`License` field in Python package metadata could be name or full text · Issue #2969 · anchore/syft · GitHub
License field in Python package metadata could be name or full text #2969
Open
@mmarseu

Description

What would you like to be added:

The python-installed-package-cataloger cataloger could employ a heuristic to determine whether the License field in package metadata contains a license descriptor or the full license text.
For example, if a certain number of newlines and text length are exceeded, the value could be considered the full text.

When it's determined to be the full text, it should be added as such to the SBOM. In CycloneDX, that means creating a license object such as:

"license": {
  "name": "Found in <path>",
  "text": {
    "content": "<full text>"
  }
}

Why is this needed:

The License field isn't clearly defined. While in my experience, most packages just put down a license name or even SPDX id, it is not uncommon to find the full text in there.
For example, pandas uses it this way.

Additional context:

This would fit well with #656. If a full text is identified, it could immediately be classified.

License field might be deprecated if PEP-639 gets approved. Still, even then I believe this issue will stay relevant for years to come.
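An added illustration of the proposal above, written here as an example and not taken from syft or from the issue author: the newline/length heuristic applied to a `License` metadata value, and the resulting CycloneDX license object. Syft is a Go project, so Go is used; the thresholds and the metadata path are assumed values.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Assumed thresholds: the issue proposes a newline/length heuristic but
// fixes no numbers, so these are illustrative.
const (
	fullTextMinNewlines = 3
	fullTextMinLength   = 200
)

// LicenseText mirrors the CycloneDX "text" attachment.
type LicenseText struct {
	Content string `json:"content"`
}

// License is a minimal CycloneDX license object: a name only (descriptor
// or SPDX id as given), or a name plus the embedded full text.
type License struct {
	Name string       `json:"name,omitempty"`
	Text *LicenseText `json:"text,omitempty"`
}

// IsFullLicenseText applies the heuristic from the issue: a value with many
// newlines and substantial length is treated as full license text.
func IsFullLicenseText(v string) bool {
	return strings.Count(v, "\n") >= fullTextMinNewlines && len(v) >= fullTextMinLength
}

// LicenseFromMetadata converts a METADATA/PKG-INFO License value into a
// CycloneDX license object, attaching the text when it looks like full text.
// Classifying that text against SPDX (the #656 follow-up) is out of scope.
func LicenseFromMetadata(value, path string) License {
	value = strings.TrimSpace(value)
	if IsFullLicenseText(value) {
		return License{Name: "Found in " + path, Text: &LicenseText{Content: value}}
	}
	return License{Name: value}
}

func main() {
	// Constructed sample: a short descriptor and a multi-line block of text.
	full := strings.Repeat("Permission is hereby granted, free of charge, to any person\n", 5)
	for _, v := range []string{"MIT", full} {
		out, _ := json.MarshalIndent(LicenseFromMetadata(v, "example.dist-info/METADATA"), "", "  ")
		fmt.Println(string(out))
	}
}
```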

Metadata

Assignees: No one assigned

Labels: bug (Something isn't working), license (relating to software licensing)

Type: No type

Projects: Status: Ready

Milestone: No milestone

Relationships: None yet

Development: No branches or pull requests