`License` field in Python package metadata could be name or full text #2969
What would you like to be added:
The python-installed-package-cataloger could employ a heuristic to determine whether the `License` field in package metadata contains a license descriptor or the full license text. For example, if a certain number of newlines and a certain text length are exceeded, the value could be considered the full text.
When it's determined to be the full text, it should be added as such to the SBOM. In CycloneDX, that means creating a license object such as:
Why is this needed:
The `License` field isn't clearly defined. While in my experience most packages just put down a license name or even an SPDX id, it is not uncommon to find the full text in there. For example, pandas uses it this way.
Additional context:
This would fit well with #656. If a full text is identified, it could immediately be classified.
The `License` field might be deprecated if PEP-639 gets approved. Still, even then I believe this issue will stay relevant for years to come.