Quoting the README:

> There is currently no standard way for developers to declare their module's license.
> Detecting licenses based on files in a repository is a non-trivial task, which is why cyclonedx-gomod uses pkg.go.dev to resolve module licenses (please read their license disclaimer).
> While pkg.go.dev's license matching may be accurate most of the time, BOMs should state facts.
> This is why license resolution is an opt-in feature (using the `-licenses` flag).
> If you are a vendor and legally required to provide 100% accurate BOMs, do not use this feature.

We need to include this disclaimer, because the `components/licenses` node we're currently using represents an assertion.

Since v1.3 of the spec, there's now support for license evidence. Given that we perform error-prone license detection (or leverage services that do it for us), we should put detection results into the `component/evidence/licenses` node instead.
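The following is an added example, not code from cyclonedx-gomod or the cyclonedx-go library: it shows the assertion/evidence split the issue asks for, on both the producing and the consuming side. The structs are hand-written minimal mirrors of the CycloneDX JSON field names (a real tool would use the library types), `LicenseResult`/`attachLicense`/`readLicenses` are hypothetical names, and the two components are constructed sample data.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Minimal hand-written structs for the CycloneDX JSON fields used here.
// They follow the spec's field names but are NOT the cyclonedx-go types.
type License struct {
	ID   string `json:"id,omitempty"`   // SPDX license ID
	Name string `json:"name,omitempty"` // free-form name when no SPDX ID fits
}

type LicenseChoice struct {
	License    *License `json:"license,omitempty"`
	Expression string   `json:"expression,omitempty"`
}

// Evidence carries inferred findings (available since spec v1.3).
type Evidence struct {
	Licenses []LicenseChoice `json:"licenses,omitempty"`
}

type Component struct {
	Type     string          `json:"type"`
	Name     string          `json:"name"`
	Version  string          `json:"version"`
	Licenses []LicenseChoice `json:"licenses,omitempty"` // assertion: "this IS the license"
	Evidence *Evidence       `json:"evidence,omitempty"`  // detection: "this is what we observed"
}

type BOM struct {
	BOMFormat   string      `json:"bomFormat"`
	SpecVersion string      `json:"specVersion"`
	Version     int         `json:"version"`
	Components  []Component `json:"components"`
}

// LicenseResult is a hypothetical resolver output. Detected is true when the
// ID was inferred (registry lookup, file-content match) rather than declared.
type LicenseResult struct {
	SPDXID   string
	Detected bool
}

// attachLicense routes a result by provenance: detected licenses go under
// component.evidence.licenses, declared ones under component.licenses.
func attachLicense(c *Component, r LicenseResult) {
	choice := LicenseChoice{License: &License{ID: r.SPDXID}}
	if r.Detected {
		if c.Evidence == nil {
			c.Evidence = &Evidence{}
		}
		c.Evidence.Licenses = append(c.Evidence.Licenses, choice)
		return
	}
	c.Licenses = append(c.Licenses, choice)
}

// LicenseView keeps asserted and evidence licenses apart on the consuming
// side so evidence is never mistaken for a claim.
type LicenseView struct {
	Asserted []string
	Evidence []string
}

func choiceID(lc LicenseChoice) string {
	if lc.Expression != "" {
		return lc.Expression
	}
	if lc.License != nil && lc.License.ID != "" {
		return lc.License.ID
	}
	if lc.License != nil {
		return lc.License.Name
	}
	return ""
}

// readLicenses parses a CycloneDX JSON document and returns, per component
// (keyed name@version), the asserted and the evidence licenses separately.
func readLicenses(doc []byte) (map[string]LicenseView, error) {
	var bom BOM
	if err := json.Unmarshal(doc, &bom); err != nil {
		return nil, err
	}
	out := make(map[string]LicenseView, len(bom.Components))
	for _, c := range bom.Components {
		var v LicenseView
		for _, lc := range c.Licenses {
			v.Asserted = append(v.Asserted, choiceID(lc))
		}
		if c.Evidence != nil {
			for _, lc := range c.Evidence.Licenses {
				v.Evidence = append(v.Evidence, choiceID(lc))
			}
		}
		out[c.Name+"@"+c.Version] = v
	}
	return out, nil
}

// buildSampleBOM builds a two-component BOM from constructed sample data
// (not real cyclonedx-gomod output): one license declared, one detected.
func buildSampleBOM() ([]byte, error) {
	declared := Component{Type: "library", Name: "example.org/declared", Version: "v1.0.0"}
	attachLicense(&declared, LicenseResult{SPDXID: "MIT", Detected: false})
	detected := Component{Type: "library", Name: "example.org/detected", Version: "v2.3.1"}
	attachLicense(&detected, LicenseResult{SPDXID: "Apache-2.0", Detected: true})
	bom := BOM{BOMFormat: "CycloneDX", SpecVersion: "1.3", Version: 1,
		Components: []Component{declared, detected}}
	return json.MarshalIndent(bom, "", "  ")
}

func main() {
	doc, err := buildSampleBOM()
	if err != nil {
		panic(err)
	}
	fmt.Println(string(doc))
	views, _ := readLicenses(doc)
	for k, v := range views {
		fmt.Printf("%s asserted=%v evidence=%v\n", k, v.Asserted, v.Evidence)
	}
}
```

In the emitted JSON the detected component has no `licenses` key at all, only `evidence.licenses`, so a consumer that reads only `licenses` sees no claim it could wrongly rely on; a consumer that wants the detection result has to opt into reading evidence, which is the point of the split.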