
Support SPDX "user defined license reference" (aka LicenseRef) #157

Open
ma-ble opened this issue Nov 22, 2024 · 2 comments
Labels
enhancement Feature enhancements

Comments

@ma-ble

ma-ble commented Nov 22, 2024

What would you like to be added:

We are using SPDX "user defined license references" (aka LicenseRef), which are not defined by a standard SPDX license identifier. When we let grant check these licenses, at the beginning we get the error message "unable to get license by ID: LicenseRef-XXXX; no matching spdx id found sbom.json".

> grant check sbom.json 
[0000] ERROR unable to get license by ID: LicenseRef-XXXX; no matching spdx id found 
* sbom.json

> grant list sbom.json 
[0000] ERROR unable to get license by ID: LicenseRef-XXXX; no matching spdx id found
* sbom.json

I would like to be able to add SPDX "user defined license reference" (aka LicenseRef) in Grant - for example via the .grants.yaml configuration file.

Why is this needed:

The support of SPDX "user defined license references" (aka LicenseRef) in Grant would be advantageous in conjunction with Syft (creating SBOMs), since Syft sets spdxExpressions in the SBOM. This would enable a seamless and automated check of the licenses.

Additional context:

@ma-ble ma-ble added the enhancement Feature enhancements label Nov 22, 2024
@willmurphyscode
Contributor

It sounds like you have SPDX JSON SBOMs with some user-defined licenses in them, and you'd like grant list and grant check to work with these, so that grant list lists the user-defined license IDs with all the other license IDs, and grant check can be configured to allow or block user-defined licenses. Is that correct, @ma-ble?

This would be a great feature, but we have one question about how grant check would work. Because user-defined license IDs are only unique within a particular SBOM, user-defined license License-Ref-0003, for example, might mean something completely different in one SBOM versus another, so just putting allow: License-Ref-0003 in Grant's config might allow two completely different licenses through. One possible solution is that the person putting user-defined licenses in the Grant config makes sure that License-Ref-0003 always means the same thing in all their licenses, but this seems like it might be brittle.

@ma-ble please let us know if we've understood correctly, and if you have an opinion on the problem where user defined license refs are only unique within an SBOM.
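The uniqueness problem raised above can be sidestepped by pinning an allowed LicenseRef to the hash of its declared license text rather than to the bare ID. The following is an added illustration, not grant's own code or config schema: it reads the subset of an SPDX 2.x JSON document that matters here (package licenseConcluded expressions and the hasExtractedLicensingInfos declarations), and evaluates each LicenseRef token against a hypothetical Rule list where an entry may optionally carry the SHA-256 of the license text. The two SBOMs embedded below are constructed for the demonstration; both declare LicenseRef-0003 but with different text, which is exactly the case an ID-only allow rule would get wrong.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"strings"
)

// Subset of an SPDX 2.x JSON document: packages carry a license expression,
// and user-defined licenses are declared under hasExtractedLicensingInfos.
type spdxDoc struct {
	Packages []struct {
		Name             string `json:"name"`
		LicenseConcluded string `json:"licenseConcluded"`
	} `json:"packages"`
	ExtractedInfos []struct {
		LicenseID     string `json:"licenseId"`
		ExtractedText string `json:"extractedText"`
	} `json:"hasExtractedLicensingInfos"`
}

// Rule is a hypothetical allow-list entry (not grant's .grants.yaml schema).
// A LicenseRef ID is only unique within one SBOM, so a rule may pin the
// SHA-256 of the license text; the same ID with different text is then denied.
type Rule struct {
	ID         string
	TextSHA256 string // empty: match on ID alone (the brittle option)
}

// Finding is the verdict for one LicenseRef token in one package.
type Finding struct {
	Package string
	License string
	Status  string // "allowed", "denied" or "undeclared"
}

// textDigest trims surrounding whitespace and hashes the license text.
func textDigest(s string) string {
	sum := sha256.Sum256([]byte(strings.TrimSpace(s)))
	return hex.EncodeToString(sum[:])
}

// CheckLicenseRefs evaluates every LicenseRef-* token in each package's
// licenseConcluded expression against the rules. Standard SPDX IDs are ignored.
func CheckLicenseRefs(sbom []byte, rules []Rule) ([]Finding, error) {
	var doc spdxDoc
	if err := json.Unmarshal(sbom, &doc); err != nil {
		return nil, fmt.Errorf("parse sbom: %w", err)
	}
	refText := map[string]string{} // declared LicenseRef ID -> license text
	for _, li := range doc.ExtractedInfos {
		refText[li.LicenseID] = li.ExtractedText
	}
	var findings []Finding
	for _, p := range doc.Packages {
		for _, tok := range strings.Fields(p.LicenseConcluded) {
			tok = strings.Trim(tok, "()") // tolerate "(MIT OR LicenseRef-1)"
			if !strings.HasPrefix(tok, "LicenseRef-") {
				continue
			}
			status := "undeclared" // ID used but never declared in this SBOM
			if text, ok := refText[tok]; ok {
				status = "denied"
				for _, r := range rules {
					if r.ID == tok && (r.TextSHA256 == "" || r.TextSHA256 == textDigest(text)) {
						status = "allowed"
						break
					}
				}
			}
			findings = append(findings, Finding{p.Name, tok, status})
		}
	}
	return findings, nil
}

// Constructed sample SBOMs: both declare LicenseRef-0003, with different text.
const SampleSBOMA = `{"packages":[{"name":"alpha","licenseConcluded":"MIT AND LicenseRef-0003"},
 {"name":"beta","licenseConcluded":"LicenseRef-0099"}],
 "hasExtractedLicensingInfos":[{"licenseId":"LicenseRef-0003","extractedText":"Internal license A: use permitted within ACME."}]}`

const SampleSBOMB = `{"packages":[{"name":"gamma","licenseConcluded":"LicenseRef-0003"}],
 "hasExtractedLicensingInfos":[{"licenseId":"LicenseRef-0003","extractedText":"Proprietary: no redistribution."}]}`

func main() {
	pinned := []Rule{{ID: "LicenseRef-0003", TextSHA256: textDigest("Internal license A: use permitted within ACME.")}}
	for _, s := range []string{SampleSBOMA, SampleSBOMB} {
		fs, err := CheckLicenseRefs([]byte(s), pinned)
		if err != nil {
			panic(err)
		}
		for _, f := range fs {
			fmt.Printf("%-6s %-16s %s\n", f.Package, f.License, f.Status)
		}
	}
}
```

With the pinned rule, alpha in the first SBOM is allowed, beta's LicenseRef-0099 is reported as undeclared (used in an expression but absent from hasExtractedLicensingInfos), and gamma in the second SBOM is denied despite carrying the same ID; dropping TextSHA256 from the rule makes gamma pass, which is the cross-SBOM collision described in the comment above.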

@ma-ble
Author

ma-ble commented Nov 26, 2024

Your assumptions about my intentions are correct.

We have our own custom SPDX licenses (e.g. License-Ref-0003) that are only valid within our space and would like to be able to check for these licenses with "grant check".

An extension of Grant's config so that user-defined SPDX licenses can be entered would be very suitable for this use case.

@willmurphyscode willmurphyscode moved this to Backlog in OSS Nov 26, 2024