Description
Gathering license evidence is a common feature of downstream users.
As a library, this should be centralized here, so that maintenance efforts are minimized.
Currently known implementations downstream:
- for webpack: https://github.com/CycloneDX/cyclonedx-webpack-plugin/blob/72700f06d00eac79fa3b91fe838bd78c583346a2/src/extractor.ts#L133-L173
- for yarn: upcoming via cyclonedx-node-yarn#193 (Extraction of license text from files)
- for npm: via cyclonedx-node-npm#1243 (feat: Add license text as evidence)
related downstream issues
Requirements
license for evidence
- have no acknowledgement -- they are observed
- have a name that expresses their origin -- `file: ${filePath}`
- have the full license texts as attachment
- are base64 encoded, when auto-detected, just to be safe
- have an appropriate content type of `text/...`
files to take into account
- `/^LICEN[CS]E/i` -- general file pattern
- `/.LICEN[CS]E$/i` -- common file pattern for multi-license projects
- `/^NOTICE$/` -- file with this exact name is relevant in terms of Apache-2.0 license
text content type
like so

```ts
// `MimeType` refers to the library's own MIME-type string type
const MAP_TEXT_EXTENSION_MIMETYPE: Readonly<Record<string, MimeType>> = {
  '': 'text/plain', // our scope is text!
  '.csv': 'text/csv',
  '.htm': 'text/html',
  '.html': 'text/html',
  '.licence': 'text/plain',
  '.license': 'text/plain',
  '.md': 'text/markdown',
  '.rst': 'text/prs.fallenstein.rst',
  '.txt': 'text/plain',
  '.xml': 'text/xml' // not `application/xml` -- our scope is text!
} as const
```
additional license-file related file extensions
- `.apache`
- `.apache2` <<- missing in most implementations
- `.bsd`
- `.mit`
- `.gpl`
- ...
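The requirements above (file-name patterns, text-only content types, base64 attachment, `file: ${filePath}` naming) put together as one centralized routine. This is an added example, not code from the library or any of the downstream plugins; `MimeType`, `LicenseEvidence`, the function names, and the mapping of the extra `.apache`/`.apache2`/`.bsd`/`.mit`/`.gpl` extensions to `text/plain` are assumptions made here. The sample package directory it scans is constructed inside `demo()`.

```typescript
// Added example (not the library's own code): centralized license-evidence
// gathering as the issue describes. `MimeType`, `LicenseEvidence` and the
// function names are assumptions for this example.
import { mkdtempSync, readdirSync, readFileSync, rmSync, writeFileSync } from 'node:fs'
import { tmpdir } from 'node:os'
import { basename, extname, join } from 'node:path'

type MimeType = string

export interface LicenseEvidence {
  name: string        // expresses the origin: `file: ${filePath}`
  contentType: MimeType
  encoding: 'base64'  // always base64, so arbitrary bytes survive serialization
  content: string
}

// File-name patterns from the issue; the second one has its dot escaped.
const LICENSE_FILENAME_PATTERNS: readonly RegExp[] = [
  /^LICEN[CS]E/i,    // general: LICENSE, LICENCE.md, LICENSE-MIT, ...
  /\.LICEN[CS]E$/i,  // multi-license projects: MIT.LICENSE, apache2.license, ...
  /^NOTICE$/         // exact name, relevant for Apache-2.0
]

// Extension -> text content type. The '.apache', '.apache2', '.bsd', '.mit'
// and '.gpl' entries are an assumption here (treated as plain text).
const MAP_TEXT_EXTENSION_MIMETYPE: Readonly<Record<string, MimeType>> = {
  '': 'text/plain',
  '.apache': 'text/plain',
  '.apache2': 'text/plain',
  '.bsd': 'text/plain',
  '.csv': 'text/csv',
  '.gpl': 'text/plain',
  '.htm': 'text/html',
  '.html': 'text/html',
  '.licence': 'text/plain',
  '.license': 'text/plain',
  '.md': 'text/markdown',
  '.mit': 'text/plain',
  '.rst': 'text/prs.fallenstein.rst',
  '.txt': 'text/plain',
  '.xml': 'text/xml'
}

export function isLicenseFile (fileName: string): boolean {
  return LICENSE_FILENAME_PATTERNS.some(re => re.test(fileName))
}

// Returns undefined for extensions outside the text scope (e.g. LICENSE.pdf),
// so non-text files are never attached as evidence.
export function textContentTypeOf (fileName: string): MimeType | undefined {
  return MAP_TEXT_EXTENSION_MIMETYPE[extname(fileName).toLowerCase()]
}

export function makeLicenseEvidence (filePath: string, raw: Buffer): LicenseEvidence | undefined {
  const fileName = basename(filePath)
  if (!isLicenseFile(fileName)) { return undefined }
  const contentType = textContentTypeOf(fileName)
  if (contentType === undefined) { return undefined }
  return {
    name: `file: ${filePath}`,
    contentType,
    encoding: 'base64',
    content: raw.toString('base64')
  }
}

// Scans one directory (non-recursive, like a package root). Symlinks are
// skipped because Dirent.isFile() is false for them, so a planted link
// cannot make the scan read files from outside the package.
export function gatherLicenseEvidence (dir: string): LicenseEvidence[] {
  const found: LicenseEvidence[] = []
  for (const entry of readdirSync(dir, { withFileTypes: true })) {
    if (!entry.isFile()) { continue }
    const filePath = join(dir, entry.name)
    const evidence = makeLicenseEvidence(filePath, readFileSync(filePath))
    if (evidence !== undefined) { found.push(evidence) }
  }
  return found.sort((a, b) => a.name.localeCompare(b.name))
}

// Self-contained demo on a constructed package directory; returns the
// base names of the evidence files so the result can be checked directly.
export function demo (): string[] {
  const dir = mkdtempSync(join(tmpdir(), 'license-evidence-'))
  try {
    writeFileSync(join(dir, 'LICENSE'), 'MIT License\n')
    writeFileSync(join(dir, 'NOTICE'), 'Copyright (constructed sample)\n')
    writeFileSync(join(dir, 'MIT.LICENSE'), 'MIT\n')
    writeFileSync(join(dir, 'LICENSE.pdf'), Buffer.from([0x25, 0x50, 0x44, 0x46])) // outside text scope
    writeFileSync(join(dir, 'README.md'), '# not a license\n')
    return gatherLicenseEvidence(dir).map(e => basename(e.name))
  } finally {
    rmSync(dir, { recursive: true, force: true })
  }
}
```

Note that the evidence name carries whatever `filePath` the caller passes in; a downstream tool that passes absolute paths will embed its build machine's directory layout into the SBOM, so callers will usually want to pass paths relative to the package root.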
to be continued