Support SPDX license expressions in License Compliance (scanning & approval)
Release notes
Problem to solve
Right now, SPDX license expressions and composite licenses aren't supported when detecting the licenses of project dependencies or when applying license policies.
In particular, there's no distinction between these two cases:
- Conjunctive "AND" Operator: all licenses must be approved
- Disjunctive "OR" Operator: any license can be approved
SPDX license expression syntax v2.0 is supported by npm.
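The distinction above (every operand of AND must be approved, any operand of OR is enough) is what a policy engine has to encode. The following is an added example, not GitLab's code: a small Ruby parser and evaluator for SPDX v2 license expressions that decides whether a composite license is approved against an allowlist. The allowlist and expressions are constructed sample data; the `SpdxExpression` class and its methods are hypothetical names chosen for this illustration.

```ruby
require 'set'

# Added example (not GitLab's code): evaluate an SPDX license expression
# against an allowlist of approved license identifiers.
#
# Grammar (SPDX v2, simplified; AND binds tighter than OR):
#   expr   := term ( 'OR' term )*
#   term   := factor ( 'AND' factor )*
#   factor := '(' expr ')' | LICENSE ( 'WITH' EXCEPTION )?
class SpdxExpression
  Node = Struct.new(:op, :left, :right) # op is :and or :or; leaves are Strings

  TOKEN = /\(|\)|[A-Za-z0-9.\-+]+/

  def initialize(text)
    @tokens = text.scan(TOKEN)
    @pos = 0
    @ast = parse_or
    raise ArgumentError, "unexpected token #{peek.inspect}" unless peek.nil?
  end

  # True when every AND operand and at least one OR operand is allowed.
  def approved?(allowlist)
    evaluate(@ast, Set.new(allowlist))
  end

  # Flat list of the license identifiers that appear in the expression.
  def licenses
    collect(@ast)
  end

  private

  def peek
    @tokens[@pos]
  end

  def advance
    tok = @tokens[@pos]
    @pos += 1
    tok
  end

  def parse_or
    node = parse_and
    while peek&.casecmp?("OR")
      advance
      node = Node.new(:or, node, parse_and)
    end
    node
  end

  def parse_and
    node = parse_factor
    while peek&.casecmp?("AND")
      advance
      node = Node.new(:and, node, parse_factor)
    end
    node
  end

  def parse_factor
    tok = advance
    raise ArgumentError, "unexpected end of expression" if tok.nil?
    if tok == "("
      node = parse_or
      raise ArgumentError, "missing ')'" unless advance == ")"
      return node
    end
    raise ArgumentError, "unexpected token #{tok.inspect}" if %w[AND OR WITH ) (].include?(tok.upcase)
    # "License WITH Exception" is treated as a single leaf identifier.
    if peek&.casecmp?("WITH")
      advance
      exception = advance
      raise ArgumentError, "missing exception after WITH" if exception.nil?
      tok = "#{tok} WITH #{exception}"
    end
    tok
  end

  def evaluate(node, allowed)
    return allowed.include?(node) if node.is_a?(String)
    left = evaluate(node.left, allowed)
    right = evaluate(node.right, allowed)
    node.op == :and ? (left && right) : (left || right)
  end

  def collect(node)
    return [node] if node.is_a?(String)
    collect(node.left) + collect(node.right)
  end
end

# Constructed sample policy: only these identifiers are approved.
SAMPLE_ALLOWLIST = ["MIT", "Apache-2.0", "BSD-3-Clause"].freeze

# Decide for a batch of constructed dependency license strings.
def check_dependencies(expressions, allowlist = SAMPLE_ALLOWLIST)
  expressions.to_h { |e| [e, SpdxExpression.new(e).approved?(allowlist)] }
end

if __FILE__ == $PROGRAM_NAME
  check_dependencies(["MIT OR GPL-3.0-only", "MIT AND GPL-3.0-only"]).each do |expr, ok|
    puts "#{expr.ljust(40)} #{ok ? 'approved' : 'blocked'}"
  end
end
```

Parsing into a tree rather than matching the whole string against the allowlist is the point: `MIT OR GPL-3.0-only` is approvable while `MIT AND GPL-3.0-only` is not, and parentheses and precedence decide which operator applies to which licenses.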
Proposal
- Update the external license DB detection capabilities to support composite licenses
- Update the SBOM License Scanner and related data store in the rails platform to support composite licenses
- Update License Approval Policies to define and apply policies compatible with composite licenses (to be addressed in Spike: Update security policies to support comp... (#424827))