enhancement(license): improve work with custom classification of licenses from config file
Description
Trivy supports setting custom classifications using a config file - https://trivy.dev/latest/docs/scanner/license/#custom-classification
But there are 2 problems with that:
1. Trivy checks licenses after normalization.
So it can be confusing (users use full license names).
Also users can't split some licenses (e.g. LGPL-2.0-only and LGPL-2.0-or-later), because the config file should contain the license without a suffix.
Solution
We should compare full name + normalized name here: https://github.com/aquasecurity/trivy/blob/2d30dd72414be1ef94bc9d92cb655e9b5e72e91d/pkg/licensing/scanner.go#L34-L38
2. Trivy doesn't compare text licenses.
User may want to categorize text licenses.
Solution
We need to check categories for text licenses. There are 3 possible ways:
- compare license as text (can be found in jsonfile)
- compare license after normalization (CUSTOM License: ...)
- compare both cases
Discussed in https://github.com/aquasecurity/trivy/discussions/8847
So it can be confusing (users use full license names).
Can you elaborate on that? Any examples?
You can take a look at the config file of the user from #8847.
He uses full license names and license texts:
license:
  forbidden:
    - AGPL-1.0-only
    - AGPL-1.0-or-later
    - AGPL-3.0-only
    - AGPL-3.0-or-later
    ...
    - "CUSTOM License: * Permission to..."
I was under the impression that after our license normalization process, the license string would be something like "AGPL-1.0-only". Could you remind me why it doesn't match?
We use license name only (for single expressions).
I guess to avoid inserting same license with different suffixes in mapping.
https://github.com/aquasecurity/trivy/blob/2d30dd72414be1ef94bc9d92cb655e9b5e72e91d/pkg/licensing/scanner.go#L28-L38
So in this case the mapping contains AGPL-1.0-only (from the config file), but we check AGPL-1.0.
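A small model of the mismatch explained above, and of the "compare full name + normalized name" proposal from the issue description, written as an added example for this thread (it is not Trivy's own code). `normalizeName` is a hypothetical stand-in for Trivy's normalization that only strips the `-only` / `-or-later` suffixes, the category names are illustrative, and the config map is a constructed sample modelled on the one quoted from #8847.

```go
package main

import (
	"fmt"
	"strings"
)

// Illustrative category labels (not Trivy's own constants).
const (
	CategoryForbidden = "FORBIDDEN"
	CategoryUnknown   = "UNKNOWN"
)

// normalizeName is a hypothetical, simplified stand-in for Trivy's license
// normalization: it only strips "-only" / "-or-later", so "LGPL-2.0-only" and
// "LGPL-2.0-or-later" both collapse to "LGPL-2.0". License texts pass through
// unchanged here.
func normalizeName(license string) string {
	for _, suffix := range []string{"-only", "-or-later"} {
		license = strings.TrimSuffix(license, suffix)
	}
	return license
}

// buildMapping turns the per-category config lists into a lookup table keyed
// exactly as the user wrote the entries (full names, license texts included).
func buildMapping(config map[string][]string) map[string]string {
	m := make(map[string]string)
	for category, licenses := range config {
		for _, l := range licenses {
			m[l] = category
		}
	}
	return m
}

// classifyNormalizedOnly models the behaviour reported in the issue: the
// mapping holds the config entries verbatim, but the lookup uses only the
// normalized name, so an entry such as "AGPL-1.0-only" can never match.
func classifyNormalizedOnly(mapping map[string]string, license string) string {
	if c, ok := mapping[normalizeName(license)]; ok {
		return c
	}
	return CategoryUnknown
}

// classifyBoth models the proposed fix: try the full name first (so the user
// can keep "-only" and "-or-later" apart and license texts match verbatim),
// then fall back to the normalized name so suffix-less config entries still work.
func classifyBoth(mapping map[string]string, license string) string {
	if c, ok := mapping[license]; ok {
		return c
	}
	if c, ok := mapping[normalizeName(license)]; ok {
		return c
	}
	return CategoryUnknown
}

// sampleConfig is a constructed sample in the spirit of the #8847 config.
func sampleConfig() map[string][]string {
	return map[string][]string{
		CategoryForbidden: {
			"AGPL-1.0-only", // full name with suffix: only the fix matches it
			"GPL-3.0",       // suffix-less entry: matches via normalization in both
			"CUSTOM License: * Permission to...", // license text
		},
	}
}

func main() {
	m := buildMapping(sampleConfig())
	for _, l := range []string{"AGPL-1.0-only", "AGPL-1.0-or-later", "GPL-3.0-or-later", "CUSTOM License: * Permission to..."} {
		fmt.Printf("%-40s normalized-only=%-9s both=%s\n", l, classifyNormalizedOnly(m, l), classifyBoth(m, l))
	}
}
```

Running it shows that `AGPL-1.0-only` is `UNKNOWN` under the normalized-only lookup but `FORBIDDEN` under the combined lookup, while `AGPL-1.0-or-later` stays `UNKNOWN` in both because the user deliberately listed only the `-only` variant; the suffix-less `GPL-3.0` entry keeps working through the normalized fallback.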
Thanks for explaining. I get the point now. And I found when it was implemented. https://github.com/aquasecurity/trivy/commit/6472e3c9da2a8e7ba41598a45c80df8f18e57d4c#diff-2b2300532f17072a36696ba8b5db5a44c7dc1f3cd210a844acb2baee75317589R26
I left a comment. https://github.com/aquasecurity/trivy/pull/8861#pullrequestreview-2849790755