On 03. 03. 24 at 20:22, Philippe Ombredanne wrote:
> It is mostly based on google/licenseclassifier which had a single
> commit in the last 17 months, and this means this is not more
> maintained than askalono (and frankly both are fairly lightweight
> tools for license detection). Trivy adds SPDX expression parsing on
> top of the google/licenseclassifier and that's it. I would not rely on
> these for anything serious and certainly not to scan code for license
> prior to its inclusion in Fedora.

On the other hand, you can have custom config

https://aquasecurity.github.io/trivy/v0.49/docs/scanner/license/#custom-classification

and we can easily generate config for trivy from fedora-license-data. So you will have classification specifically for Fedora.


> If you want robust license detection, consider using ScanCode [2] and
> Scancode.io [3] for more complex pipelines. Both are tools that I
> co-maintain and are considered as better tools for this. Do not
> hesitate to reach out for help!

*nod*

It would be welcome if anyone can help Robert here:
https://bugzilla.redhat.com/show_bug.cgi?id=2235055

--
Miroslav Suchy, RHCA
Red Hat, Manager, Packit and CPT, #brno, #fedora-buildsys