Tern is a software composition analysis tool and Python library that generates a Software Bill of Materials for container images and Dockerfiles. The SBOM that Tern generates will give you a layer-by-layer view of what's inside your container in a variety of formats including human-readable, JSON, HTML, SPDX and more.
BSD 2-Clause "Simplified" License
SPDX 2.3: Update required licensing fields to optional #1180
Description
A change to the SPDX 2.3 spec made currently required licensing fields optional.

To Do
The omission of these fields, by default, now assumes a NOASSERTION value. If we want to make some of the generated docs shorter, we can omit these fields if they have a NOASSERTION value. The following fields can be excluded from generated documents if they don't have a valid license/copyright value:
Package Concluded license - 7.13 # 99.99% NOASSERTION in Tern generated docs. We can exclude in this case.
Package Declared license - 7.15 # Usually a license value is provided. If NOASSERTION, though, we can exclude listing it.
Package Copyright text - 7.17
File Concluded license - 8.5
License information in file - 8.6
File Copyright text - 8.8
Snippet Concluded license - 9.5
Snippet Copyright text - 9.8
To implement this change, we should check if a value is provided by these object descriptors. If not, do not list the field instead of printing NOASSERTION as the value.

Background
List issues for background on the task
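The following is an added example of the check the issue describes, written for this page and not taken from Tern's code base. It renders the three package-level licensing fields (the real SPDX tag-value tags PackageLicenseConcluded, PackageLicenseDeclared and PackageCopyrightText) and drops a field whose value is NOASSERTION only when the document is SPDX 2.3 or later, because SPDX 2.2 consumers still require those fields to be present. The `Package` dataclass, the version string format and the sample package are assumptions made for the example. A small reader function shows that a 2.3 consumer applying the NOASSERTION default recovers the same information from the shorter document.

```python
from dataclasses import dataclass
from typing import List, Optional

NOASSERTION = "NOASSERTION"


@dataclass
class Package:
    """Hypothetical stand-in for a package record; not Tern's own class."""
    name: str
    version: str
    license_concluded: Optional[str] = None
    license_declared: Optional[str] = None
    copyright_text: Optional[str] = None


def is_noassertion(value) -> bool:
    """True when a field carries no license/copyright information.

    NONE is a distinct, valid SPDX value (nothing was found) and is kept.
    """
    if value is None:
        return True
    if isinstance(value, (list, tuple, set)):
        return len(value) == 0 or all(is_noassertion(v) for v in value)
    text = str(value).strip()
    return text == "" or text.upper() == NOASSERTION


def fields_optional(spdx_version: str) -> bool:
    """Licensing fields became optional in SPDX 2.3 (sections 7.13, 7.15, 7.17).

    Accepts "SPDX-2.3" (the SPDXVersion tag value) or a bare "2.3".
    """
    major, minor = spdx_version.rsplit("-", 1)[-1].split(".")[:2]
    return (int(major), int(minor)) >= (2, 3)


def tag_value(tag: str, value) -> str:
    """Render one tag-value line; multi-line free text must sit in <text> tags."""
    text = str(value)
    if "\n" in text:
        return f"{tag}: <text>{text}</text>"
    return f"{tag}: {text}"


def package_license_lines(pkg: Package, spdx_version: str) -> List[str]:
    """Licensing lines for a package block.

    For SPDX 2.2 the fields are mandatory, so NOASSERTION is written out.
    For SPDX 2.3 an absent field is read as NOASSERTION, so the line is
    omitted instead, which is the shorter output the issue asks for.
    """
    fields = (
        ("PackageLicenseConcluded", pkg.license_concluded),
        ("PackageLicenseDeclared", pkg.license_declared),
        ("PackageCopyrightText", pkg.copyright_text),
    )
    optional = fields_optional(spdx_version)
    lines = []
    for tag, value in fields:
        if is_noassertion(value):
            if optional:
                continue          # omitted field means NOASSERTION in 2.3
            value = NOASSERTION   # 2.2 validators require the field
        lines.append(tag_value(tag, value))
    return lines


def package_block(pkg: Package, spdx_version: str) -> str:
    header = [f"PackageName: {pkg.name}", f"PackageVersion: {pkg.version}"]
    return "\n".join(header + package_license_lines(pkg, spdx_version))


def read_package_licenses(block: str) -> dict:
    """Consumer side: parse a package block and apply the 2.3 default so the
    result is identical whether the field was written or omitted."""
    found = {}
    for line in block.splitlines():
        tag, _, value = line.partition(": ")
        found[tag] = value
    wanted = ("PackageLicenseConcluded", "PackageLicenseDeclared", "PackageCopyrightText")
    return {tag: found.get(tag, NOASSERTION) for tag in wanted}


if __name__ == "__main__":
    # Constructed sample: declared license known, concluded/copyright not asserted.
    pkg = Package("openssl", "3.0.2", license_declared="Apache-2.0")
    print(package_block(pkg, "SPDX-2.2"))
    print("---")
    print(package_block(pkg, "SPDX-2.3"))
```

The version gate is the part worth keeping in mind when shortening documents: a generator that silently drops the fields for every SPDXVersion it emits produces files that a 2.2 validator will reject, so the omission should be tied to the version written in the document header rather than applied unconditionally.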