oss-review-toolkit / ort

A suite of tools to automate software compliance checks.
https://oss-review-toolkit.org
Apache License 2.0
1.6k stars 309 forks

Allow the advisor to filter packages by license classification #6081

Open sschuberth opened 1 year ago

sschuberth commented 1 year ago

Users might not want to disclose the names of (company-)internal packages in the lookup at (public) vulnerability providers. A way to address that would be to have a configurable license classification filter for the advisor, so that only packages with licenses of the configured classifications (e.g. only Open Source licenses) are being looked up at the vulnerability provider.

sschuberth commented 1 year ago

(e.g. only Open Source licenses) are being looked up at the vulnerability provider.

This specific check could be implemented way simpler by just trying to look up the license in the SPDX list.
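The two filter variants discussed in this thread, as an added stand-alone illustration (not ORT code, and not how the advisor is implemented): a classification-based filter that only forwards packages whose licenses fall into configured categories, and the simpler SPDX-list check. The category names, the truncated SPDX list and the sample packages are all constructed for the example; ORT's real license-classifications file and the full SPDX list would replace them.

```python
"""Filtering packages before an advisor lookup so that internal package
names are not sent to a public vulnerability provider.

Two modes are shown:
  1. classification filter: every license of a package must be in one of
     the configured categories (e.g. "open-source");
  2. SPDX-list filter: every license id must be on the SPDX license list.
Packages failing the filter are withheld from the request entirely.
"""
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed, minimal stand-in for the SPDX license list (the real list is far longer).
SPDX_LICENSE_IDS = {"MIT", "Apache-2.0", "BSD-3-Clause", "GPL-3.0-only", "LGPL-2.1-or-later"}

# Constructed classifications; category names are assumptions modelled on a
# license-classifications file, not ORT's shipped defaults.
LICENSE_CATEGORIES = {
    "MIT": {"open-source", "permissive"},
    "Apache-2.0": {"open-source", "permissive"},
    "GPL-3.0-only": {"open-source", "copyleft"},
    "LicenseRef-acme-proprietary": {"proprietary"},
}


@dataclass(frozen=True)
class Package:
    id: str
    declared_licenses: frozenset  # SPDX expressions as declared by the package


def split_expression(expression: str) -> set:
    """Extract license ids from a simple SPDX expression ('MIT OR (A AND B)').
    WITH clauses and exceptions are out of scope for this illustration."""
    tokens = expression.replace("(", " ").replace(")", " ").split()
    return {t for t in tokens if t.upper() not in {"AND", "OR"}}


def is_on_spdx_list(license_id: str) -> bool:
    return license_id in SPDX_LICENSE_IDS


def is_in_categories(license_id: str, allowed: set) -> bool:
    # Unclassified licenses are treated as not allowed (fail closed).
    return bool(LICENSE_CATEGORIES.get(license_id, set()) & allowed)


def select_packages_for_advisor(packages, allowed_categories: Optional[set] = None):
    """Return (to_lookup, withheld).

    With allowed_categories=None the SPDX-list check is used; otherwise the
    classification filter. Every id in an expression must pass, so a package
    declared 'MIT OR LicenseRef-internal' is withheld rather than leaked."""
    accept: Callable[[str], bool]
    if allowed_categories is None:
        accept = is_on_spdx_list
    else:
        accept = lambda lic: is_in_categories(lic, allowed_categories)

    to_lookup, withheld = [], []
    for pkg in packages:
        licenses = set().union(*(split_expression(e) for e in pkg.declared_licenses))
        # A package with no declared license cannot be shown to be public: withhold it.
        if licenses and all(accept(lic) for lic in licenses):
            to_lookup.append(pkg)
        else:
            withheld.append(pkg)
    return to_lookup, withheld


# Constructed sample packages (identifiers are made up).
SAMPLE_PACKAGES = [
    Package("Maven:org.example:public-lib:1.0", frozenset({"Apache-2.0"})),
    Package("Maven:com.acme:internal-core:2.3", frozenset({"LicenseRef-acme-proprietary"})),
    Package("NPM::mixed-pkg:0.1", frozenset({"MIT OR LicenseRef-acme-proprietary"})),
    Package("Maven:org.example:unknown-license:0.9", frozenset()),
    Package("Maven:org.example:gpl-lib:3.0", frozenset({"GPL-3.0-only"})),
]

if __name__ == "__main__":
    for mode, cats in (("spdx-list", None), ("open-source", {"open-source"}), ("permissive", {"permissive"})):
        lookup, held = select_packages_for_advisor(SAMPLE_PACKAGES, cats)
        print(mode, "->", [p.id for p in lookup], "| withheld:", len(held))
```

Both modes fail closed: a package with no declared license, or with any license id that is unclassified or not on the SPDX list, is withheld, which is the conservative choice when the goal is not disclosing internal names.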

sschuberth commented 4 months ago

Also, a more generic (script-based?) approach could be implemented that also addresses the needs of https://github.com/oss-review-toolkit/ort/issues/4892.