Replies: 1 comment
-
the current solution is exactly as it should be, per python packaging specs. see https://packaging.python.org/en/latest/specifications/core-metadata/#license python packages declare their licenses' information. This might be a complete license text, or any information that is to be interpreted by lawyers, including calling out a specific license by SPDX License ID.
How would a tool be able to legally alter the declared license in any way? see also: |
Beta Was this translation helpful? Give feedback.
-
Is your feature request related to a problem? Please describe.
I think the fix to #692 led to a regression in our license detection experience. With the latest cycloned-python many of our dependencies now have licenses that look like this:
{ "license": { "name": "declared license of 'package'", "text": { "content": "MIT License", "contentType": "text/plain" } } }My reading of #692 is that this is an issue with these packages not using this field correctly?
Describe the solution you'd like
Support libraries that use the field in this way, as there are a lot of them. Specifically, check if the declared license is a license name, and if it is, use it as the name (or better yet convert it to a license ID if it's an exact match).
Some example packages include: google, google-cloud, boto3, beautifulsoup4, pyarrow. There are many more.
Describe alternatives you've considered
Post-processing to make the same change on the sbom after cyclonedx-python has generated it.
Beta Was this translation helpful? Give feedback.
All reactions