On 03. 03. 24 at 20:22 Philippe Ombredanne wrote:
It is mostly based on google/licenseclassifier which had a single commit in the last 17 months, and this means this is not more maintained than askalono (and frankly both are fairly lightweight tools for license detection). Trivy adds SPDX expression parsing on top of the google/licenseclassifier and that's it. I would not rely on these for anything serious and certainly not to scan code for license prior to its inclusion in Fedora.
On the other hand, you can have custom config
https://aquasecurity.github.io/trivy/v0.49/docs/scanner/license/#custom-classification
and we can easily generate config for trivy from
fedora-license-data. So you will have classification specifically
for Fedora.
If you want robust license detection, consider using ScanCode [2] and Scancode.io [3] for more complex pipelines. Both are tools that I co-maintain and are considered better tools for this. Do not hesitate to reach out for help!
*nod*
It would be welcome if anyone can help Robert here:
https://bugzilla.redhat.com/show_bug.cgi?id=2235055
-- Miroslav Suchy, RHCA Red Hat, Manager, Packit and CPT, #brno, #fedora-buildsys
-- 
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue