What would you like to be added:
The ability to read entire file contents (or just the top X bytes of the file) and classify the contents as a particular license (e.g. MIT, Apache 2.0, etc). This is a larger addition than #565 (which just covers the SPDX identifiers) but should be thought about together. License content discovered could be persisted optionally in the final SBOM (supported in SPDX).
Why is this needed:
Keeping a curated list of licenses for your dependencies is a common use case for SBOMs.
Additional context:
Consider using https://github.com/google/licenseclassifier for the heavy lifting.
As a start this could key off of file extensions to filter down to source files (.py, .go, .c, etc) or by filename (e.g. "license", "LICENSE", "license..*", etc) to keep the search scope reasonable.
This could be implemented as its own cataloger that is only responsible for finding licenses in files. This would make the configuration easily accessible, for example:
license:
  cataloger:
    enabled: true
    scope: "squashed"
    # keep the license content in the final SBOM
    capture-content: true
    # only search in the following files (by glob)
    globs:
      - license*
      - License*
      - "*.c"
      - "*.go"
      - "*.py"
      - "*.ts"
      - "*.tsx"
      # ...
More thought is needed as to how this is organized in the Syft JSON output. That is, does this show up as snippets under packages? Snippets under files? Maybe they get their own section? How does this relate to the licenses field under a package? (will it change? relate to another field? or something else?).
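As an added illustration (not Syft code and not part of the issue), a small Go sketch of the three steps proposed above: select files by glob, read only the top N bytes, and classify the text. The fingerprint table, function names and sample file tree are assumptions made for the example; a real implementation would delegate classification to something like licenseclassifier.

```go
package main

import (
	"io"
	"path"
	"strings"
)

// Hand-picked phrases (SPDX id -> phrase) matched in normalized text; a stand-in for a real classifier.
var fingerprints = map[string]string{
	"MIT":        "permission is hereby granted, free of charge, to any person obtaining a copy",
	"Apache-2.0": "licensed under the apache license, version 2.0",
}
// selected applies the configured globs to the file's base name, as the proposed config does.
func selected(p string, globs []string) bool {
	for _, g := range globs {
		if ok, _ := path.Match(g, path.Base(p)); ok {
			return true
		}
	}
	return false
}
// classify lower-cases and single-spaces the inspected bytes, then looks for a fingerprint.
func classify(head []byte) string {
	norm := strings.Join(strings.Fields(strings.ToLower(string(head))), " ")
	for spdx, phrase := range fingerprints {
		if strings.Contains(norm, phrase) {
			return spdx
		}
	}
	return "UNKNOWN"
}
// catalog maps path -> SPDX id for the selected files, reading only the first headBytes of each.
func catalog(files map[string]string, globs []string, headBytes int64) map[string]string {
	out := map[string]string{}
	for p, body := range files {
		if !selected(p, globs) {
			continue
		}
		head, _ := io.ReadAll(io.LimitReader(strings.NewReader(body), headBytes))
		out[p] = classify(head)
	}
	return out
}
// Constructed sample tree, not real project files.
var sampleFiles = map[string]string{
	"LICENSE":      "MIT License\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software...",
	"cmd/main.go":  "package main\n\nfunc main() {}\n",
	"vendor/lib.c": "/* Licensed under the Apache License, Version 2.0 (the \"License\"); */\nint x;\n",
}
```

Running catalog with a small headBytes (say 16) on the sample LICENSE returns UNKNOWN, which is the trade-off the "top X bytes" option makes: a cap that is too small misses license text that appears after a title or copyright line.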
Just a heads up on this issue -- we are adding a JVM cataloger in #3188, which could leverage this feature to catalog the <JVMDIR>/legal/**/LICENSE and attach results to the package directly.