SPDX PackageLicenseDeclared should be NOASSERTION #660

Labels: bug (Something isn't working), good-first-issue (Good for newcomers), license (relating to software licensing)
What happened:

Running `syft photon:3.0 -o spdx`, the `PackageLicenseDeclared` for all packages is listed as `NONE`. According to the SPDX spec, however, `NONE` should only be used if "the package contains no license information whatsoever". The photon packages do contain license information, however, so `NOASSERTION` should be the value of `PackageLicenseDeclared` since a license is available but not provided.

What you expected to happen:

At a minimum, `NOASSERTION` should be the value of PackageLicenseDeclared (and probably PackageLicenseConcluded). Ideally, the License or LicenseRef for the package would be listed since the license is provided in the json format:

How to reproduce it (as minimally and precisely as possible):

`syft photon:3.0 -o spdx`

Anything else we need to know?:

https://spdx.github.io/spdx-spec/package-information/

Version: 0.32.0
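One way to implement the rule the report describes, as an added example in Go that is not syft's own code: `Package`, `knownSPDXIDs`, `licenseRefUnsafe` and `DeclaredLicense` are hypothetical names, the known-ID table is a constructed subset of the SPDX license list, and the `useLicenseRef` switch goes beyond the minimum fix to also emit the LicenseRef the report mentions as the ideal outcome.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Package is a hypothetical stand-in for one package record in syft's JSON
// output (not syft's own type); Licenses holds the raw license strings found.
type Package struct{ Licenses []string }

// knownSPDXIDs is a constructed subset of the SPDX license list for the example.
var knownSPDXIDs = map[string]bool{"MIT": true, "Apache-2.0": true, "GPL-2.0-only": true}

// A LicenseRef idstring may only contain letters, digits, "." and "-".
var licenseRefUnsafe = regexp.MustCompile(`[^A-Za-z0-9.-]+`)

// DeclaredLicense maps raw license metadata to a PackageLicenseDeclared value:
// NONE only when no license information exists at all; an SPDX expression when
// every value is a known identifier; otherwise NOASSERTION, or, with
// useLicenseRef set, a LicenseRef- for each value not on the SPDX list.
func DeclaredLicense(p Package, useLicenseRef bool) string {
	var parts []string
	for _, raw := range p.Licenses {
		raw = strings.TrimSpace(raw)
		switch {
		case raw == "":
			continue
		case knownSPDXIDs[raw]:
			parts = append(parts, raw)
		case useLicenseRef:
			parts = append(parts, "LicenseRef-"+licenseRefUnsafe.ReplaceAllString(raw, "-"))
		default:
			// License information exists but is not an SPDX identifier:
			// the spec value for that is NOASSERTION, never NONE.
			return "NOASSERTION"
		}
	}
	if len(parts) == 0 {
		return "NONE" // "no license information whatsoever"
	}
	return strings.Join(parts, " AND ")
}

func main() {
	pkg := Package{Licenses: []string{"GPLv3"}} // constructed sample, not real photon data
	fmt.Println(DeclaredLicense(pkg, false), DeclaredLicense(pkg, true))
}
```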