pilosus / pip-license-checker

Check license types for third-party dependencies: permissive, copyleft, proprietary, etc.
https://blog.pilosus.org/posts/2021/09/07/pip-license-checker/

Use SPDX license identifiers #85

Open pilosus opened 3 years ago

pilosus commented 3 years ago

We must adopt the SPDX License List, because SPDX license identifiers are precise, unambiguous, short and are being adopted little by little (see more details).

The exact matching with the SPDX id means the exact license name and version, which in turn means the exact license type. SPDX id exact matching must be a prioritized way of license name/type detection with the fallback to existing heuristics.

Having an unambiguous license identifier means that in addition to excluding licenses with the --exclude-license REGEX option we could also exclude licenses by predefined identifiers.

Preliminary TODO

  1. Introduce SPDX ids map (Clojure's keyword to a string holding a SPDX id)
  2. Introduce a mapping SPDX id to License type (public domain, permissive, weak/strong/network copyleft, proprietary, etc.)
  3. Revise existing regex (PCRE) to match a license's SPDX id, instead of a license type. See SPDX matching guidelines

     PCRE -> SPDX id -> License type

  4. Include SPDX id in the report's output (sure enough, only free/libre/open-source licenses are expected to have an SPDX id, others should get an NA or equivalent)

| Package           | License Name                               | License ID                | License Type   |
|-------------------|--------------------------------------------|---------------------------|----------------|
| package1:0.1.2    | Apache 2.0 License                         | Apache-2.0                | Permissive     |
| package2:3.141592 | GNU General Public License v2 or any later | GPL-2.0-or-later          | StrongCopyleft |
| package3:21.09    | Other/Proprietary License (EULA)           | NA                        | Other          |
| package4          | GPL-3.0 Linking Exception                  | GPL-3.0-linking-exception | WeakCopyleft   |
| package5:2.19.2   | null                                       | NA                        | Error          |

Could be, possibly, an optional column turned on/off with the option flag?

  5. Introduce --exclude-license-id option to exclude by SPDX id
  6. Introduce --fail-license-id option to fail if a package with the provided license SPDX id is found
  7. Introduce stats for SPDX ids found with --stats-by-license-id option
  8. (breaking change) Change --with-totals to --stats-by-license-type to provide stats for license types found a
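The detection pipeline sketched in the TODO above (exact SPDX id match first, PCRE heuristics as fallback, then SPDX id -> license type, plus the proposed exclude/fail/stats options) as an added, self-contained Clojure example. This is not pip-license-checker's own code: the license-type names, the small id/type tables, the regexes, the sample packages and the way the `--exclude-license-id`, `--fail-license-id` and `--stats-by-*` options are modelled are all constructed for illustration.

```clojure
(ns spdx-detect
  (:require [clojure.string :as str]))

;; Added example, not the project's code. Tables, regexes and sample
;; packages below are constructed for illustration only.

;; Step 2 of the TODO: SPDX id -> license type (a handful of ids only).
(def spdx-id->type
  {"MIT"               "Permissive"
   "BSD-3-Clause"      "Permissive"
   "Apache-2.0"        "Permissive"
   "LGPL-2.1-or-later" "WeakCopyleft"
   "GPL-2.0-or-later"  "StrongCopyleft"
   "GPL-3.0-only"      "StrongCopyleft"
   "AGPL-3.0-or-later" "NetworkCopyleft"
   "Unlicense"         "PublicDomain"})

;; Step 3 of the TODO: heuristics, PCRE -> SPDX id.
;; Order matters: the first matching pattern wins, so put specific ones first.
(def name->spdx-id
  [[#"(?i)apache.*2"                                                          "Apache-2.0"]
   [#"(?i)affero|\bAGPL"                                                      "AGPL-3.0-or-later"]
   [#"(?i)lesser general public|\bLGPL"                                       "LGPL-2.1-or-later"]
   [#"(?i)general public license v?2.*(or (any )?later|\+)|GPL-?2\+|GPLv2\+"  "GPL-2.0-or-later"]
   [#"(?i)general public license v?3|\bGPL-?3|GPLv3"                          "GPL-3.0-only"]
   [#"(?i)\bBSD\b"                                                            "BSD-3-Clause"]
   [#"(?i)\bMIT\b"                                                            "MIT"]
   [#"(?i)unlicense"                                                          "Unlicense"]])

(defn exact-spdx-id
  "Prioritized path: the metadata value already is a known SPDX id."
  [license-name]
  (let [id (str/trim license-name)]
    (when (contains? spdx-id->type id) id)))

(defn heuristic-spdx-id
  "Fallback path: first regex that matches the free-text name wins."
  [license-name]
  (some (fn [[re id]] (when (re-find re license-name) id)) name->spdx-id))

(defn detect-license
  "Return {:id SPDX-id-or-NA :type license-type}. Exact id match is tried
   first, regex heuristics second; unknown names get Other, missing names Error."
  [license-name]
  (if (str/blank? license-name)
    {:id "NA" :type "Error"}
    (if-let [id (or (exact-spdx-id license-name) (heuristic-spdx-id license-name))]
      {:id id :type (spdx-id->type id)}
      {:id "NA" :type "Other"})))

;; Step 4 of the TODO: one report row with the extra License ID column.
(defn report-row [{:keys [package license]}]
  (merge {:package package :license (or license "null")} (detect-license license)))

;; Constructed sample input standing in for package metadata from PyPI.
(def packages
  [{:package "package1:0.1.2"    :license "Apache 2.0 License"}
   {:package "package2:3.141592" :license "GNU General Public License v2 or any later"}
   {:package "package3:21.09"    :license "Other/Proprietary License (EULA)"}
   {:package "package4:1.0"      :license "MIT"}
   {:package "package5:2.19.2"   :license nil}])

(def rows (map report-row packages))

;; --exclude-license-id: drop rows whose SPDX id is in the exclusion set.
(defn exclude-by-id [excluded rows]
  (remove #(contains? excluded (:id %)) rows))

;; --fail-license-id: true when any row carries a forbidden SPDX id.
(defn fail-on-id? [forbidden rows]
  (boolean (some #(contains? forbidden (:id %)) rows)))

;; --stats-by-license-id / --stats-by-license-type: counts per column.
(defn stats-by [column rows]
  (frequencies (map column rows)))

(defn -main []
  (doseq [r rows]
    (println (format "%-18s %-45s %-18s %s" (:package r) (:license r) (:id r) (:type r))))
  (println "by id:  " (stats-by :id rows))
  (println "by type:" (stats-by :type rows))
  (println "without GPL-2.0-or-later:" (count (exclude-by-id #{"GPL-2.0-or-later"} rows)))
  (println "fail?" (fail-on-id? #{"GPL-2.0-or-later"} rows)))
```

With the constructed input, `package4` takes the exact-match path (its metadata is literally `MIT`), `package1` and `package2` fall through to the regexes, `package3` ends up as `NA`/`Other`, and `package5` as `NA`/`Error`; `fail-on-id?` returns true because of `package2`. Note that an SPDX exception id such as `GPL-3.0-linking-exception` is not a license id and would need its own table entry rather than the `GPL-?3` heuristic, which is why it is left out of the sample.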
pilosus commented 3 years ago

NB: SPDX got a dedicated page for tooling supporting SPDX license ids. May be worth contacting