
Use SPDX license identifiers #85

@pilosus

Description


We must adopt the SPDX License List, because SPDX license identifiers are precise, unambiguous, short, and are being adopted little by little (see more details).

Exact matching on the SPDX id means the exact license name and version, which in turn means the exact license type.
SPDX id exact matching must be the prioritized way of license name/type detection, with a fallback to the existing heuristics.

Having an unambiguous license identifier means that in addition to excluding licenses with the --exclude-license REGEX option we could also exclude licenses by predefined identifiers.

Preliminary TODO

  1. Introduce an SPDX ids map (Clojure keyword to a string holding an SPDX id)
  2. Introduce a mapping from SPDX id to license type (public domain, permissive, weak/strong/network copyleft, proprietary, etc.)
  3. Revise the existing regexes (PCRE) to match a license's SPDX id instead of a license type.
     See SPDX matching guidelines.
     PCRE -> SPDX id -> License type
  4. Include the SPDX id in the report's output (sure enough, only
     free/libre/open-source licenses are expected to have an SPDX id; others should get NA or equivalent)
| Package           | License Name                               | License ID                | License Type   |
|-------------------|--------------------------------------------|---------------------------|----------------|
| package1:0.1.2    | Apache 2.0 License                         | Apache-2.0                | Permissive     |
| package2:3.141592 | GNU General Public License v2 or any later | GPL-2.0-or-later          | StrongCopyleft |
| package3:21.09    | Other/Proprietary License (EULA)           | NA                        | Other          |
| package4          | GPL-3.0 Linking Exception                  | GPL-3.0-linking-exception | WeakCopyleft   |
| package5:2.19.2   | null                                       | NA                        | Error          |

Could be, possibly, an optional column turned on/off with the option flag?

  5. Introduce an --exclude-license-id option to exclude by SPDX id
  6. Introduce a --fail-license-id option to fail if a package with the provided license SPDX id is found
  7. Introduce stats for SPDX ids found with a --stats-by-license-id option
  8. (breaking change) Change --with-totals to --stats-by-license-type to provide stats for license types found a
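The detection order and the options proposed above, worked through as an added Python example (this is not pip-license-checker's own Clojure code, and the SPDX id table, the regex heuristics and the sample packages are constructed for the illustration). It tries an exact, case-insensitive SPDX id match first, falls back to name heuristics only when that fails, reports NA/Other for anything unrecognized and NA/Error for a missing license, and then applies `--exclude-license-id` / `--fail-license-id` semantics and stats by id and by type over the result:

```python
"""Illustrative SPDX-first license classifier: exact SPDX id -> regex heuristics -> type.
Added example, not the project's own code; tables and sample data are constructed."""
import re
from collections import Counter

# Assumed subset of the SPDX License List mapped to the license types named in the issue.
SPDX_TO_TYPE = {
    "Apache-2.0": "Permissive",
    "MIT": "Permissive",
    "BSD-3-Clause": "Permissive",
    "LGPL-2.1-or-later": "WeakCopyleft",
    "GPL-3.0-linking-exception": "WeakCopyleft",
    "GPL-2.0-or-later": "StrongCopyleft",
    "GPL-3.0-only": "StrongCopyleft",
    "AGPL-3.0-only": "NetworkCopyleft",
    "Unlicense": "PublicDomain",
}
# SPDX ids are matched case-insensitively, so keep a lowercase index.
_SPDX_LOWER = {k.lower(): k for k in SPDX_TO_TYPE}

# Fallback heuristics over a free-form license name (constructed patterns).
# Order matters: the more specific pattern must come before the generic one,
# which is exactly the fragility that exact SPDX ids avoid.
NAME_HEURISTICS = [
    (re.compile(r"apache.*2", re.I), "Apache-2.0"),
    (re.compile(r"\bmit\b", re.I), "MIT"),
    (re.compile(r"\bbsd\b", re.I), "BSD-3-Clause"),
    (re.compile(r"lesser general public|\blgpl\b", re.I), "LGPL-2.1-or-later"),
    (re.compile(r"affero|\bagpl\b", re.I), "AGPL-3.0-only"),
    (re.compile(r"gpl.*3.*linking exception", re.I), "GPL-3.0-linking-exception"),
    (re.compile(r"(general public license|\bgpl\b).*(v?2|2\.0).*(later|\+)", re.I), "GPL-2.0-or-later"),
    (re.compile(r"(general public license|\bgpl\b).*(v?3|3\.0)", re.I), "GPL-3.0-only"),
]


def detect(license_name):
    """Return (spdx_id, license_type) for a package's license string.

    Precedence as proposed: exact SPDX id, then regex heuristics, then NA/Other.
    A missing license (None, i.e. "null" in the report) is reported as NA/Error."""
    if license_name is None:
        return "NA", "Error"
    key = license_name.strip().lower()
    if key in _SPDX_LOWER:  # exact SPDX id: precise, no guessing involved
        spdx = _SPDX_LOWER[key]
        return spdx, SPDX_TO_TYPE[spdx]
    for pattern, spdx in NAME_HEURISTICS:  # fallback: fuzzy name matching
        if pattern.search(license_name):
            return spdx, SPDX_TO_TYPE[spdx]
    return "NA", "Other"


def check(packages, exclude_ids=(), fail_ids=()):
    """Classify (package, license) pairs and apply --exclude-license-id /
    --fail-license-id semantics. Returns report rows, stats by SPDX id,
    stats by license type, and whether the run should be marked as failed."""
    excluded = {i.lower() for i in exclude_ids}
    fail_on = {i.lower() for i in fail_ids}
    rows, by_id, by_type, failed = [], Counter(), Counter(), False
    for pkg, name in packages:
        spdx, ltype = detect(name)
        if spdx.lower() in excluded:
            continue  # excluded ids are dropped before stats are counted
        rows.append((pkg, name, spdx, ltype))
        by_id[spdx] += 1
        by_type[ltype] += 1
        if spdx.lower() in fail_on:
            failed = True
    return rows, by_id, by_type, failed


# Constructed sample input mirroring the issue's table, plus one exact-id case.
SAMPLE = [
    ("package1:0.1.2", "Apache 2.0 License"),
    ("package2:3.141592", "GNU General Public License v2 or any later"),
    ("package3:21.09", "Other/Proprietary License (EULA)"),
    ("package4", "GPL-3.0 Linking Exception"),
    ("package5:2.19.2", None),
    ("package6:1.0", "gpl-2.0-or-later"),  # exact SPDX id, any letter case
]

if __name__ == "__main__":
    rows, by_id, by_type, failed = check(SAMPLE, fail_ids=["GPL-2.0-or-later"])
    for row in rows:
        print("| %-17s | %-42s | %-25s | %-14s |" % row)
    print(dict(by_id), dict(by_type), "FAIL" if failed else "OK")
```

Running the block prints a report in the shape of the table above; `package6` is resolved by the exact-id path without touching the regexes, while `package4` shows why the heuristic order has to be maintained by hand.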
