
feat(license): use separate SPDX ids to ignore SPDX expressions

Open DmitriyLewen opened this issue 6 months ago • 0 comments

Description

Trivy currently ignores a license only when the ignore entry matches the full license string exactly. e.g. for `LGPLv2+ and MIT` you need to use `LGPLv2+ and MIT` (`MIT and LGPLv2+` will not work).

Feature

Use the individual license IDs to ignore SPDX expressions. This means that if the ignore list contains all license identifiers from an SPDX expression, Trivy should ignore that license. e.g. for `LGPLv2+ and MIT` you can add the two IDs `LGPLv2+` and `MIT` to the ignore list.

Required changes:

Changes can be added in this function: https://github.com/aquasecurity/trivy/blob/4cfb2a97b27923182ab45c178544542ec65981d4/pkg/result/ignore.go#L180-L182 Needed:

  • check that the license is a valid SPDX expression
  • split the SPDX expression into SPDX IDs
  • use c.Licenses.Match for each SPDX ID and for the whole SPDX expression
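The three steps above, as an added example that is not Trivy's code: `IgnoreList` is a constructed stand-in for `c.Licenses`, and `splitSPDXIDs` is a deliberately small tokenizer (AND/OR/WITH and parentheses) where the real change would use a proper SPDX parser.

```go
package main

import (
	"fmt"
	"strings"
)

// IgnoreList stands in for the c.Licenses matcher (constructed, not Trivy's type).
type IgnoreList []string

func (l IgnoreList) Match(license string) bool {
	for _, s := range l {
		if strings.EqualFold(s, license) {
			return true
		}
	}
	return false
}

// splitSPDXIDs validates the expression and returns its license identifiers.
// ok is false for malformed input (dangling operator, unbalanced parentheses).
func splitSPDXIDs(expr string) (ids []string, ok bool) {
	expr = strings.NewReplacer("(", " ( ", ")", " ) ").Replace(expr)
	depth, expectOperand := 0, true
	for _, tok := range strings.Fields(expr) {
		switch {
		case tok == "(":
			if !expectOperand {
				return nil, false
			}
			depth++
		case tok == ")":
			if expectOperand || depth == 0 {
				return nil, false
			}
			depth--
		case strings.EqualFold(tok, "AND"), strings.EqualFold(tok, "OR"), strings.EqualFold(tok, "WITH"):
			if expectOperand {
				return nil, false
			}
			expectOperand = true
		default: // a license ID (or exception ID after WITH)
			if !expectOperand {
				return nil, false
			}
			ids = append(ids, tok)
			expectOperand = false
		}
	}
	return ids, depth == 0 && !expectOperand
}

// shouldIgnore: whole-expression match first, then "every ID is ignored".
func shouldIgnore(ignore IgnoreList, license string) bool {
	if ignore.Match(license) {
		return true
	}
	ids, ok := splitSPDXIDs(license)
	if !ok {
		return false
	}
	for _, id := range ids {
		if !ignore.Match(id) {
			return false
		}
	}
	return true
}

func main() {
	ignore := IgnoreList{"MIT", "LGPLv2+"}
	for _, l := range []string{"LGPLv2+ and MIT", "MIT and LGPLv2+", "MIT and GPL-3.0"} {
		fmt.Printf("%-16s ignored=%v\n", l, shouldIgnore(ignore, l))
	}
}
```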

Discussed in https://github.com/aquasecurity/trivy/discussions/9027

DmitriyLewen, Jun 18 '25 05:06