Open xnox opened 6 months ago
Description
Please add a new lint check. Use a license detector (for example https://github.com/go-enry/go-license-detector/tree/master) to detect the SPDX license of a given package.
Compare it to the declared SPDX license, and raise a warning if they mismatch.
Allow humans to fix the license to match the detected one, or override the lint check with #nolint in case of confusing / undetectable licensing.
Real world example on a large code base
$ time license-detector /tmp/gcc-13.2.0
/tmp/gcc-13.2.0
	99%	GCC-exception-3.1
	99%	LGPL-2.1-only
	99%	deprecated_LGPL-2.1
	99%	LGPL-2.1-or-later
	99%	deprecated_LGPL-2.1+
	98%	deprecated_GPL-3.0-with-GCC-exception
	97%	deprecated_GPL-2.0+
	97%	GPL-2.0-or-later
	97%	GPL-2.0-only
	97%	deprecated_GPL-2.0

real	0m4.400s
user	0m5.240s
sys	0m0.171s
Declared license in the package
$ git grep license gcc.yaml
gcc.yaml:    - license: GPL-3.0-or-later
Which is incorrect.
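As an added illustration of the proposed check (example code written for this issue, not part of the project or of go-license-detector), the Go program below parses detector output of the shape shown above, extracts the `license:` entries from a package YAML, normalises the deprecated SPDX identifiers the detector still prints so they compare equal to current ones, and flags a package whose declared license is not among the confident detections. The detector output and YAML fragment are constructed samples modelled on the gcc run above; the `#nolint` marker syntax, the copyright list layout, the 95% confidence threshold and the small normalisation table (prefix strip, `+` to `-or-later`, bare GPL-family ids to `-only`) are assumptions, and compound SPDX expressions (`A AND B`) are not parsed.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strconv"
	"strings"
)

// Constructed sample of license-detector output, modelled on the gcc-13.2.0
// run in the issue: one path header, then confidence/identifier rows.
const sampleDetectorOutput = `/tmp/gcc-13.2.0
	99%	GCC-exception-3.1
	99%	LGPL-2.1-only
	99%	deprecated_LGPL-2.1
	99%	LGPL-2.1-or-later
	99%	deprecated_LGPL-2.1+
	98%	deprecated_GPL-3.0-with-GCC-exception
	97%	deprecated_GPL-2.0+
	97%	GPL-2.0-or-later
	97%	GPL-2.0-only
	97%	deprecated_GPL-2.0
`

// Constructed package YAML; the copyright list layout is an assumption and
// only the `license:` entries are read.
const samplePackageYAML = `package:
  name: gcc
  version: 13.2.0
  copyright:
    - license: GPL-3.0-or-later
`

// Match is one confidence/identifier row of detector output.
type Match struct {
	Confidence int
	License    string
}

// Result is what the lint check reports for one package.
type Result struct {
	Declared []string // identifiers found in the YAML, as written
	Detected []string // normalised identifiers at/above the threshold, sorted
	Mismatch bool     // no declared license appears among the detections
	Skipped  bool     // a #nolint marker suppressed the check
}

var (
	detectorRow   = regexp.MustCompile(`^\s*(\d+)%\s+(\S+)\s*$`)
	licenseEntry  = regexp.MustCompile(`^\s*-?\s*license:\s*(\S+)`)
	nolintMarker  = regexp.MustCompile(`#\s*nolint\b`) // assumed marker syntax
	bareGPLFamily = regexp.MustCompile(`^[AL]?GPL-\d+\.\d+$`)
)

// ParseDetectorOutput keeps the rows and skips path headers and blank lines.
func ParseDetectorOutput(out string) []Match {
	var rows []Match
	for _, line := range strings.Split(out, "\n") {
		if m := detectorRow.FindStringSubmatch(line); m != nil {
			c, _ := strconv.Atoi(m[1]) // \d+ guarantees a parseable integer
			rows = append(rows, Match{Confidence: c, License: m[2]})
		}
	}
	return rows
}

// NormalizeSPDX maps deprecated identifiers onto current SPDX ids:
// "deprecated_GPL-2.0+" -> "GPL-2.0-or-later", "deprecated_LGPL-2.1" ->
// "LGPL-2.1-only". Compound ids like GPL-3.0-with-GCC-exception only lose the prefix.
func NormalizeSPDX(id string) string {
	id = strings.TrimPrefix(id, "deprecated_")
	if strings.HasSuffix(id, "+") {
		return strings.TrimSuffix(id, "+") + "-or-later"
	}
	if bareGPLFamily.MatchString(id) {
		return id + "-only"
	}
	return id
}

// DeclaredLicenses returns every `license:` value in the package YAML.
func DeclaredLicenses(yaml string) []string {
	var ids []string
	for _, line := range strings.Split(yaml, "\n") {
		if m := licenseEntry.FindStringSubmatch(line); m != nil {
			ids = append(ids, m[1])
		}
	}
	return ids
}

// CheckLicense is the proposed lint: warn when none of the declared licenses
// is among the confident detections, unless the YAML carries #nolint.
func CheckLicense(yaml, detectorOut string, minConfidence int) Result {
	r := Result{Declared: DeclaredLicenses(yaml), Skipped: nolintMarker.MatchString(yaml)}
	seen := map[string]bool{}
	for _, m := range ParseDetectorOutput(detectorOut) {
		if id := NormalizeSPDX(m.License); m.Confidence >= minConfidence && !seen[id] {
			seen[id] = true
			r.Detected = append(r.Detected, id)
		}
	}
	sort.Strings(r.Detected)
	if r.Skipped {
		return r
	}
	r.Mismatch = true
	for _, d := range r.Declared {
		if seen[NormalizeSPDX(d)] {
			r.Mismatch = false
		}
	}
	return r
}

func main() {
	r := CheckLicense(samplePackageYAML, sampleDetectorOutput, 95)
	fmt.Printf("declared: %v\ndetected: %v\n", r.Declared, r.Detected)
	if r.Mismatch {
		fmt.Println("WARNING: declared license not found among detected licenses")
	}
}
```

Run against the constructed gcc sample the check warns, because `GPL-3.0-or-later` is not among the six normalised detections (GCC-exception-3.1, GPL-2.0-only, GPL-2.0-or-later, GPL-3.0-with-GCC-exception, LGPL-2.1-only, LGPL-2.1-or-later); declaring `GPL-2.0-or-later` instead, or adding the `#nolint` marker, silences it.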
Oh, it can work on git repos too.... I wonder if I can just run that tool across all of wolfi and generate a report.