Replies: 1 comment
It sounds reasonable. Created #8270.
Description
When Trivy's license scan encounters an operator, it will mark it as non-standard with severity unknown. For example, if an SPDX license expression is "Apache-2.0 OR MIT". This package should be fine, since it is licensed under two very well known, standard and permissive licenses.
Dual licensing is very common in some ecosystems; for example, Apache2/MIT dual licensing is the default in the Rust ecosystem.
Details about the expressions can be found here: https://spdx.github.io/spdx-spec/v2.2.2/SPDX-license-expressions/
It would be useful and straightforward to implement if the tool reported back with the floor of the severity of all OR'd licenses and the ceiling of the severity of all AND'd licenses. For a first pass we could even leave out the "with" operator since it is less common.
I've seen this behavior for dual licensed packages from both https://github.com/CycloneDX/cyclonedx-node-npm and https://github.com/CycloneDX/cyclonedx-rust-cargo.
Target: SBOM
Scanner: License
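The floor-for-OR / ceiling-for-AND rule proposed in the post, as an added example in Go (Trivy's language) that is not part of this discussion or of Trivy itself. The severity ordering and the per-license ranks are constructed stand-ins, and the parser follows SPDX precedence (AND binds tighter than OR) with parentheses:

```go
package main

import "strings"

// Severity levels in ascending order, and each license's index into that list. Both
// tables are constructed for this example; they are not Trivy's own classification.
var severity = []string{"UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"}
var licenseRank = map[string]int{"MIT": 1, "Apache-2.0": 1, "LGPL-2.1-only": 2, "GPL-3.0-only": 3, "SSPL-1.0": 4}

// binary parses one precedence level; SPDX binds AND tighter than OR, so OR recurses into AND.
func binary(toks []string, i *int, op string) int {
	operand := func() int { return primary(toks, i) }
	if op == "OR" {
		operand = func() int { return binary(toks, i, "AND") }
	}
	r := operand()
	for *i < len(toks) && strings.EqualFold(toks[*i], op) {
		*i++
		if next := operand(); (next > r) == (op == "AND") {
			r = next // AND keeps the ceiling, OR keeps the floor
		}
	}
	return r
}

// primary := "(" expression ")" | license-id.
func primary(toks []string, i *int) int {
	if *i >= len(toks) {
		return 0
	}
	tok := toks[*i]
	*i++
	if tok == "(" {
		r := binary(toks, i, "OR")
		*i++ // closing ")"
		return r
	}
	return licenseRank[tok] // an id missing from the table ranks 0, UNKNOWN
}

// ExpressionSeverity applies the floor-for-OR / ceiling-for-AND rule. Anything the grammar does not
// consume (a WITH clause, left out of the first pass as the post suggests, or unbalanced parens) stays UNKNOWN.
func ExpressionSeverity(expr string) string {
	toks := strings.Fields(strings.NewReplacer("(", " ( ", ")", " ) ").Replace(expr))
	i := 0
	if r := binary(toks, &i, "OR"); i == len(toks) {
		return severity[r]
	}
	return "UNKNOWN"
}
```

With UNKNOWN ranked lowest, a single unrecognised id in an OR group pulls the whole group down to UNKNOWN; rank it highest instead if an unknown license should dominate the result.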