add support for licenses not found on list #1540
Conversation
Hey @deitch -- thanks for submitting this PR! I think this is half of what needs to happen -- the `LicenseRef-<id>` getting put in the appropriate license field. The other half is that we need to add these licenses with a matching `LicenseRef-<id>` to the Other Licenses section so there is something to refer to -- this would need to be added to this struct in the OtherLicenses field
I was kind of wondering about that. Thanks for the pointer to the right struct. I saw that |
@deitch CycloneDX is easier -- we just need to include the name instead of ID. See the spec here, optionally including |
Force-pushed from 3c38d10 to 2cd9034.
Ok, I think I got it, both for spdx and cyclonedx, but have a look. I updated tests so they handle the cases and pass, and I also ran some tests locally. |
Thanks @deitch -- I think this is pretty close, just a few items I've noted
I think this may fix #933 as well. @deitch it also looks like the |
Force-pushed from 2cd9034 to 997222c.
@deitch it looks like the last hold-up is the CycloneDX decoding noted above ☝️ -- I could help with this, if you like |
Signed-off-by: Avi Deitcher <avi@deitcher.net>
Force-pushed from 997222c to 1d65eb4.
I assume it has something to do with this assuming that it should be Yeah, fixing that gets the tests passing locally. I will push it out and see if CI is happy. |
That did it. |
Thanks much @deitch! This is a great addition! |
Excellent. Thanks for helping get it in. I am going to try and tackle a different issue soon with gopkg licenses. |
I will flag you on that issue, so I can try and submit for that as well. |
This did help @kzantow but then exposed the inability to handle |
Right -- properly parsing complex license expressions is not something Syft is doing today, I think it's okay to just include these as LicenseRefs for now (it's better than excluding them) |
But you wouldn't object to it doing so properly, would you? I am close to having a PR ready for it. |
Signed-off-by: Avi Deitcher <avi@deitcher.net>
Fixes #1529

As discussed with @kzantow, if a license identifier is not found on the official list, rather than returning `""` and `false`, it creates `LicenseRef-<id>` per the Other Licenses section of the SPDX spec. Also adds handling of an empty identifier, and adds tests.

The approach may need some tweaking, but it seems a simple enough solution.
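The behaviour described in the PR summary and in the review thread (unknown identifiers become `LicenseRef-<id>`, an empty identifier is rejected, and every generated LicenseRef also needs an entry in the Other Licenses section so it resolves), as an added illustration that is not Syft's own code. The license list, the `SPDXLicenseID` and `OtherLicensesFor` functions and the `OtherLicense` struct are constructed for this example; the character restriction on the idstring after `LicenseRef-` follows the SPDX spec.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed subset of the SPDX license list; the real list is much longer.
var spdxLicenseIDs = map[string]bool{
	"MIT": true, "Apache-2.0": true, "BSD-3-Clause": true,
}

// SPDX allows only letters, digits, "-" and "." in the idstring after "LicenseRef-".
var invalidIDChars = regexp.MustCompile(`[^A-Za-z0-9.-]`)

// SPDXLicenseID returns the identifier to put in the license field. A known ID is
// returned unchanged; an unknown non-empty ID becomes LicenseRef-<id> with forbidden
// characters replaced by "-"; an empty or blank ID returns "" and false so the caller
// can fall back to NOASSERTION instead of emitting an invalid document.
func SPDXLicenseID(id string) (string, bool) {
	id = strings.TrimSpace(id)
	if id == "" {
		return "", false
	}
	if spdxLicenseIDs[id] {
		return id, true
	}
	if !strings.HasPrefix(id, "LicenseRef-") {
		id = "LicenseRef-" + id
	}
	return invalidIDChars.ReplaceAllString(id, "-"), true
}

// OtherLicense is the entry the Other Licenses section needs for each LicenseRef.
type OtherLicense struct {
	LicenseIdentifier string // the LicenseRef-<id> value used in the license field
	LicenseName       string // the original identifier as found in the package
}

// OtherLicensesFor builds the deduplicated Other Licenses entries for the LicenseRefs
// generated from the given declared identifiers; known SPDX IDs need no entry.
func OtherLicensesFor(ids []string) []OtherLicense {
	seen := map[string]bool{}
	var out []OtherLicense
	for _, raw := range ids {
		ref, ok := SPDXLicenseID(raw)
		if !ok || !strings.HasPrefix(ref, "LicenseRef-") || seen[ref] {
			continue
		}
		seen[ref] = true
		out = append(out, OtherLicense{LicenseIdentifier: ref, LicenseName: strings.TrimSpace(raw)})
	}
	return out
}

func main() {
	fmt.Println(OtherLicensesFor([]string{"MIT", "Custom License 1.0", ""}))
}
```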