Replies: 1 comment
The file to edit seems to be pkg/licensing/normalize.go. I'll probably get around to making a pull request eventually, but I'm new to Go and Mage, and nothing's compiling yet...
Description
I've been doing postprocessing on Trivy's license output. A recent scan found (in package metadata) thousands of licenses listed as "unknown" category and severity, but actually just about all of them (minus a few commercial) are easily-identifiable variations on standard license names, like "MIT License" or "MIT license" or "CPL".
I've written a simple dictionary lookup to supply the correct category and severity for those cases.
Why can't Trivy do the same?
Example of a Python dictionary attached.
names_dico_copy.txt
With that dictionary defined, correcting the data looks like this:
```python
try:
    # LICENSE_CORRECTIONS maps a raw license name to [category, severity]
    [lic_class, lic_severity] = LICENSE_CORRECTIONS[lic_name]
except KeyError:  # license name not found in dictionary of "known unknowns"
    pass  # leave category and severity unchanged
```
(One should probably also edit the license name into a normalized form, when it's unambiguous ("Apache 2" => "Apache-2.0"). I haven't implemented that yet because in my primary use case I pretty much only care about the severity, but my dictionary code already lists the SPDX identifier of each license, in comments.)
Target: Filesystem
Scanner: License
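An added example, not Trivy's code and not the poster's attached dictionary, showing the lookup the post describes in Go, the language of pkg/licensing/normalize.go. It canonicalizes a raw license name (case, punctuation, filler words such as "License" and "Version", and a "v" before a version digit), maps it to an SPDX identifier through a constructed alias table, and attaches a category and severity. The alias table, the category and severity labels, and the function names are all assumptions for illustration and are not Trivy's own tables. Bare "BSD" is deliberately absent from the table so that an ambiguous name falls through as unknown, which is the caveat the post raises about normalizing only when the mapping is unambiguous; the index builder also refuses to start if two SPDX IDs collapse onto the same key.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// License is the normalized result. Category and severity labels below are
// assumed for this example and are not taken from Trivy.
type License struct {
	SPDX     string
	Category string
	Severity string
}

// Constructed alias table: each SPDX ID with free-form spellings that package
// metadata commonly uses. Ambiguous names such as bare "BSD" or "GPL" are
// intentionally left out so they stay unknown.
var aliases = map[string][]string{
	"MIT":          {"MIT License", "Expat"},
	"Apache-2.0":   {"Apache 2", "Apache 2.0", "Apache License 2.0", "Apache License, Version 2.0", "ASL 2.0"},
	"BSD-3-Clause": {"BSD 3-Clause", "New BSD", "Modified BSD"},
	"CPL-1.0":      {"CPL", "Common Public License"},
	"GPL-3.0-only": {"GPL-3.0", "GPLv3", "GNU General Public License v3"},
}

// Assumed category per SPDX ID and severity per category (illustrative).
var category = map[string]string{
	"MIT": "notice", "Apache-2.0": "notice", "BSD-3-Clause": "notice",
	"CPL-1.0": "reciprocal", "GPL-3.0-only": "restricted",
}
var severity = map[string]string{
	"notice": "LOW", "reciprocal": "MEDIUM", "restricted": "HIGH", "forbidden": "CRITICAL",
}

var (
	noiseWords = regexp.MustCompile(`\b(the|license|licence|version)\b`)
	nonAlnum   = regexp.MustCompile(`[^a-z0-9]`)
	vDigit     = regexp.MustCompile(`v([0-9])`)
)

// canonical collapses case, punctuation and filler words so that
// "MIT License", "MIT license" and "mit" all produce the same key.
func canonical(name string) string {
	s := strings.ToLower(name)
	s = noiseWords.ReplaceAllString(s, " ")
	s = nonAlnum.ReplaceAllString(s, "")
	return vDigit.ReplaceAllString(s, "$1")
}

// buildIndex derives the lookup table from the alias list (the SPDX ID itself
// is always an alias) and fails if two SPDX IDs collide on one key.
func buildIndex() (map[string]string, error) {
	index := make(map[string]string)
	for spdx, names := range aliases {
		for _, n := range append([]string{spdx}, names...) {
			key := canonical(n)
			if prev, dup := index[key]; dup && prev != spdx {
				return nil, fmt.Errorf("alias %q maps to both %s and %s", n, prev, spdx)
			}
			index[key] = spdx
		}
	}
	return index, nil
}

// Normalize returns the SPDX ID, category and severity for a raw license
// string; the bool is false when the name is not in the "known unknowns" table,
// in which case the raw name is kept and category/severity stay unknown.
func Normalize(index map[string]string, raw string) (License, bool) {
	spdx, ok := index[canonical(raw)]
	if !ok {
		return License{SPDX: raw, Category: "unknown", Severity: "UNKNOWN"}, false
	}
	cat := category[spdx]
	return License{SPDX: spdx, Category: cat, Severity: severity[cat]}, true
}

func main() {
	index, err := buildIndex()
	if err != nil {
		panic(err)
	}
	// Constructed sample inputs of the kind the post describes.
	for _, raw := range []string{"MIT License", "MIT license", "Apache 2", "CPL", "GPLv3", "BSD"} {
		lic, ok := Normalize(index, raw)
		fmt.Printf("%-14q -> %-13s %-10s %-8s known=%v\n", raw, lic.SPDX, lic.Category, lic.Severity, ok)
	}
}
```

The alias list, not the canonicalizer, is where the judgment lives: canonicalization only removes spelling noise, and every mapping to an SPDX ID is an explicit, reviewable entry, so a name the table does not list is never guessed.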