Team

In generating SBOMs, I am encountering a lot of issues with licence
information obtained from either ecosystem metadata or actual source files;
most do not appear to be using SPDX license identifiers. If I report the
actual licence text then the generated SBOM is invalid; however, reporting
it as NOASSERTION or NONE doesn’t seem correct because the author has made
some attempt at identifying the license, albeit incorrectly.

What is the correct behaviour when an invalid license is detected?

Regards

Anthony Harrison


View/Reply Online (#5040): https://lists.spdx.org/g/Spdx-tech/message/5040