Skip to content

Policy violations for custom licenses in SBOM #2451

New issue
New issue
Closed
#2452
Closed
Policy violations for custom licenses in SBOM#2451
#2452
@kaysavps

Description

@kaysavps
kaysavps
opened on Oct 1, 2025

When evaluating the sbom-banned-licenses policy on top of Chainloop OSS the following custom licenses are detected:

Violations

  • Forbidden custom license sha256:b9a6d9320b8f2693e8d41e496ce56caadacaddcca9be2a64a61749278f425cf2 for github.com/cyberphone/json-canonicalization (pkg:golang/github.com/cyberphone/json-canonicalization@v0.0.0-20231011164504-785e29786b46?package-id=7aa1823b05f2a197)
  • Forbidden custom license sha256:cd65721176ce5fdbb05773c0b1349f993b94ce77a51062cfa7a78b34cc82fc71 for github.com/theupdateframework/go-tuf (pkg:golang/github.com/theupdateframework/go-tuf@v0.7.0?package-id=467293498cd334a3)

Further review of these files shows that both have valid licenses for use in Chainloop (Apache 2.0 and MIT or BSD-3-Clause).

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions