NPM packages commonly write "UNLICENSED" in the license field to indicate a commercial license. (Which, of course, has no SPDX ID.)
When trivy scans these packages, it (rightly) states the license name as "UNLICENSED", but (wrongly) classifies the license as "unencumbered" and therefore LOW severity.
I think the correct behavior is to classify "UNLICENSED" packages as "unknown" license type, "UNKNOWN" severity.
I'm wondering if somehow "UNLICENSED" is matching into the same category as the "Unlicense" (which IS an unencumbered-category, Low-severity license...).
Desired Behavior
Packages that clearly indicate commercial license (i.e., NPM packages with "UNLICENSED" in their license SPDX field) should have their licenses reported in a category suitable for commercial licenses. Since Trivy doesn't have a commercial category, the best category would be "unknown".
Actual Behavior
NPM packages marked "UNLICENSED" are categorized as "unencumbered", with LOW severity.
Reproduction Steps
1. Install an NPM package under commercial license, with SPDX-ID field "UNLICENSED". Here's one: https://www.npmjs.com/package/@license-cop/unlicensed-test-package Alternatively, edit the package.json of an already-installed NPM package: "license": "UNLICENSED",
2. Run a trivy license scan on the project or directory where the package is installed.
3. Observe the output, you'll find this package's license categorized as "unencumbered", LOW severity.
Label: kind/bug (Categorizes issue or PR as related to a bug.)
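To make the distinction the report is asking for concrete, here is an added example (not Trivy's code) of a small classifier that treats npm's "UNLICENSED" sentinel as unknown/UNKNOWN while the SPDX "Unlicense" stays unencumbered/LOW. The `naiveClassify` function is a constructed model of the suspected mix-up (a case-insensitive prefix match), not a claim about how Trivy actually matches licenses; `classify` shows the exact-match approach that avoids it.

```go
package main

import "strings"

// Category and severity labels as they appear in the issue's report output.
const (
	CatUnencumbered = "unencumbered"
	CatUnknown      = "unknown"
	SevLow          = "LOW"
	SevUnknown      = "UNKNOWN"
)

// Constructed one-entry SPDX-ID -> category table, not Trivy's real data.
var spdxCategories = map[string]string{"Unlicense": CatUnencumbered}
// npm's package.json sentinel for a proprietary package; not an SPDX ID.
const npmUnlicensed = "UNLICENSED"

// severityFor maps a category to the severity the issue reports for it.
func severityFor(category string) string {
	if category == CatUnencumbered {
		return SevLow
	}
	return SevUnknown
}

// naiveClassify models the suspected bug: a case-insensitive prefix match
// lets "UNLICENSED" land in the bucket of the SPDX "Unlicense".
func naiveClassify(name string) (category, severity string) {
	lower := strings.ToLower(strings.TrimSpace(name))
	for id, cat := range spdxCategories {
		if strings.HasPrefix(lower, strings.ToLower(id)) {
			return cat, severityFor(cat)
		}
	}
	return CatUnknown, SevUnknown
}

// classify checks the npm sentinel before the SPDX table, then requires an
// exact (case-sensitive) SPDX identifier match.
func classify(name string) (category, severity string) {
	name = strings.TrimSpace(name)
	if name == npmUnlicensed {
		return CatUnknown, SevUnknown // proprietary, never "unencumbered"
	}
	if cat, ok := spdxCategories[name]; ok {
		return cat, severityFor(cat)
	}
	return CatUnknown, SevUnknown
}
```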
Target: Filesystem
Scanner: License
Output Format: Table
Mode: Standalone
Debug Output:
Operating System: linux
Version:
Checklist: trivy clean --all