
Comments (6)

armintaenzertng avatar armintaenzertng commented on June 20, 2024

Hi @meer-khan, please refer to this section in the SPDX specification or the spec example. Custom licenses have to be defined separately in an SPDX document and then referenced by their LicenseRef.

from tools-python.

meer-khan avatar meer-khan commented on June 20, 2024

Hi @armintaenzertng,
I appreciate your quick response to my previous query. I would like to seek further clarification on a specific aspect of the spdx-tools library.

Could you please provide insights into how we can identify licenses that are not part of the SPDX license list? Specifically, I am looking for guidance on distinguishing licenses that require separate definition in an SPDX document and subsequent referencing through LicenseRef. Currently, when we validate the entire document using spdx-tools, warnings are generated for non-SPDX licenses. In our use case, it is crucial to ascertain which licenses fall outside the SPDX scope before initiating the package creation process. This enables us to define all non-SPDX licenses in the document upfront, facilitating a smooth progression through subsequent stages.

Your expertise on this matter would be immensely valuable, and I look forward to your guidance.


maxhbr avatar maxhbr commented on June 20, 2024

> Could you please provide insights into how we can identify licenses that are not part of the SPDX license list?

We use the library nexB/license-expression/ and that can provide you with a list of invalid names, e.g. foo in the following example:

>>> from license_expression import get_spdx_licensing
>>> licensing = get_spdx_licensing()
>>> licensing.validate('foo and MIT and GPL-2.0+')
ExpressionInfo(
    original_expression='foo and MIT and GPL-2.0+',
    normalized_expression=None,
    errors=['Unknown license key(s): foo'],
    invalid_symbols=['foo']
)

But SPDX is rather strict on that: licenses must be either from the license list or present as ExtractedLicensingInfo.

And I am also confused by CSV. There is no CSV SPDX format and the plain list format seems to be insufficient to contain the hierarchical data. Can you explain what you are doing here?

If you want to extend the tool's capabilities for your use case, I am happy to work with you on a contribution from your side for that.

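A pre-flight check built on the `validate()` call shown above, as an added example that is not part of the thread or of spdx-tools: it collects every symbol outside the SPDX license list across all declared expressions, so the matching ExtractedLicensingInfo entries can be defined before packages are created. The function names, the package names and the sample expressions are hypothetical; it assumes the `license-expression` package is installed.

```python
import re


def spdx_licensing():
    # Imported lazily: the helpers below work with any object that offers a
    # compatible validate() method.
    from license_expression import get_spdx_licensing
    return get_spdx_licensing()


def unknown_license_symbols(expressions, licensing=None):
    """Map each symbol not on the SPDX license list to the packages using it.

    `expressions` maps a package name to its declared license expression.
    """
    if licensing is None:
        licensing = spdx_licensing()
    unknown = {}
    for package, expression in expressions.items():
        info = licensing.validate(expression)
        if info.errors and not info.invalid_symbols:
            # Malformed expression: no LicenseRef can fix this, fail early.
            raise ValueError(f"{package}: {info.errors}")
        for symbol in info.invalid_symbols:
            users = unknown.setdefault(symbol, [])
            if package not in users:
                users.append(package)
    return unknown


def license_ref_id(symbol):
    """Build a LicenseRef id; the idstring allows letters, digits, '.' and '-'."""
    if symbol.startswith("LicenseRef-"):
        return symbol
    return "LicenseRef-" + re.sub(r"[^A-Za-z0-9.-]+", "-", symbol).strip("-")


def plan_extracted_licenses(expressions, licensing=None):
    """Return {original symbol: LicenseRef id} for every license to define up front."""
    unknown = unknown_license_symbols(expressions, licensing)
    return {symbol: license_ref_id(symbol) for symbol in sorted(unknown)}


if __name__ == "__main__":
    # Constructed sample input, not taken from a real project.
    declared = {"pkg-a": "foo and MIT and GPL-2.0+", "pkg-b": "Apache-2.0 or acme_eula"}
    for symbol, ref in plan_extracted_licenses(declared).items():
        print(f"{symbol} -> {ref}")
```

Each key of the returned mapping still has to be replaced by its LicenseRef id in the package's license expression once the ExtractedLicensingInfo entry exists.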

meer-khan avatar meer-khan commented on June 20, 2024

Hi @maxhbr, I would love to discuss the use case I am working on. Can you share your email? I will brief you about all the details there. And yes, I am positive that we can extend the capabilities of this tool based on my experience of working on SBOMs for clients and technical teams.


maxhbr avatar maxhbr commented on June 20, 2024

This Thursday (December 21st, 2023, 9:00am to 9:30am, (UTC-08:00) Pacific Time - Los Angeles) is the public python tools meeting. You can join there to discuss it. You should be able to see the invite in the calendar attached to the groups.io mailing list on https://spdx.dev/engage/participate/technical-team/.

These lists are also a good place for discussions.


meer-khan avatar meer-khan commented on June 20, 2024

Sure, thank you for providing me with this meeting update. I also got email addresses where I can share my experience with SBOMs in SPDX and CycloneDX.

Thanks again @maxhbr @armintaenzertng
