feat(license): Support for deep license scanning for finding concluded licenses #7347
hrithik-777 started this conversation in Ideas
Description
The current implementation of full license scanning in Trivy only checks the manifest files and gets the declared licenses found for each package. Ideally, full or deep license scanning should get all the licenses that we can find within the given image / filesystem, i.e. licenses found within source code (as headers / code comments), LICENSE documents, or any other file where potential license text is present. This is important for license persona teams, who are mainly concerned about the licenses that are present in an artifact and any potential license risks associated with their code.
With the deep license scanning support I added as part of #7344, it now also scans all other files found in the package directory for the SBOM, and loose licenses (which are not associated with any package defined in the SBOM). It applies the Google license classifier to each file's content and gets the license findings. This actually makes sense when we talk about supporting deep license scanning.
Please feel free to let me know your ideas regarding this; I'm happy to hear them.
Thanks.
cc: @owenrumney @knqyf263
Target: SBOM
Scanner: License
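The declared-versus-concluded distinction the proposal draws, as an added Go sketch that is not code from Trivy or from the linked PR: every file in a constructed sample tree is classified, not only the manifest, and only concluded licenses that disagree with their package's declaration, or that belong to no package at all, are reported. It assumes package.json manifests, SPDX-License-Identifier headers, and a single text fingerprint standing in for the Google license classifier.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample tree (path -> content); not files from any real project.
var sampleFiles = map[string]string{
	"app/package.json":   `{"name":"app","license":"MIT"}`,
	"app/src/main.js":    "// SPDX-License-Identifier: MIT\nexport const x = 1;",
	"app/vendor/util.js": "/* SPDX-License-Identifier: GPL-3.0-only */\nfunction f() {}",
	"tools/LICENSE":      "MIT License\n\nPermission is hereby granted, free of charge, to any person",
}
var spdxHeader = regexp.MustCompile(`SPDX-License-Identifier:\s*([A-Za-z0-9.+-]+)`)
var manifestLic = regexp.MustCompile(`"license"\s*:\s*"([^"]+)"`) // package.json "license" field
// classify concludes a license from file content: an SPDX header first, then a text
// fingerprint standing in for a full-text classifier such as google/licenseclassifier.
func classify(content string) string {
	if m := spdxHeader.FindStringSubmatch(content); m != nil {
		return m[1]
	}
	if strings.Contains(content, "Permission is hereby granted, free of charge") {
		return "MIT"
	}
	return ""
}
// Finding is a concluded license worth a reviewer's attention; Declared is "" for a loose file.
type Finding struct{ Path, Concluded, Declared string }
// deepScan reads every file, not only manifests: package.json declares the license of its directory,
// every other file is classified, and only disagreements and loose licenses are returned.
// Packages are assumed to be top-level directories (an assumption of this example).
func deepScan(files map[string]string) map[string]Finding {
	declared := map[string]string{} // package dir -> declared license
	for p, c := range files {
		if m := manifestLic.FindStringSubmatch(c); strings.HasSuffix(p, "/package.json") && m != nil {
			declared[strings.TrimSuffix(p, "/package.json")] = m[1]
		}
	}
	out := map[string]Finding{}
	for p, c := range files {
		id, owner := classify(c), strings.SplitN(p, "/", 2)[0]
		if id != "" && declared[owner] != id { // declared[owner] is "" for loose files
			out[p] = Finding{p, id, declared[owner]}
		}
	}
	return out
}
func main() { fmt.Printf("%+v\n", deepScan(sampleFiles)) } // prints the findings map
```

Run on the sample tree it reports the GPL header hiding under an MIT-declared package and the loose LICENSE file, while the source file whose header agrees with the manifest stays silent.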