You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Which, while technically valid per the spec, is not what I would expect, and causes problems with other tools.
A low-impact fix could be something like "if no fields on the license are specified, or all specified fields are empty, then treat the license as if it does not exist." Then this plugin would output this for the dependency: "licenses" : [] and everything would work out.
The text was updated successfully, but these errors were encountered:
So I know this is a bit of an edge case. We generate BOMs with this plugin (version 2.7.9), merge them with cyclonedx-cli, and a third-party service validates them. For some dependencies, we're using an older version that does not specify the license correctly. Validation fails. Here is one of the offending dependencies, at the offending version: https://github.com/aliyun/aliyun-openapi-java-sdk/blob/5f06fdae064c6f87fc9494894a8ef849557f99c8/aliyun-java-sdk-ram/pom.xml#L41
Their pom.xml looks like this:
Which this plugin generates to:
Which, while technically valid per the spec, is not what I would expect, and causes problems with other tools.
A low-impact fix could be something like "if no fields on the license are specified, or all specified fields are empty, then treat the license as if it does not exist." Then this plugin would output this for the dependency:
"licenses" : []
and everything would work out.The text was updated successfully, but these errors were encountered: