Description

I realise this is more of a design decision than a bug, but I'm not sure where else to ask about it. My customers are mostly businesspeople involved in the closed-source world. The biggest worry they have, and the biggest reason they want to scan code, is the accidental inclusion of code under a "strong copyleft" license, like GPL and AGPL. These roughly correspond to the HIGH and CRITICAL severities in Trivy's output. Meanwhile they are much more comfortable with "weak copyleft" licenses like MPL or EPL, which Trivy grades as MEDIUM severity. I feel like I speak for a solid majority of the legal and business world when I say that the LGPL is more like MPL than like GPL, in terms of its "severity". I am currently post-processing Trivy output so that LGPL shows as MEDIUM, letting me prioritize the real HIGH (and of course CRITICAL and UNKNOWN) severity issues. Aside from backward compatibility, is there a reason why Trivy rates the LGPL as "HIGH"?

(On a related note, the categories are slightly confusing. Surely GPL is a "reciprocal" license too.)

I think the relevant code is pkg/licensing/category.go, which defines ForbiddenLicenses (which corresponds to CRITICAL in the output), RestrictedLicenses (=> HIGH), ReciprocalLicenses (=> MEDIUM), NoticeLicenses (=> LOW), and UnencumberedLicense (=> also LOW).

(Hey... line 193 in category.go. Why is WTFPL in the "forbidden" category??? It should be in "unencumbered".)

Desired Behavior

LGPL (all versions) should show up in Trivy license scan output as MEDIUM severity.

Actual Behavior

LGPL (all versions) ranks as HIGH severity.

Reproduction Steps

Scan any code containing a package declared as LGPL, or scan a directory containing a copy of the LGPL (any version).

Target: Filesystem
Scanner: License
Output Format: Table
Mode: Standalone
Debug Output: n/a
Operating System: any
Version: 0.51.2
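The post above mentions post-processing Trivy's output so that LGPL is graded MEDIUM. The script below is an added example of that workaround; it is not code from the thread, from the poster, or from the Trivy project. It assumes the JSON report layout that `trivy fs --scanners license -f json` produces (a top-level `Results` list whose entries carry a `Licenses` list of findings with `Name`, `Category`, `Severity`, `PkgName`/`FilePath` fields) and the category-to-severity mapping the post describes. It also demotes WTFPL to "unencumbered", the second point raised in the post. The embedded sample report is constructed by hand for the demonstration.

```python
"""Re-grade license findings in a Trivy JSON report (added example, not Trivy code).

Assumes the report shape emitted by ``trivy fs --scanners license -f json``:
{"Results": [{"Licenses": [{"Name": ..., "Category": ..., "Severity": ...}]}]}
"""
import json
import sys
from collections import Counter
from typing import Optional

# Category -> severity as Trivy's table output presents them (per the post).
SEVERITY_OF = {
    "forbidden": "CRITICAL",
    "restricted": "HIGH",
    "reciprocal": "MEDIUM",
    "notice": "LOW",
    "permissive": "LOW",
    "unencumbered": "LOW",
    "unknown": "UNKNOWN",
}

# Local policy: license-name prefix -> category it should be graded under.
# Prefixes match "NAME" or "NAME-<anything>", so every LGPL version
# (LGPL-2.0, LGPL-2.1, LGPL-3.0, LGPL-3.0-or-later, ...) is caught while
# GPL-2.0 or the unrelated SPDX id LGPLLR are left alone.
RECLASSIFY = {
    "LGPL": "reciprocal",     # weak copyleft, like MPL/EPL -> MEDIUM
    "WTFPL": "unencumbered",  # not a "forbidden" license -> LOW
}

# Severities the post treats as "real" problems worth gating a build on.
BLOCKING = ("CRITICAL", "HIGH", "UNKNOWN")


def new_category(name: str) -> Optional[str]:
    """Return the replacement category for ``name``, or None to keep Trivy's."""
    for prefix, category in RECLASSIFY.items():
        if name == prefix or name.startswith(prefix + "-"):
            return category
    return None


def reclassify(report: dict) -> dict:
    """Return a deep copy of ``report`` with the local policy applied."""
    out = json.loads(json.dumps(report))  # deep copy; leave the input untouched
    for result in out.get("Results", []):
        for lic in result.get("Licenses", []):
            category = new_category(lic.get("Name", ""))
            if category is not None:
                lic["Category"] = category
                lic["Severity"] = SEVERITY_OF[category]
    return out


def severity_counts(report: dict) -> Counter:
    """Number of findings per severity, for a quick before/after comparison."""
    counts = Counter()
    for result in report.get("Results", []):
        for lic in result.get("Licenses", []):
            counts[lic.get("Severity", "UNKNOWN")] += 1
    return counts


def blocking_findings(report: dict, block=BLOCKING) -> list:
    """(subject, license, severity) for findings still at a blocking severity."""
    return [
        (lic.get("PkgName") or lic.get("FilePath"), lic["Name"], lic["Severity"])
        for result in report.get("Results", [])
        for lic in result.get("Licenses", [])
        if lic.get("Severity") in block
    ]


# Constructed sample in the shape of a Trivy license report (not real scan output).
SAMPLE_REPORT = {
    "Results": [
        {"Target": "go.mod", "Class": "license", "Licenses": [
            {"PkgName": "libfoo", "Name": "LGPL-2.1", "Category": "restricted", "Severity": "HIGH"},
            {"PkgName": "libbar", "Name": "GPL-3.0", "Category": "restricted", "Severity": "HIGH"},
            {"PkgName": "wtf", "Name": "WTFPL", "Category": "forbidden", "Severity": "CRITICAL"},
            {"PkgName": "baz", "Name": "MPL-2.0", "Category": "reciprocal", "Severity": "MEDIUM"},
        ]},
        {"Target": "Loose File License(s)", "Class": "license-file", "Licenses": [
            {"FilePath": "vendor/COPYING", "Name": "LGPL-3.0", "Category": "restricted", "Severity": "HIGH"},
        ]},
    ]
}


def main(argv) -> int:
    """Usage: python regrade.py [trivy-report.json]; exit 1 if blockers remain."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_REPORT
    fixed = reclassify(report)
    print("before:", dict(severity_counts(report)))
    print("after: ", dict(severity_counts(fixed)))
    blockers = blocking_findings(fixed)
    for subject, name, severity in blockers:
        print(f"{severity}: {subject} ({name})")
    return 1 if blockers else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against a real report with `trivy fs --scanners license -f json -o report.json . && python regrade.py report.json`; the exit status makes it usable as a CI gate. The prefix check deliberately requires a trailing `-` so that policy entries cannot accidentally match longer, unrelated identifiers.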
Replies: 2 comments 3 replies
Please reference the document: https://aquasecurity.github.io/trivy/v0.53/docs/scanner/license/

As documented, the category is defined according to Google License Classification. Also, Google has a library classifying licenses: https://github.com/google/licenseclassifier

Our approach is defining the default category based on the library's category, and making it customizable. You can customize the categories of LGPL, WTFPL, etc.
Thanks, that makes sense. It's probably not worth your effort to maintain a version of the code that's different from Google's, but I can't resist noting that Google's document calls out LGPL as not really belonging in the same category as GPL. Also, it lists WTFPL as a "notice" license, which is still technically not correct, but at least it's the right severity level.