Hi Anthony,

 

My suggestion is to report the license as stated in the Declared License
<https://spdx.github.io/spdx-spec/v2.3/package-information/#715-declared-license-field>
property, even though invalid, and use either NOASSERTION or (better yet) the
correct license in the Concluded License
<https://spdx.github.io/spdx-spec/v2.3/package-information/#713-concluded-license-field>
field. I would also recommend adding a comment in the Comments on License
Field
<https://spdx.github.io/spdx-spec/v2.3/package-information/#716-comments-on-license-field>
explaining the error.

Hope that helps,

Gary
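
Gary's suggestion in code, as an added example that is not part of this thread and not SPDX project code: the declared string is kept as found in the package metadata, the concluded field gets NOASSERTION or a license identified by review, and the mismatch is recorded in the license comment. The identifier sets are a constructed subset standing in for the full SPDX license list, and the expression check is deliberately simplified (AND/OR/parentheses, `+` and `WITH` only).

```python
import re
from typing import Dict, Optional

# Constructed subset of SPDX identifiers standing in for the full license list
# (https://spdx.org/licenses/); a real generator would load the whole list.
KNOWN_LICENSE_IDS = {"MIT", "Apache-2.0", "BSD-3-Clause", "GPL-2.0-only", "GPL-2.0-or-later"}
KNOWN_EXCEPTION_IDS = {"Classpath-exception-2.0"}

# Splits an expression on AND / OR operators and parentheses, leaving operands.
_OPERATOR_RE = re.compile(r"\s+(?:AND|OR)\s+|[()]")


def is_valid_spdx_expression(expr: str) -> bool:
    """Simplified check: every operand must be a known license id, optionally
    with a trailing '+' or a 'WITH <known exception>' clause."""
    expr = expr.strip()
    if expr in ("NOASSERTION", "NONE"):
        return True
    operands = [t.strip() for t in _OPERATOR_RE.split(expr) if t.strip()]
    if not operands:
        return False
    for operand in operands:
        license_id, _, exception_id = operand.partition(" WITH ")
        if exception_id and exception_id not in KNOWN_EXCEPTION_IDS:
            return False
        if license_id.rstrip("+") not in KNOWN_LICENSE_IDS:
            return False
    return True


def package_license_fields(declared: str, concluded: Optional[str] = None) -> Dict[str, str]:
    """Build the SPDX 2.3 package license fields: the declared value is kept as
    found in the metadata, the concluded field gets NOASSERTION or the license
    identified by review, and a comment explains any mismatch."""
    declared = declared.strip() or "NOASSERTION"
    if concluded is not None and not is_valid_spdx_expression(concluded):
        raise ValueError(f"concluded license is not a valid SPDX expression: {concluded!r}")
    fields = {"PackageLicenseDeclared": declared}
    if is_valid_spdx_expression(declared):
        fields["PackageLicenseConcluded"] = concluded or declared
        return fields
    fields["PackageLicenseConcluded"] = concluded or "NOASSERTION"
    outcome = "set after manual review" if concluded else "left as NOASSERTION pending review"
    fields["PackageLicenseComments"] = (
        f"<text>Declared license {declared!r} is not a valid SPDX license "
        f"expression; concluded license {outcome}.</text>"
    )
    return fields
```

Note that a strict validator will still flag the non-SPDX string in PackageLicenseDeclared; the point of the comment field is to make that deliberate rather than accidental.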

 

From: [email protected] <[email protected]> On Behalf Of Anthony Harrison
Sent: Thursday, March 16, 2023 11:41 AM
To: [email protected]
Subject: [spdx-tech] Handling invalid licenses

 

Team

 

In generating SBOMs, I am encountering a lot of issues with licence information
obtained from either ecosystem metadata or actual source files; most do not
appear to be using SPDX license identifiers. If I report the actual licence
text then the generated SBOM is invalid; however, reporting it as NOASSERTION
or NONE doesn't seem correct because the author has made some attempt at
identifying the license, albeit incorrectly.

 

What is the correct behaviour when an invalid license is detected?

 

Regards

 

Anthony Harrison





View/Reply Online (#5043): https://lists.spdx.org/g/Spdx-tech/message/5043