned by hash detected -- score normalized to 0</td></tr><tr><td>Branch-Protection</td><td>:warning: -1</td><td>internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration</td></tr><tr><td>Security-Policy</td><td>:warning: 0</td><td>security policy file not detected</td></tr><tr><td>Vulnerabilities</td><td>:green_circle: 10</td><td>0 existing vulnerabilities detected</td></tr><tr><td>Fuzzing</td><td>:warning: 0</td><td>project is not fuzzed</td></tr><tr><td>SAST</td><td>:warning: 0</td><td>SAST tool is not run on all commits -- score normalized to 0</td></tr></table></details></td></tr>
2024-08-19T16:59:53.4633833Z ##[debug]</table><h2>Scanned Manifest Files</h2>
2024-08-19T16:59:53.4634662Z ##[debug]<details><summary>poetry.lock</summary><ul><li>[email protected]</li><li>[email protected]</li></ul></details>
2024-08-19T16:59:53.4635370Z ##[debug]
2024-08-19T16:59:53.4637932Z ##[debug]Finishing: Dependency Review
2024-08-19T16:59:53.4656855Z ##[debug]Evaluating condition for step: 'Post Checkout Repository'
2024-08-19T16:59:53.4659281Z ##[debug]Evaluating: always()
2024-08-19T16:59:53.4660191Z ##[debug]Evaluating always:
2024-08-19T16:59:53.4661243Z ##[debug]=> true
2024-08-19T16:59:53.4662019Z ##[debug]Result: true
2024-08-19T16:59:53.4662941Z ##[debug]Starting: Post Checkout Repository
2024-08-19T16:59:53.4705092Z ##[debug]Loading inputs
2024-08-19T16:59:53.4706308Z ##[debug]Evaluating: github.repository
2024-08-19T16:59:53.4706728Z ##[debug]Evaluating Index:
2024-08-19T16:59:53.4707115Z ##[debug]..Evaluating github:
2024-08-19T16:59:53.4707616Z ##[debug]..=> Object
2024-08-19T16:59:53.4707984Z ##[debug]..Evaluating String:
2024-08-19T16:59:53.4708336Z ##[debug]..=> 'repository'
2024-08-19T16:59:53.4708878Z ##[debug]=> 'Chia-Network/chia-blockchain'
2024-08-19T16:59:53.4709369Z ##[debug]Result: 'Chia-Network/chia-blockchain'
2024-08-19T16:59:53.4711461Z ##[debug]Evaluating: github.token
2024-08-19T16:59:53.4712119Z ##[debug]Evaluating Index:
2024-08-19T16:59:53.4712474Z ##[debug]..Evaluating github:
2024-08-19T16:59:53.4712870Z ##[debug]..=> Object
2024-08-19T16:59:53.4713312Z ##[debug]..Evaluating String:
2024-08-19T16:59:53.4713694Z ##[debug]..=> 'token'
2024-08-19T16:59:53.4714290Z ##[debug]=> '***'
2024-08-19T16:59:53.4714857Z ##[debug]Result: '***'
2024-08-19T16:59:53.4726635Z ##[debug]Loading env
2024-08-19T16:59:53.4732531Z Post job cleanup.
2024-08-19T16:59:53.5625479Z ##[debug]Getting git version
2024-08-19T16:59:53.5639087Z [command]/usr/bin/git version
2024-08-19T16:59:53.5673957Z git version 2.46.0
2024-08-19T16:59:53.5695729Z ##[debug]0
2024-08-19T16:59:53.5696643Z ##[debug]git version 2.46.0
2024-08-19T16:59:53.5697489Z ##[debug]
2024-08-19T16:59:53.5698749Z ##[debug]Set git useragent to: git/2.46.0 (github-actions-checkout)
2024-08-19T16:59:53.5701162Z ::add-mask::***
2024-08-19T16:59:53.5721221Z Temporarily overriding HOME='/home/runner/work/_temp/c366a817-df30-4681-bcca-c9e44c2a4bac' before making global git config changes
2024-08-19T16:59:53.5722446Z Adding repository directory to the temporary git global config as a safe directory
2024-08-19T16:59:53.5726290Z [command]/usr/bin/git config --global --add safe.directory /home/runner/work/chia-blockchain/chia-blockchain
2024-08-19T16:59:53.5752946Z ##[debug]0
2024-08-19T16:59:53.5753896Z ##[debug]
2024-08-19T16:59:53.5759769Z [command]/usr/bin/git config --local --name-only --get-regexp core\.sshCommand
2024-08-19T16:59:53.5785924Z ##[debug]1
2024-08-19T16:59:53.5786740Z ##[debug]
2024-08-19T16:59:53.5790265Z [command]/usr/bin/git submodule foreach --recursive sh -c "git config --local --name-only --get-regexp 'core\.sshCommand' && git config --local --unset-all 'core.sshCommand' || :"
2024-08-19T16:59:53.6016479Z ##[debug]0
2024-08-19T16:59:53.6022416Z ##[debug]
2024-08-19T16:59:53.6023239Z [command]/usr/bin/git config --local --name-only --get-regexp http\.https\:\/\/github\.com\/\.extraheader
2024-08-19T16:59:53.6042602Z http.https://github.com/.extraheader
2024-08-19T16:59:53.6049058Z ##[debug]0
2024-08-19T16:59:53.6050025Z ##[debug]http.https://github.com/.extraheader
2024-08-19T16:59:53.6050893Z ##[debug]
2024-08-19T16:59:53.6054538Z [command]/usr/bin/git config --local --unset-all http.https://github.com/.extraheader
2024-08-19T16:59:53.6082446Z ##[debug]0
2024-08-19T16:59:53.6083318Z ##[debug]
2024-08-19T16:59:53.6087061Z [command]/usr/bin/git submodule foreach --recursive sh -c "git config --local --name-only --get-regexp 'http\.https\:\/\/github\.com\/\.extraheader' && git config --local --unset-all 'http.https://github.com/.extraheader' || :"
2024-08-19T16:59:53.6309168Z ##[debug]0
2024-08-19T16:59:53.6309995Z ##[debug]
2024-08-19T16:59:53.6311057Z ##[debug]Unsetting HOME override
2024-08-19T16:59:53.6374621Z ##[debug]Node Action run completed with exit code 0
2024-08-19T16:59:53.6377618Z ##[debug]Finishing: Post Checkout Repository
2024-08-19T16:59:53.6511474Z ##[debug]Starting: Complete job
2024-08-19T16:59:53.6513540Z Uploading runner diagnostic logs
2024-08-19T16:59:53.6559806Z ##[debug]Starting diagnostic file upload.
2024-08-19T16:59:53.6560429Z ##[debug]Setting up diagnostic log folders.
2024-08-19T16:59:53.6563171Z ##[debug]Creating diagnostic log files folder.
2024-08-19T16:59:53.6581420Z ##[debug]Copying 1 worker diagnostic logs.
2024-08-19T16:59:53.6598689Z ##[debug]Copying 1 runner diagnostic logs.
2024-08-19T16:59:53.6600274Z ##[debug]Zipping diagnostic files.
2024-08-19T16:59:53.6662132Z ##[debug]Uploading diagnostic metadata file.
2024-08-19T16:59:53.6686453Z ##[debug]Diagnostic file upload complete.
2024-08-19T16:59:53.6687373Z Completed runner diagnostic log upload
2024-08-19T16:59:53.6687853Z Cleaning up orphan processes
2024-08-19T16:59:53.7032961Z ##[debug]Finishing: Complete job
2024-08-19T16:59:53.7144372Z ##[debug]Finishing: dependency-review
workflow source
# Managed by repo-content-updater
# Dependency Review Action
#
# This Action will scan dependency manifest files that change as part of a Pull Request, surfacing known-vulnerable versions of the packages declared or updated in the PR. Once installed, if the workflow run is marked as required, PRs introducing known-vulnerable packages will be blocked from merging.
#
# Source repository: https://github.com/actions/dependency-review-action
# Public documentation: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement
name: "🚨 Dependency Review"
on: [pull_request]

permissions:
  contents: read

jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - name: "Checkout Repository"
        uses: actions/checkout@v4

      - name: "Dependency Review"
        uses: actions/dependency-review-action@v4
        with:
          allow-dependencies-licenses: pkg:pypi/pylint, pkg:pypi/pyinstaller
          deny-licenses: AGPL-1.0-only, AGPL-1.0-or-later, AGPL-1.0-or-later, AGPL-3.0-or-later, GPL-1.0-only, GPL-1.0-or-later, GPL-2.0-only, GPL-2.0-or-later, GPL-3.0-only, GPL-3.0-or-later

##[debug]Filtered Changes: [{"change_type":"added","manifest":"poetry.lock","ecosystem":"pip","name":"pywin32-ctypes","version":"0.2.3","package_url":"pkg:pypi/pywin32-ctypes@0.2.3","license":"BSD-3-Clause AND NOASSERTION","source_repository_url":"https://github.com/enthought/pywin32-ctypes","scope":"runtime","vulnerabilities":[]},{"change_type":"removed","manifest":"poetry.lock","ecosystem":"pip","name":"pywin32-ctypes","version":"0.2.2","package_url":"pkg:pypi/pywin32-ctypes@0.2.2","license":"BSD-3-Clause","source_repository_url":"https://github.com/enthought/pywin32-ctypes","scope":"runtime","vulnerabilities":[]}]

Expected behavior
No change to the license is noted and it is accepted.

Action version
What version of the action are you using in your workflow?

latest v4
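
Added example (not part of the original issue and not the action's own code): a triage helper for the `Filtered Changes` debug entry above. It pairs the removed and added versions of each package and separates denied license identifiers from placeholder terms such as `NOASSERTION`. The sample data is constructed from the two entries in the log; `license_terms`, `triage` and the trimmed `DENY` set are hypothetical names, and the tokenizer is a naive one, not a full SPDX parser.

```python
import json
import re

# Constructed sample: the two "Filtered Changes" entries from the log, trimmed.
FILTERED_CHANGES = json.loads("""[
 {"change_type": "added", "manifest": "poetry.lock", "name": "pywin32-ctypes",
  "version": "0.2.3", "license": "BSD-3-Clause AND NOASSERTION"},
 {"change_type": "removed", "manifest": "poetry.lock", "name": "pywin32-ctypes",
  "version": "0.2.2", "license": "BSD-3-Clause"}
]""")
DENY = {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-or-later"}  # subset of the workflow's deny-licenses
OPERATORS = {"AND", "OR", "WITH"}
PLACEHOLDERS = {"NOASSERTION", "NONE"}  # SPDX values that name no concrete license


def license_terms(expression):
    """Split an SPDX-style expression into license identifiers (naive tokenizer)."""
    terms, skip = [], False
    for tok in re.findall(r"[A-Za-z0-9.+-]+", expression or ""):
        if skip:                 # token after WITH is an exception name, not a license
            skip = False
        elif tok == "WITH":
            skip = True
        elif tok not in OPERATORS:
            terms.append(tok)
    return terms


def triage(changes, deny):
    """Pair removed/added entries per package and classify the new license terms."""
    before = {(c["manifest"], c["name"]): c for c in changes if c["change_type"] == "removed"}
    report = []
    for c in changes:
        if c["change_type"] != "added":
            continue
        old = before.get((c["manifest"], c["name"]))
        new_terms = license_terms(c.get("license"))
        old_terms = license_terms(old.get("license")) if old else []
        report.append({
            "package": c["name"],
            "versions": (old["version"] if old else None, c["version"]),
            "denied": sorted(set(new_terms) & deny),               # real policy hits
            "undetermined": [t for t in new_terms if t in PLACEHOLDERS],
            "introduced": [t for t in new_terms if t not in old_terms],
        })
    return report
```

For the entry in this issue, `denied` is empty and `NOASSERTION` is the only introduced term, which separates a metadata gap from an actual deny-list match.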

@altendky altendky added the bug Something isn't working label Aug 19, 2024
@elrayle
elrayle commented Aug 21, 2024

@altendky 👋 I wanted to give you an update. We are looking into the license data and process to understand why you are seeing the AND NOASSERTION. I, or someone else on the team, will give you an update once I've looked at the process that brought this in.

@dolorsfg

Similar issue here for another dependency:
The validity of the licenses of the dependencies below could not be determined. Ensure that they are valid SPDX licenses:
pom.xml » org.springframework.data:[email protected] – License: Apache-2.0 AND NOASSERTION
Error: Dependency review could not detect the validity of all licenses.

https://github.com/dolorsfg/proves/actions/runs/10561223320

@liedQM
liedQM commented Nov 4, 2024

@elrayle do you have any update?

We see the same issue for jetty dependencies fetched over maven:

org.eclipse.jetty:jetty-http | 9.4.56.v20240826 | Apache-2.0 AND EPL-1.0 AND EPL-2.0 AND NOASSERTION | Invalid SPDX License
org.eclipse.jetty.websocket:websocket-api | 9.4.56.v20240826 | Apache-2.0 AND EPL-1.0 AND EPL-2.0 AND NOASSERTION | Invalid SPDX License
org.eclipse.jetty.websocket:websocket-client | 9.4.56.v20240826 | Apache-2.0 AND EPL-1.0 AND EPL-2.0 AND NOASSERTION | Invalid SPDX License
org.eclipse.jetty.websocket:websocket-common | 9.4.56.v20240826 | Apache-2.0 AND EPL-1.0 AND EPL-2.0 AND NOASSERTION | Invalid SPDX License
org.eclipse.jetty.websocket:websocket-server | 9.4.56.v20240826 | Apache-2.0 AND EPL-1.0 AND EPL-2.0 AND NOASSERTION | Invalid SPDX License
org.eclipse.jetty.websocket:websocket-servlet | 9.4.56.v20240826 | Apache-2.0 AND EPL-1.0 AND EPL-2.0 AND NOASSERTION | Invalid SPDX License
org.eclipse.jetty:jetty-client | 9.4.56.v20240826 | Apache-2.0 AND EPL-1.0 AND EPL-2.0 AND NOASSERTION | Invalid SPDX License
org.eclipse.jetty:jetty-io | 9.4.56.v20240826 | Apache-2.0 AND EPL-1.0 AND EPL-2.0 AND NOASSERTION | Invalid SPDX License
org.eclipse.jetty:jetty-security | 9.4.56.v20240826 | Apache-2.0 AND EPL-1.0 AND EPL-2.0 AND NOASSERTION | Invalid SPDX License
org.eclipse.jetty:jetty-servlet | 9.4.56.v20240826 | Apache-2.0 AND EPL-1.0 AND EPL-2.0 AND NOASSERTION | Invalid SPDX License
org.eclipse.jetty:jetty-servlets | 9.4.56.v20240826 | Apache-2.0 AND EPL-1.0 AND EPL-2.0 AND NOASSERTION | Invalid SPDX License
org.eclipse.jetty:jetty-util | 9.4.56.v20240826 | Apache-2.0 AND EPL-1.0 AND EPL-2.0 AND NOASSERTION | Invalid SPDX License
org.eclipse.jetty:jetty-util-ajax | 9.4.56.v20240826 | Apache-2.0 AND EPL-1.0 AND EPL-2.0 AND NOASSERTION | Invalid SPDX License
