mirror of
https://github.com/anchore/syft.git
synced 2025-11-18 00:43:20 +01:00
42fa9e4965
this PR makes the following changes to update the underlying license model to have more expressive capabilities it also provides some guarantee's surrounding the license values themselves - Licenses are updated from string -> pkg.LicenseSet which contain pkg.License with the following fields: - original `Value` read by syft - If it's possible to construct licenses will always have a valid SPDX expression for downstream consumption - the above is run against a generated list of SPDX license ID to try and find the correct ID - SPDX concluded vs declared is added to the new struct - URL source for license is added to the new struct - Location source is added to the new struct to show where the expression was pulled from
40 lines
854 B
Go
40 lines
854 B
Go
package licenses
|
|
|
|
import (
|
|
"io"
|
|
|
|
"github.com/google/licensecheck"
|
|
|
|
"github.com/anchore/syft/syft/license"
|
|
"github.com/anchore/syft/syft/pkg"
|
|
"github.com/anchore/syft/syft/source"
|
|
)
|
|
|
|
const (
|
|
coverageThreshold = 75
|
|
unknownLicenseType = "UNKNOWN"
|
|
)
|
|
|
|
// Parse scans the contents of a license file to attempt to determine the type of license it is
|
|
func Parse(reader io.Reader, l source.Location) (licenses []pkg.License, err error) {
|
|
licenses = make([]pkg.License, 0)
|
|
contents, err := io.ReadAll(reader)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
cov := licensecheck.Scan(contents)
|
|
if cov.Percent < coverageThreshold {
|
|
// unknown or no licenses here?
|
|
return licenses, nil
|
|
}
|
|
|
|
for _, m := range cov.Match {
|
|
lic := pkg.NewLicenseFromLocations(m.ID, l)
|
|
lic.Type = license.Concluded
|
|
|
|
licenses = append(licenses, lic)
|
|
}
|
|
|
|
return licenses, nil
|
|
}
|