Closed jkowalleck closed 6 months ago
This tool does not collect license evidence, nor does it analyze it. All it does is collect the licenses as declared in package manifest files.
Therefore, the licenses should be marked as "declared", which is possible since CycloneDX 1.6. See the docs: https://cyclonedx.org/docs/1.6/json/#components_items_licenses_oneOf_i0_items_license_acknowledgement
Depends on https://github.com/CycloneDX/cyclonedx-javascript-library/issues/1051
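An added example (not part of the original issue, and not code from this tool or from cyclonedx-javascript-library) of what the requested marking looks like on a CycloneDX 1.6 JSON document: `acknowledgement` is set to `declared` on license entries that lack it, and an existing value such as `concluded` is left untouched. The helper name `markLicensesDeclared` and the sample BOM are assumptions constructed for illustration.

```javascript
// Constructed sample BOM fragment; component names and licenses are made up.
const sampleBom = {
  bomFormat: 'CycloneDX',
  specVersion: '1.6',
  components: [
    { type: 'library', name: 'pkg-a', licenses: [{ license: { id: 'MIT' } }] },
    { type: 'library', name: 'pkg-b', licenses: [{ expression: '(MIT OR Apache-2.0)' }] },
    {
      type: 'library',
      name: 'pkg-c',
      // Already reviewed by a human or scanner: must not be downgraded.
      licenses: [{ license: { id: 'ISC', acknowledgement: 'concluded' } }],
      components: [
        { type: 'library', name: 'pkg-c-nested', licenses: [{ license: { name: 'Custom' } }] }
      ]
    },
    { type: 'library', name: 'pkg-d' } // manifest declared no license
  ]
}

// Hypothetical helper: mutates the BOM and returns how many entries were newly marked.
function markLicensesDeclared (bom) {
  const [major, minor] = String(bom.specVersion).split('.').map(Number)
  if (major === 1 && minor < 6) {
    // The acknowledgement field does not exist before CycloneDX 1.6.
    throw new RangeError(`acknowledgement requires CycloneDX >= 1.6, got ${bom.specVersion}`)
  }
  let marked = 0
  const visit = (component) => {
    for (const entry of component.licenses ?? []) {
      // Named / SPDX-id licenses carry the field under `license`;
      // SPDX expressions carry it on the entry itself.
      const target = entry.license ?? (entry.expression !== undefined ? entry : undefined)
      if (target !== undefined && target.acknowledgement === undefined) {
        target.acknowledgement = 'declared'
        marked++
      }
    }
    for (const child of component.components ?? []) visit(child)
  }
  if (bom.metadata?.component) visit(bom.metadata.component)
  for (const component of bom.components ?? []) visit(component)
  return marked
}
```

Consumers of the resulting SBOM can then tell manifest-declared licenses apart from ones that were concluded through analysis.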