Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow correction / overwrite of license information #3590

Open
markussiebert opened this issue Jan 15, 2025 · 2 comments
Open

Allow correction / overwrite of license information #3590

markussiebert opened this issue Jan 15, 2025 · 2 comments
Labels
enhancement New feature or request

Comments

@markussiebert
Copy link

markussiebert commented Jan 15, 2025
edited
Loading

What would you like to be added:

It would be beneficial to have a feature in Syft that allows users to override and correct license information for packages.
Looking at the configuration options, I couldn't find any option related to correcting license information.

Why is this needed:

In cases where no license or incorrect license information is found. I have observed this issue particularly with npm packages. Generally, this is due to package publishers not maintaining correct license information in their package.json files. However, a glance at the repository or the node_modules folder often reveals the correct license under which the package is published.

Of course it would be good to solve this at the source - in the repositories of the package maintainers, but it would only affect future package versions and might be outside the sphere of influence.

I found other inconsistency, were license information were wrong or misleading. So I think a solution to overwrite might be a valid solution?

What do you think?

Additional context:

I could imagine something like:

licenseOverwrite:
- purl: pkg:npm/%40ogma/[email protected]     # Maybe allow things like 1.x >1.0.0<1.5.0
  data:
    value: "MIT"
    spdxExpression: "MIT"
    type: "declared"                                           # Maybe "concluded"
    urls:
      - https://www.npmjs.com/package/@ogma/common?activeTab=code
@markussiebert markussiebert added the enhancement New feature or request label Jan 15, 2025
@spiffcs spiffcs moved this to Backlog in OSS Jan 15, 2025
@spiffcs
Copy link
Contributor

spiffcs commented Jan 15, 2025

This doesn't help for this particular package, but syft will reach out to npm and populate license data with the following setting: SYFT_JAVASCRIPT_SEARCH_REMOTE_LICENSE=true

This issue asks for cases where even the npm data is incorrect and we want to override. This would also be useful if someone wishes to record the license of some proprietary library that is not available online or who's license data is not available to syft by other means.

@markussiebert
Copy link
Author

yes, was aware of the flag SYFT_JAVASCRIPT_SEARCH_REMOTE_LICENSE but still there are information missing and I have the need to overwrite licenses.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
OSS
Status: Backlog
Milestone
No milestone
Development

No branches or pull requests
2 participants
@markussiebert @spiffcs