Description
PR #573 brought support to include license text IF the manifest has a license-file declared. Unfortunately, most libraries do not declare their license-file in the manifest but have a LICENSE, COPYING or other license file lying around in their source.
For Opensource License Compliance the exact license texts of all the dependencies should be passed on to the user of a software. It is too bad we have a beautiful SBOM but cannot really use it for this use case yet.
It would be great if there is a possibility with cargo-cyclonedx to --gather-license-texts on an empirical basis, trying to guess the license file based on the license specifier, or if not specified, searching the source for known licenses.
For similar requirements also see:
- feat: Add complete License-Text to cyclonedx bom cyclonedx-python#570
- FEAT: Option to add license text to SBOM result cyclonedx-node-npm#256
A possible helpful library to help implementing this (not further investigated) could be:
Maybe there should be applied a cascading process:
1. Take the text from license-file if declared in the manifest.
2. Try to determine the license file based on guesses and take the text if found. This could include crawling for license files within the source code of the package (askalono crawl ...). If found, also include the SPDX identifier + full text in the SBOM.
3. Try to download the license text if a valid SPDX identifier is found but no license file is found.
4. Maybe even let the user pass in SPDX specifiers or license files for purl specifiers, in a config file or on the command line, to account for all the other cases.
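The cascade described in steps 1 to 3, as an added example that is not cargo-cyclonedx's own code. Every name in it (`LicenseTexts`, `resolve_license_texts`, `discover_license_files`, the list of candidate file names) is an assumption for illustration. Step 3 is modelled as returning the SPDX expression for a later fetch stage rather than performing any download, and step 2 only looks at the package root, not subdirectories, so vendored third-party license files are not mistaken for the package's own. Dual-licensed crates with both `LICENSE-APACHE` and `LICENSE-MIT` yield both texts, since a compliance consumer needs both:

```rust
use std::fs;
use std::path::{Path, PathBuf};

/// Outcome of the cascade. Added example; the names are assumptions, not cargo-cyclonedx API.
#[derive(Debug, PartialEq)]
pub enum LicenseTexts {
    /// Step 1: the manifest's `license-file` pointed at a readable file.
    FromManifest { path: PathBuf, text: String },
    /// Step 2: one or more conventionally named files found in the package root.
    Discovered(Vec<(PathBuf, String)>),
    /// Step 3: nothing on disk, but an SPDX expression is known; a later stage may fetch the canonical text.
    SpdxOnly(String),
    /// Step 4 territory: nothing found, a user-supplied mapping is required.
    Unknown,
}

/// Hypothetical candidate names (compared case-insensitively) plus any `LICENSE-*` / `LICENCE-*` prefix,
/// so that dual-licensed `LICENSE-APACHE` / `LICENSE-MIT` pairs are both picked up.
const KNOWN_NAMES: &[&str] = &[
    "LICENSE", "LICENSE.TXT", "LICENSE.MD", "LICENCE", "COPYING", "COPYING.TXT", "UNLICENSE",
];

fn looks_like_license_file(name: &str) -> bool {
    let upper = name.to_ascii_uppercase();
    KNOWN_NAMES.contains(&upper.as_str()) || upper.starts_with("LICENSE-") || upper.starts_with("LICENCE-")
}

/// Step 2: crawl the package root only (not recursively, to avoid vendored third-party licenses).
/// Results are sorted so the output is deterministic across runs.
pub fn discover_license_files(package_dir: &Path) -> Vec<PathBuf> {
    let mut found: Vec<PathBuf> = match fs::read_dir(package_dir) {
        Ok(entries) => entries
            .filter_map(Result::ok)
            .map(|e| e.path())
            .filter(|p| p.is_file())
            .filter(|p| p.file_name().and_then(|n| n.to_str()).map_or(false, looks_like_license_file))
            .collect(),
        Err(_) => Vec::new(),
    };
    found.sort();
    found
}

/// Runs the cascade: manifest `license-file` first, then discovered files, then SPDX-only.
pub fn resolve_license_texts(
    package_dir: &Path,
    manifest_license_file: Option<&str>,
    spdx_expr: Option<&str>,
) -> LicenseTexts {
    // Step 1: the declared file wins if it exists and is readable; otherwise fall through.
    if let Some(rel) = manifest_license_file {
        let path = package_dir.join(rel);
        if let Ok(text) = fs::read_to_string(&path) {
            return LicenseTexts::FromManifest { path, text };
        }
    }
    // Step 2: conventionally named files in the package root.
    let discovered: Vec<(PathBuf, String)> = discover_license_files(package_dir)
        .into_iter()
        .filter_map(|p| fs::read_to_string(&p).ok().map(|t| (p, t)))
        .collect();
    if !discovered.is_empty() {
        return LicenseTexts::Discovered(discovered);
    }
    // Step 3: no file on disk, hand the SPDX expression to a later fetch stage.
    if let Some(expr) = spdx_expr {
        return LicenseTexts::SpdxOnly(expr.to_string());
    }
    LicenseTexts::Unknown
}

/// Builds a constructed package directory under the system temp dir (demo fixture, not a real crate).
pub fn make_fixture(name: &str, files: &[(&str, &str)]) -> PathBuf {
    let dir = std::env::temp_dir().join(format!("license-cascade-{}-{}", name, std::process::id()));
    let _ = fs::remove_dir_all(&dir);
    fs::create_dir_all(&dir).expect("create fixture dir");
    for (fname, content) in files {
        fs::write(dir.join(fname), content).expect("write fixture file");
    }
    dir
}

fn main() {
    let dual = make_fixture("dual", &[
        ("LICENSE-APACHE", "Apache-2.0 text (constructed)"),
        ("LICENSE-MIT", "MIT text (constructed)"),
        ("Cargo.toml", "[package]\nname = \"demo\"\n"),
    ]);
    match resolve_license_texts(&dual, None, Some("MIT OR Apache-2.0")) {
        LicenseTexts::Discovered(files) => {
            for (p, t) in files {
                println!("{}: {} bytes", p.display(), t.len());
            }
        }
        other => println!("{other:?}"),
    }
    let bare = make_fixture("bare", &[("Cargo.toml", "[package]\nname = \"demo\"\n")]);
    println!("{:?}", resolve_license_texts(&bare, None, Some("BSD-3-Clause")));
    let _ = fs::remove_dir_all(&dual);
    let _ = fs::remove_dir_all(&bare);
}
```

A manifest `license-file` that points at a missing path falls through to step 2 rather than aborting, and a package with neither files nor an SPDX expression ends in `Unknown`, which is the case step 4's user-supplied mapping would have to cover.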