Comments (5)
Yes, Dependency-Track will eventually support SPDX license expressions. Currently it's limited to a single SPDX ID, or an unresolved license name. IMO, I would leave the current Rust implementation as-is, because it's outputting exactly what it should be.
from cyclonedx-rust-cargo.
@UgniusV DT supports SPDX license IDs, but does not currently support SPDX license expressions. Refer to DependencyTrack/dependency-track#170 for updates. PRs are also welcome :-)
I'll let the maintainers comment on the implementation differences, but Dependency Track does not currently support expressions or evidence, only license id and name.
Hello! Thank you for opening an issue. We output licenses as expressions, because the Cargo manifest format definition of the license field indicates that it will be an SPDX license expression. The Rust community tends to default to MIT OR Apache-2.0 by community convention, so this field will probably rarely be a single license.
@stevespringett is there a plan for Dependency Track to support license expressions?
We could probably use something like the spdx crate to parse the expression into individual licenses and emit a single license where possible as a compatibility solution, but we might not be able to handle complex SPDX expressions (e.g. ones containing AND, OR, or WITH clauses).
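The compatibility fallback sketched in the comment above, as an added example that is not code from cyclonedx-rust-cargo: a hand-written tokenizer stands in for the spdx crate, and the names LicenseChoice, classify and license_ids are assumed for illustration. It collapses an expression to a single id only when exactly one distinct license id appears and no WITH exception clause is present; everything else stays an expression that Dependency-Track cannot yet ingest.

```rust
// Added example, not cyclonedx-rust-cargo code: decide whether a Cargo
// `license` SPDX expression can be emitted as one license id (which
// Dependency-Track accepts) or must stay an expression. Hand-written
// tokenizer standing in for the `spdx` crate.
#[derive(Debug, PartialEq)]
pub enum LicenseChoice {
    Id(String),         // exactly one license id, e.g. "MIT"
    Expression(String), // AND / OR / WITH that cannot collapse to one id
}

/// Tokenize, keeping parentheses separate and treating the legacy Cargo
/// slash form ("MIT/Apache-2.0") as OR.
fn tokens(expr: &str) -> Vec<String> {
    expr.replace('/', " OR ").replace('(', " ( ").replace(')', " ) ")
        .split_whitespace().map(str::to_string).collect()
}

/// Distinct license ids, sorted; exception names after WITH are skipped
/// because they are not license ids.
pub fn license_ids(expr: &str) -> Vec<String> {
    let mut ids = Vec::new();
    let mut after_with = false;
    for tok in tokens(expr) {
        match tok.as_str() {
            "(" | ")" | "AND" | "OR" => after_with = false,
            "WITH" => after_with = true,
            _ if after_with => after_with = false, // exception name
            id => ids.push(id.to_string()),
        }
    }
    ids.sort();
    ids.dedup();
    ids
}

/// One distinct id and no exception clause ("MIT", "(MIT)", "MIT OR MIT")
/// collapses to that id; anything else is kept verbatim as an expression.
pub fn classify(expr: &str) -> LicenseChoice {
    let has_with = tokens(expr).iter().any(|t| t.as_str() == "WITH");
    let ids = license_ids(expr);
    if !has_with && ids.len() == 1 {
        LicenseChoice::Id(ids[0].clone())
    } else {
        LicenseChoice::Expression(expr.trim().to_string())
    }
}
```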
Great, thanks for the information! Is there any ETA for when DT adds SPDX license support?