
feat(license): use separate SPDX ids to ignore SPDX expressions #9045

@DmitriyLewen

Description


Trivy currently ignores licenses only by full compliance.
e.g. for `LGPLv2+ and MIT` you need to use `LGPLv2+ and MIT` (`MIT and LGPLv2+` will not work).

Feature

Using license IDs to ignore SPDX expressions.
This means that if the ignore list contains all license identifiers from an SPDX expression, Trivy should ignore that license.
e.g. for `LGPLv2+ and MIT` you can add `LGPLv2+` + `MIT`.

Required changes:

Changes can be added in this function:

trivy/pkg/result/ignore.go

Lines 180 to 182 in 4cfb2a9

```go
func (c *IgnoreConfig) MatchLicense(licenseID, filePath string) *IgnoreFinding {
	return c.Licenses.Match(licenseID, filePath, nil)
}
```

Needed:

  • check that the license is a valid SPDX expression
  • split the SPDX expression into SPDX IDs
  • use `c.Licenses.Match` for each SPDX ID and for the whole SPDX expression

Discussed in #9027
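The three steps listed under "Needed" (validate the SPDX expression, split it into IDs, match each ID and the whole expression), worked through as an added example. This is not Trivy's code and not the issue author's: `validID`, `SplitSPDXIDs`, `ShouldIgnore` and the ignore list in `main` are names and inputs assumed for this illustration, and the matcher is reduced to an exact string set, whereas Trivy's real `Licenses.Match` (shown above) also takes a file path.

```go
package main

import (
	"fmt"
	"strings"
)

// Example written for this page, not Trivy's code: validID, SplitSPDXIDs,
// ShouldIgnore and the ignore list in main are assumptions made to illustrate the issue.

// validID reports whether tok is a syntactically plausible SPDX identifier
// (assumption: letters, digits, '.', '-' and a '+' suffix as in "LGPLv2+") and
// not an operator or parenthesis. SPDX operators are matched case-insensitively.
func validID(tok string) bool {
	switch strings.ToUpper(tok) {
	case "", "AND", "OR", "WITH", "(", ")":
		return false
	}
	for _, r := range tok {
		if !(r == '.' || r == '-' || r == '+' || (r >= '0' && r <= '9') ||
			(r >= 'a' && r <= 'z') || (r >= 'A' && r <= 'Z')) {
			return false
		}
	}
	return true
}

// SplitSPDXIDs validates expr as a (simplified) SPDX expression and returns its
// identifiers in order. "X WITH Y" stays one identifier, since the exception
// changes what license X permits. Anything malformed is an error.
func SplitSPDXIDs(expr string) ([]string, error) {
	tokens := strings.Fields(strings.NewReplacer("(", " ( ", ")", " ) ").Replace(expr))
	var ids []string
	depth, expectID, prevID := 0, true, false // operands and operators alternate
	for i := 0; i < len(tokens); i++ {
		tok, wasID := tokens[i], prevID
		prevID = false
		switch up := strings.ToUpper(tok); {
		case tok == "(" && expectID:
			depth++
		case tok == ")" && !expectID && depth > 0:
			depth--
		case (up == "AND" || up == "OR") && !expectID:
			expectID = true
		case up == "WITH" && wasID && i+1 < len(tokens) && validID(tokens[i+1]):
			ids[len(ids)-1] += " WITH " + tokens[i+1] // bind the exception to its license
			i++
		case validID(tok) && expectID:
			ids = append(ids, tok)
			expectID, prevID = false, true
		default:
			return nil, fmt.Errorf("unexpected token %q in %q", tok, expr)
		}
	}
	if expectID || depth != 0 { // also rejects the empty string and "MIT AND"
		return nil, fmt.Errorf("incomplete SPDX expression %q", expr)
	}
	return ids, nil
}

// ShouldIgnore applies the rule proposed in the issue: ignore when the whole
// expression is listed verbatim (today's behaviour) or when every identifier in
// it is listed. A malformed expression is an error, not a silent non-match.
func ShouldIgnore(licenseExpr string, ignored []string) (bool, error) {
	set := make(map[string]bool, len(ignored))
	for _, l := range ignored {
		set[strings.TrimSpace(l)] = true
	}
	if set[strings.TrimSpace(licenseExpr)] {
		return true, nil
	}
	ids, err := SplitSPDXIDs(licenseExpr)
	if err != nil {
		return false, err
	}
	for _, id := range ids {
		if !set[id] {
			return false, nil
		}
	}
	return true, nil
}

func main() {
	for _, expr := range []string{"LGPLv2+ AND MIT", "MIT AND LGPLv2+", "MIT AND GPL-3.0-only", "MIT AND"} {
		ok, err := ShouldIgnore(expr, []string{"MIT", "LGPLv2+"}) // constructed ignore list
		fmt.Printf("%-22q ignore=%v err=%v\n", expr, ok, err)
	}
}
```

Two design points worth settling before implementing this in Trivy: the example follows the issue literally and requires every identifier to be listed even under `OR`, which is the conservative choice (an `OR` could arguably be ignored when any one alternative is listed); and it treats an unparsable expression as an error rather than falling back to the verbatim comparison, so a typo in `.trivyignore` surfaces instead of quietly suppressing a finding.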

Metadata

Labels

  • help wanted: Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines.
  • kind/feature: Categorizes issue or PR as related to a new feature.
  • scan/license: Issues relating to license scanning.
