
MaybeList needs to be treated differently from AllowList

Open simitt opened this issue 6 months ago • 2 comments

Problem Statement

The MaybeList is currently treated the same way as the AllowList, which makes little sense. The semantics of being in the MaybeList mean that such a license cannot be generally allowed, but might be accepted under certain circumstances.

Goal

Licenses in the MaybeList should default to not being allowed and require specific exceptions for being allowed. This could be achieved by e.g. specifying which repositories with licenses from the MaybeList can safely be allowed.

Proposal

An additional field allowed: true|false could be added to the overrides.json. If a license matches an entry in the MaybeList, the license-detector should look for an entry in the overrides.json for the dependency being analyzed. Only if that dependency is listed in the overrides.json with allowed: true is the maybe license accepted for this particular dependency.

simitt (May 26 '25 11:05)

@axw @christos68k curious to hear your thoughts on this.

simitt (May 26 '25 11:05)

I agree, we should default to denying these and require explicit human intervention to approve.

The only question I have is how one would do that approval, and what might invalidate it. Is approving a dependency by module name good enough, or should it be by name & version? It likely also depends on how the dependency is being used, e.g. if it's used for build tooling, probably OK; if it's used as part of a product, probably not OK.

I guess we can start with an allowed: true|false as you said, and expand from there. Might also be worth requiring a note attribute to explain the approval.

axw (May 27 '25 04:05)
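The following is an added example, not code from go-licence-detector or from the participants above. It implements the behaviour proposed in the issue and in the reply: AllowList licences pass, MaybeList licences are denied unless an override for that dependency says `allowed: true` and carries a `note`, and everything else is denied. The overrides.json shape used here (a JSON array of objects with `name`, optional `version`, `allowed` and `note`) is an assumption made for illustration and is not the tool's real override format; the optional `version` pin is one answer to the name-only versus name-and-version question. All module paths and licence identifiers in the sample are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Decision is the outcome for one dependency.
type Decision string

const (
	Allowed Decision = "allowed"
	Denied  Decision = "denied"
)

// Override is the hypothetical overrides.json entry assumed by this example.
// "allowed" and "note" are the fields proposed in the issue; "version" is an
// optional pin so an approval can be tied to one release rather than a module.
type Override struct {
	Name    string `json:"name"`
	Version string `json:"version,omitempty"`
	Allowed bool   `json:"allowed"`
	Note    string `json:"note,omitempty"`
}

// Policy holds the two licence lists and the parsed overrides keyed by module path.
type Policy struct {
	allow     map[string]bool
	maybe     map[string]bool
	overrides map[string]Override
}

// NewPolicy builds a Policy from the licence lists and raw overrides.json
// content (assumed here to be a JSON array of Override objects).
func NewPolicy(allowList, maybeList []string, overridesJSON []byte) (*Policy, error) {
	p := &Policy{allow: map[string]bool{}, maybe: map[string]bool{}, overrides: map[string]Override{}}
	for _, l := range allowList {
		p.allow[strings.ToUpper(l)] = true
	}
	for _, l := range maybeList {
		p.maybe[strings.ToUpper(l)] = true
	}
	var entries []Override
	if err := json.Unmarshal(overridesJSON, &entries); err != nil {
		return nil, fmt.Errorf("parse overrides: %w", err)
	}
	for _, e := range entries {
		if e.Name == "" {
			return nil, fmt.Errorf("override entry without a name")
		}
		p.overrides[e.Name] = e
	}
	return p, nil
}

// Evaluate decides whether module@version with the detected licence may ship.
// A MaybeList licence is only accepted when an override for the module exists,
// applies to this version (if pinned), says allowed:true and explains why.
func (p *Policy) Evaluate(module, version, licence string) (Decision, string) {
	key := strings.ToUpper(licence)
	switch {
	case p.allow[key]:
		return Allowed, fmt.Sprintf("licence %s is on the AllowList", licence)
	case p.maybe[key]:
		ov, ok := p.overrides[module]
		if !ok {
			return Denied, fmt.Sprintf("licence %s is on the MaybeList and %s has no override", licence, module)
		}
		if ov.Version != "" && ov.Version != version {
			return Denied, fmt.Sprintf("override for %s is pinned to %s, not %s", module, ov.Version, version)
		}
		if !ov.Allowed {
			return Denied, fmt.Sprintf("override for %s explicitly denies it: %s", module, ov.Note)
		}
		if strings.TrimSpace(ov.Note) == "" {
			return Denied, fmt.Sprintf("override for %s approves it but has no note explaining the approval", module)
		}
		return Allowed, fmt.Sprintf("MaybeList licence %s approved for %s: %s", licence, module, ov.Note)
	default:
		return Denied, fmt.Sprintf("licence %s is on neither the AllowList nor the MaybeList", licence)
	}
}

// sampleOverrides is constructed input for this example, not a real project file.
const sampleOverrides = `[
  {"name": "github.com/example/buildtool", "allowed": true, "note": "build-time only, never linked into the product"},
  {"name": "github.com/example/pinned", "version": "v1.2.3", "allowed": true, "note": "legal reviewed v1.2.3 only"},
  {"name": "github.com/example/rejected", "allowed": false, "note": "ships inside the product"},
  {"name": "github.com/example/nonote", "allowed": true}
]`

func main() {
	p, err := NewPolicy([]string{"MIT", "Apache-2.0"}, []string{"MPL-2.0", "LGPL-3.0"}, []byte(sampleOverrides))
	if err != nil {
		panic(err)
	}
	cases := [][3]string{
		{"github.com/example/lib", "v1.0.0", "MIT"},
		{"github.com/example/lib", "v1.0.0", "MPL-2.0"},
		{"github.com/example/buildtool", "v0.4.0", "MPL-2.0"},
		{"github.com/example/pinned", "v1.2.4", "LGPL-3.0"},
		{"github.com/example/nonote", "v2.0.0", "MPL-2.0"},
	}
	for _, c := range cases {
		d, why := p.Evaluate(c[0], c[1], c[2])
		fmt.Printf("%-30s %-9s %-7s %s\n", c[0], c[2], d, why)
	}
}
```

Two points in the check are deliberate: an override never widens the licence lists (a denied licence stays denied even for an approved module), and an approval without a note is rejected, so the human reasoning behind each exception is recorded next to it.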