trivy icon indicating copy to clipboard operation
trivy copied to clipboard
Published 3 weeks ago verified publisher icon aquasecurity

fix(spdx): use `hasExtractedLicensingInfos` for licenses not in the SPDX license list

Open DmitriyLewen opened this issue 1 year ago • 0 comments

Description

We can only use licenses from SPDX license list in licenseConcluded and licenseDeclared fields. For other licenses, we should create new LicenseRef-* component (see hasExtractedLicensingInfos field - https://spdx.github.io/spdx-spec/v2.3/SPDX-license-expressions/#d46-license-expressions-in-rdf) and use this component in licenseConcluded and licenseDeclared See more details here - https://github.com/aquasecurity/trivy/discussions/7716

Discussed in https://github.com/aquasecurity/trivy/discussions/7716

DmitriyLewen avatar Oct 14 '24 06:10 DmitriyLewen