Handling invalid licenses


Anthony Harrison

Team

In generating SBOMs, I am encountering a lot of issues with licence information obtained from either ecosystem metadata or actual source files; most do not appear to be using SPDX license identifiers. If I report the actual licence text then the generated SBOM is invalid; however, reporting it as NOASSERTION or NONE doesn't seem correct because the author has made some attempt at identifying the license, albeit incorrectly.

What is the correct behaviour when an invalid license is detected?

Regards

Anthony Harrison


Keith Zantow

I can only speak to what my understanding of SPDX 2.x is. However, before getting to that, I would ask exactly what you mean by "invalid licenses"? Are these files that have some license text that a tool cannot understand? Are these files that declare licenses something like "WTFPL+" that doesn't match the official SPDX license list?

In SPDX 2.x, there is an "OtherLicenses" section which is used for (as I understand it) licenses that are not "official SPDX licenses", where you can include text and other information and reference these from other SPDX elements.

If a tool encounters what it believes to be license information, but it isn't an official SPDX license value, these can be included in the "OtherLicenses" section.

Does this answer your question?

Cheers,
-Keith



Philippe Ombredanne

Anthony:

On Thu, Mar 16, 2023 at 7:41 PM Anthony Harrison
<anthony.p.harrison@...> wrote:
In generating SBOMs, I am encountering a lot of issues with licence information obtained from either ecosystem metadata or actual source files; most do not appear to be using SPDX license identifiers. If I report the actual licence text then the generated SBOM is invalid; however, reporting it as NOASSERTION or NONE doesn't seem correct because the author has made some attempt at identifying the license, albeit incorrectly.

What is the correct behaviour when an invalid license is detected?

Can you share some concrete examples?

--
Cordially
Philippe Ombredanne

+1 650 799 0949 | pombredanne@...
AboutCode - Open source for open source - https://www.aboutcode.org


Gary O'Neall

Hi Anthony,

My suggestion is to report the license as stated in the Declared License property, even though invalid, and use either NOASSERTION or, better yet, the correct license in the Concluded License field. I would also recommend adding a comment in the Comments on License field explaining the error.

Hope that helps,

Gary

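The approach Keith and Gary describe above (keep what the author declared via a LicenseRef- defined in the OtherLicenses section, put the reviewer's verdict or NOASSERTION in the concluded field, and explain the mismatch in the license comment) as an added Python example; this is not code from any SPDX project or from the thread participants. It assumes a small constructed subset of the SPDX license list in place of the full licenses.json, and the LicenseRef- slug-plus-hash naming is my own choice, not an SPDX rule beyond the allowed character set.

```python
import hashlib
import re

# Constructed subset of the SPDX license list; a real tool loads the full
# list (e.g. from licenses.json) instead of hard-coding it.
KNOWN_SPDX_IDS = {"MIT", "Apache-2.0", "GPL-2.0-only", "GPL-3.0-or-later", "BSD-3-Clause"}


def license_ref_id(raw):
    """Build an SPDX 2.x LicenseRef- id ("LicenseRef-" + [A-Za-z0-9.-]+) for text
    that is not on the license list. The short hash keeps distinct inputs such as
    "WTFPL" and "WTFPL+" from colliding once disallowed characters are replaced."""
    slug = re.sub(r"[^A-Za-z0-9.-]+", "-", raw).strip("-")[:40]
    digest = hashlib.sha256(raw.encode("utf-8")).hexdigest()[:8]
    return f"LicenseRef-{slug}-{digest}" if slug else f"LicenseRef-{digest}"


def describe_license(raw, concluded=None):
    """Return (package license fields, OtherLicenses entry or None).

    Valid SPDX id -> LicenseDeclared and LicenseConcluded are the id.
    Empty         -> NOASSERTION for both (nothing was declared).
    Anything else -> LicenseDeclared keeps what the author wrote through a
                     LicenseRef- defined in OtherLicenses; LicenseConcluded is
                     the reviewer's verdict (NOASSERTION unless supplied);
                     LicenseComments records why the declared value is invalid.
    """
    raw = raw.strip()
    if not raw:
        return {"LicenseDeclared": "NOASSERTION", "LicenseConcluded": "NOASSERTION"}, None
    if raw in KNOWN_SPDX_IDS:
        return {"LicenseDeclared": raw, "LicenseConcluded": concluded or raw}, None
    ref = license_ref_id(raw)
    fields = {
        "LicenseDeclared": ref,
        "LicenseConcluded": concluded or "NOASSERTION",
        "LicenseComments": f"Declared license '{raw}' is not an SPDX license list "
                           f"identifier; the text as found is recorded as {ref}.",
    }
    other = {"LicenseID": ref, "LicenseName": raw, "ExtractedText": raw}
    return fields, other


def to_tag_value(fields, other):
    """Render the fields as SPDX tag-value lines (ExtractedText goes in <text> tags)."""
    lines = [f"{k}: {v}" for k, v in fields.items()]
    if other:
        lines += ["", f"LicenseID: {other['LicenseID']}",
                  f"LicenseName: {other['LicenseName']}",
                  f"ExtractedText: <text>{other['ExtractedText']}</text>"]
    return "\n".join(lines)
```

Validators accept the result because every license field is either a list identifier, NOASSERTION, or a LicenseRef- that the document itself defines.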