Description
When trivy's license scan encounters an operator, it will mark it as non-standard with severity unknown. For example, if an SPDX license expression is "Apache-2.0 OR MIT". This package should be fine, since it is licensed under two very well known, standard and permissive licenses.
Dual licensing is very common in some ecosystems; for example, Apache2/MIT dual licensing is the default in the Rust ecosystem.
Details about the expressions can be found here: https://spdx.github.io/spdx-spec/v2.2.2/SPDX-license-expressions/
It would be useful and straightforward to implement if the tool reported back the floor of the severity of all OR'd licenses and the ceiling of the severity of all AND'd licenses. For a first pass we could even leave out the "with" operator since it is less common.
I've seen this behavior for dual licensed packages from both https://github.com/CycloneDX/cyclonedx-node-npm and https://github.com/CycloneDX/cyclonedx-rust-cargo
Target: SBOM
Scanner: License
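The floor/ceiling rule proposed in the description, written out as a small recursive-descent evaluator in Go (Trivy's language). This is an added example, not code from the issue or from Trivy; the severity ordering and the license-to-severity table are assumptions, parentheses are honoured, and the WITH operator is left out as the first pass suggests.

```go
package main

import "strings"

// Severity ordering and license table are assumptions for this example, not Trivy's data.
type Severity int
const Unknown, Low, Medium, High, Critical Severity = 0, 1, 2, 3, 4
var severityOf = map[string]Severity{"MIT": Low, "Apache-2.0": Low,
	"MPL-2.0": Medium, "GPL-3.0-only": High, "AGPL-3.0-only": Critical}

// Evaluate applies the proposed rule: OR yields the floor (minimum) of its
// operands, AND the ceiling (maximum); parentheses nest, WITH is not handled.
// Caveat: an unrecognised id maps to Unknown, the lowest level, so under OR
// it pulls the result down to Unknown rather than to the known operand.
func Evaluate(expr string) Severity {
	expr = strings.ReplaceAll(strings.ReplaceAll(expr, "(", " ( "), ")", " ) ")
	sev, _ := parse(strings.Fields(expr), 0, 0)
	return sev
}

// parse folds operands joined by OR (p == 0, keep minimum) or AND (p == 1,
// keep maximum); AND binds tighter, so each OR operand is an AND chain.
func parse(t []string, i, p int) (Severity, int) {
	op, next := "OR", func(t []string, i int) (Severity, int) { return parse(t, i, 1) }
	if p == 1 {
		op, next = "AND", parseAtom
	}
	sev, i := next(t, i)
	for i < len(t) && strings.EqualFold(t[i], op) {
		var r Severity
		if r, i = next(t, i+1); (p == 0 && r < sev) || (p == 1 && r > sev) {
			sev = r
		}
	}
	return sev, i
}

func parseAtom(t []string, i int) (Severity, int) {
	if i >= len(t) {
		return Unknown, i // malformed input such as a trailing operator
	}
	if t[i] != "(" {
		return severityOf[t[i]], i + 1 // missing key gives the zero value, Unknown
	}
	sev, j := parse(t, i+1, 0)
	if j < len(t) && t[j] == ")" {
		j++ // consume the closing parenthesis
	}
	return sev, j
}
```

With this rule "Apache-2.0 OR MIT" evaluates to Low instead of Unknown, while "MIT AND GPL-3.0-only" still surfaces the GPL component as High.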