I can only speak to what my understanding of SPDX 2.x is. However, before getting to that, I would ask exactly what you mean by "invalid licenses"? Are these files that have some license text that a tool cannot understand? Are these files that declare licenses something like "WTFPL+" that doesn't match the official SPDX license list?
In SPDX 2.x, there is an "OtherLicenses" section which is used for (as I understand it) licenses that are not "official SPDX licenses", where you can include text and other information and reference these from other SPDX elements. If a tool encounters what it believes to be license information, but it isn't an official SPDX license value, these can be included in the "OtherLicenses" section. Does this answer your question? Cheers, -Keith On Thu, Mar 16, 2023 at 2:41 PM Anthony Harrison < [email protected]> wrote: > Team > > In generating SBOMs, I am encountering a lot of issues with licence > information obtained from either ecosystem meta data or actual source files > most do not appear to be using SPDX license identifiers. If I report the > actual licence text then the generated SBOM is invalid; however reporting > it as NOSASSERTION or NONE doesn’t seem correct because the author has made > some attempt at identifying the license albeit incorrectly. > > What is the correct behaviour when an invalid license is detected? > > Regards > > Anthony Harrison > > > -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#5041): https://lists.spdx.org/g/Spdx-tech/message/5041 Mute This Topic: https://lists.spdx.org/mt/97657161/21656 Group Owner: [email protected] Unsubscribe: https://lists.spdx.org/g/Spdx-tech/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
