
Feature Request: License URL from product source

Open · terriko opened this issue 2 years ago · 1 comment

I noticed the new version has the SPDX short-form license and a url like so:

```json
"id": "PSF-2.0",
"url": "https://opensource.org/licenses/Python-2.0"
```

I've been told by a few of our teams that they'd rather have a link to the license where it appears in the source for the component, rather than a central site with license texts. Apparently we've had some issues where the reported license doesn't match the one in the code, and one of our legal reps now requires everyone to dig up the source code license file to verify and validate.

Obviously this isn't your problem, since you don't have to work with a grumpy legal rep, but I figured I'd put it in as a feature request just in case you can come up with a genius way to make this an option in the future. (Since github has a standard location for licenses, it might be easy to find in some cases but likely not all.)

terriko · Apr 04 '23 21:04

@terriko I just use the information from the SPDX license list to map the SPDX-ID to the url. I rely on the Python metadata from the module to indicate the license (there is some synonym matching done to resolve some mismatches e.g. allow Apache 2 and Apache-2.0 to be considered the same) but I don't read the source files.

However, if you run sbom4python from a directory where source files are available and include the --include-file option, the licenses in each file will be detected by reading the source files (it doesn't record the line numbers though). This should allow the easy detection of

  • Files with no license id
  • Files with differing licenses to the parent module

I typically use this in a Python virtual environment and run sbom4python from within the directory containing the installed modules (lib//site-packages/).

Does that help?

anthonyharrison · Apr 05 '23 07:04
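For readers who want to see what the per-file check described in the reply above amounts to, here is an added example (my own code, not sbom4python's). It walks a package tree, reads the `SPDX-License-Identifier` tag from each `.py` file, normalises the license name declared in package metadata through a synonym table (so "Apache 2" and "Apache-2.0" compare equal), and reports files with no tag and files whose tag differs from the package license. It also returns both references raised in the original request: the SPDX license-list URL and the license file found in the package tree. The synonym table, the list of license file names, the `examplepkg` tree and the function names are all assumptions constructed for the example; the tree is built in a temporary directory so the script runs offline.

```python
# Added example, not sbom4python's own code: scan a package tree for per-file
# SPDX tags and compare them with the license declared in package metadata.
import re
import tempfile
from pathlib import Path

# Assumption: a small hand-written synonym table, standing in for the kind of
# metadata-name -> SPDX-ID matching described in the comment above.
SPDX_SYNONYMS = {
    "apache 2": "Apache-2.0",
    "apache 2.0": "Apache-2.0",
    "apache license 2.0": "Apache-2.0",
    "apache-2.0": "Apache-2.0",
    "mit": "MIT",
    "mit license": "MIT",
    "python software foundation license": "PSF-2.0",
}

# SPDX short-form header tag, allowing AND/OR/WITH expressions
# such as "MIT OR Apache-2.0".
SPDX_TAG_RE = re.compile(
    r"SPDX-License-Identifier:\s*"
    r"([A-Za-z0-9.+-]+(?:\s+(?:AND|OR|WITH)\s+[A-Za-z0-9.+-]+)*)"
)

# Assumption: conventional license file names looked for at the package root.
LICENSE_FILENAMES = ("LICENSE", "LICENSE.txt", "LICENSE.md", "LICENCE", "COPYING")


def normalise_license(name):
    """Map a free-text license name to an SPDX ID where a synonym is known."""
    if not name:
        return None
    key = " ".join(name.strip().lower().split())
    return SPDX_SYNONYMS.get(key, name.strip())


def file_license(path):
    """Return the SPDX expression from the file's header tag, or None."""
    with open(path, "rb") as fh:
        head = fh.read(2048).decode("utf-8", errors="replace")
    match = SPDX_TAG_RE.search(head)
    return match.group(1) if match else None


def license_reference(spdx_id, pkg_root):
    """Both references: the SPDX list URL and the license file in the tree."""
    local = next((pkg_root / n for n in LICENSE_FILENAMES if (pkg_root / n).is_file()), None)
    return {
        "id": spdx_id,
        "url": f"https://spdx.org/licenses/{spdx_id}.html",
        "source_file": str(local.relative_to(pkg_root)) if local else None,
    }


def audit_package(pkg_root, declared_license):
    """Compare each .py file's SPDX tag with the declared package license."""
    declared = normalise_license(declared_license)
    report = {"declared": declared, "reference": license_reference(declared, pkg_root),
              "missing": [], "differing": [], "matching": []}
    for path in sorted(pkg_root.rglob("*.py")):
        rel = str(path.relative_to(pkg_root))
        found = file_license(path)
        if found is None:
            report["missing"].append(rel)
        elif normalise_license(found) != declared:
            report["differing"].append((rel, found))
        else:
            report["matching"].append(rel)
    return report


def build_sample_package(root):
    """Constructed tree: Apache-2.0 package with one vendored MIT file and
    one file carrying no tag at all."""
    pkg = root / "examplepkg"
    pkg.mkdir()
    (pkg / "LICENSE").write_text("Apache License\nVersion 2.0, January 2004\n")
    (pkg / "__init__.py").write_text("# SPDX-License-Identifier: Apache-2.0\n")
    (pkg / "core.py").write_text("# SPDX-License-Identifier: Apache-2.0\ndef f():\n    pass\n")
    (pkg / "vendored.py").write_text("# SPDX-License-Identifier: MIT\n# vendored helper\n")
    (pkg / "untagged.py").write_text("def g():\n    pass\n")
    return pkg


def run_demo():
    """Audit the constructed tree; the metadata name 'Apache 2' is a synonym."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_package(build_sample_package(Path(tmp)), "Apache 2")
```

Calling `run_demo()` reports `untagged.py` under `missing`, `vendored.py` (tagged MIT) under `differing`, and the two Apache-2.0 files under `matching`; `reference["source_file"]` points at the in-tree `LICENSE`, which is the link the legal reviewer in the original request wanted alongside the SPDX list URL. A real run would read the declared name from the installed package's metadata and would still need a human to confirm that the license file text matches the tag, since a header tag is a claim, not proof.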