
SPIKE: Support SPDX license expressions in License Compliance (scanning & approval)


Timebox: 3 days


Problem to solve

SPDX license expressions provide a clear, standardized, and machine-readable way to document the licenses that apply to a piece of software, which helps users comply with open-source licensing obligations. This helps users manage legal risk, meet licensing requirements, and streamline the sharing and reuse of software components across projects and organizations.

Right now, SPDX license expressions and composite licenses aren't supported when detecting the licenses of project dependencies or when applying license approval policies.

In particular, there's no distinction between these two cases, which lead to opposite approval decisions:

  • Conjunctive "AND" operator (for example "MIT AND Apache-2.0"): the component is subject to both licenses at once, so it can only be approved if every license in the expression is approved
  • Disjunctive "OR" operator (for example "MIT OR GPL-3.0-only"): the consumer may choose either license, so the component can be approved if at least one license in the expression is approved
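As an added example (not GitLab code, and not a proposal for the data model), the following Ruby parses an SPDX license expression into a small syntax tree and evaluates it against a list of policy-approved identifiers. It implements the SPDX precedence rules (WITH binds tightest, then AND, then OR, with parentheses to override), so "MIT AND Apache-2.0 OR GPL-2.0-only" is read as "(MIT AND Apache-2.0) OR GPL-2.0-only". Assumptions of the example: operators must be upper case, license identifiers are matched case-insensitively, and a "license WITH exception" pair is only approved when the policy lists that exact combination. The policy and expressions at the bottom are constructed sample input.

```ruby
require 'set'

# Added example (not GitLab code): parse an SPDX license expression into a
# small AST and evaluate it against a license approval policy, honouring the
# SPDX precedence rules: WITH binds tightest, then AND, then OR.
module SpdxExpression
  class ParseError < StandardError; end

  TOKEN = /\(|\)|[A-Za-z0-9.\-+]+/

  def self.parse(expr)
    tokens = expr.scan(TOKEN)
    # Reject stray characters (e.g. "MIT, Apache-2.0") instead of silently dropping them.
    raise ParseError, "invalid characters in #{expr.inspect}" unless expr.gsub(/\s+/, '') == tokens.join
    raise ParseError, 'empty expression' if tokens.empty?

    ast, rest = parse_or(tokens)
    raise ParseError, "unexpected token #{rest.first.inspect}" unless rest.empty?

    ast
  end

  # OR has the lowest precedence: "a AND b OR c" parses as (a AND b) OR c.
  def self.parse_or(tokens)
    left, tokens = parse_and(tokens)
    while tokens.first == 'OR'
      right, tokens = parse_and(tokens.drop(1))
      left = [:or, left, right]
    end
    [left, tokens]
  end

  def self.parse_and(tokens)
    left, tokens = parse_with(tokens)
    while tokens.first == 'AND'
      right, tokens = parse_with(tokens.drop(1))
      left = [:and, left, right]
    end
    [left, tokens]
  end

  # WITH attaches an exception to a single license id; the pair is one unit.
  def self.parse_with(tokens)
    left, tokens = parse_primary(tokens)
    return [left, tokens] unless tokens.first == 'WITH'

    exception, tokens = parse_primary(tokens.drop(1))
    raise ParseError, 'WITH requires a license id and an exception id' unless left.is_a?(String) && exception.is_a?(String)

    [[:with, left, exception], tokens]
  end

  def self.parse_primary(tokens)
    tok = tokens.first
    raise ParseError, 'unexpected end of expression' if tok.nil?
    raise ParseError, "unexpected token #{tok.inspect}" if %w[AND OR WITH )].include?(tok)
    return [tok, tokens.drop(1)] unless tok == '('

    ast, rest = parse_or(tokens.drop(1))
    raise ParseError, 'missing closing parenthesis' unless rest.first == ')'

    [ast, rest.drop(1)]
  end

  # The flat list of license ids, i.e. what a scanner that ignores operators sees.
  def self.licenses(ast)
    return [ast] if ast.is_a?(String)
    return ["#{ast[1]} WITH #{ast[2]}"] if ast.first == :with

    licenses(ast[1]) + licenses(ast[2])
  end

  # Policy check: `approved` holds the identifiers an approval policy allows.
  # SPDX ids are matched case-insensitively. A license WITH exception is only
  # approved when the policy lists that exact combination (assumption of this example).
  def self.approved?(ast, approved)
    allowed = approved.map(&:downcase).to_set
    evaluate = lambda do |node|
      if node.is_a?(String)
        allowed.include?(node.downcase)
      else
        case node.first
        when :and  then evaluate.call(node[1]) && evaluate.call(node[2])
        when :or   then evaluate.call(node[1]) || evaluate.call(node[2])
        when :with then allowed.include?("#{node[1]} WITH #{node[2]}".downcase)
        end
      end
    end
    evaluate.call(ast)
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample policy: permissive licenses approved, copyleft ones not listed.
  policy = ['MIT', 'Apache-2.0']
  ['MIT OR GPL-3.0-only', 'MIT AND GPL-3.0-only', '(MIT AND Apache-2.0) OR GPL-2.0-only'].each do |expr|
    ast = SpdxExpression.parse(expr)
    puts "#{expr.ljust(40)} licenses=#{SpdxExpression.licenses(ast).inspect} approved=#{SpdxExpression.approved?(ast, policy)}"
  end
end
```

The contrast the issue describes is visible in the sample run: "MIT OR GPL-3.0-only" and "MIT AND GPL-3.0-only" produce the same flat list of licenses, yet only the OR form is approvable under a policy that allows MIT alone. A policy engine that stores only the flat list cannot tell them apart; it needs the tree (or at least the operator at each level) to decide correctly.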

npm supports SPDX license expression syntax v2.0 in the "license" field of package.json, so composite expressions already appear in real dependency metadata.

Proposal

  • Update the external license DB detection capabilities to support composite licenses
  • Update the SBOM License Scanner and related data store in the rails platform to support composite licenses
  • Update License Approval Policies to define and apply policies compatible with composite licenses (to be addressed in Spike: Update security policies to support comp... (#424827))

/cc @NicoleSchwartz @gonzoyumo

Edited by 🤖 GitLab Bot 🤖