fix(spdx): use `hasExtractedLicensingInfos` for licenses not in the SPDX license list #7721

DmitriyLewen · 2024-10-14T06:27:09Z

Description

We can only use licenses from SPDX license list in licenseConcluded and licenseDeclared fields.
For other licenses, we should create new LicenseRef-* component (see hasExtractedLicensingInfos field - https://spdx.github.io/spdx-spec/v2.3/SPDX-license-expressions/#d46-license-expressions-in-rdf) and use this component in licenseConcluded and licenseDeclared
See more details here - #7716

The text was updated successfully, but these errors were encountered:

DmitriyLewen · 2024-10-31T07:25:25Z

There are cases when we use text:// prefix for licenses.
We need to create LicenseRef-* component for these licenses and remove this prefix.

See #7829 for more details.

DmitriyLewen added the kind/bug Categorizes issue or PR as related to a bug. label Oct 14, 2024

DmitriyLewen changed the title ~~fix(spdx): use~~ fix(spdx): use hasExtractedLicensingInfos for licenses not in the SPDX license list Oct 14, 2024

knqyf263 added scan/sbom Issues relating to SBOM scan/license Issues relating to license scanning labels Oct 14, 2024