license type and severity - LGPL should not be the same category as GPL

[nartreb]

Description

I realise this is more of a design decision than a bug, but not sure where else to ask about it.

My customers are mostly businesspeople involved in the closed-source world. The biggest worry they have, and the biggest reason they want to scan code, is the accidental inclusion of code under a "strong copyleft" licenses, like GPL and AGPL. These roughly correspond to the HIGH and CRITICAL severities in Trivy's output.

Meanwhile they are much more comfortable with "weak copyleft" licenses like MPL or EPL - which trivy grades as MEDIUM severity.

I feel like I speak for a solid majority of the legal and business world when I say that the LGPL is more like MPL than like GPL, in terms of its "severity". I am currently post-processing trivy output so that LGPL shows as MEDIUM , letting me prioritize the real HIGH (and of course CRITICAL and UNKNOWN) -severity issues.

Aside from backward compatibillity, is there a reason why trivy rates the LGPL as "HIGH"?

(On a related note, the categories are slightly confusing. Surely GPL is a "reciprocal" license too. )

I think the relevant code is pkg/licensing/category.go, which defines ForbiddenLicenses (which corresponds to CRITICAL in the output) , RestrictedLicenses ( => HIGH) , ReciprocalLicenses ( => MEDIUM ), NoticeLicenses (=> LOW), and UnencumberedLicense (=> also LOW).

(Hey... line 193 in category.go . Why is WTFPL in the "forbidden" category??? It should be in "unencumbered" . )

Desired Behavior

LGPL (all versions) should show up in trivy license scan output as MEDIUM severity.

Actual Behavior

LGPL (all versions) rank as HIGH severity

Reproduction Steps

scan any code containing a package declared as LGPL, or scan a directory containing a copy of the LGPL (any version)

Target

Filesystem

Scanner

License

Output Format

Table

Mode

Standalone

Debug Output

n/a

Operating System

any

Version

0.51.2

Checklist

• Run trivy clean --all
• Read the troubleshooting

[knqyf263]

Please reference the document.
https://aquasecurity.github.io/trivy/v0.53/docs/scanner/license/

As documented, the category is defined according to Google License Classification.

Also, Google has a library classifying licenses.
https://github.com/google/licenseclassifier

Our approach is defining the default category based on the library's category, and making it customizable. You can customize the categories of LGPL, WTFPL, etc.

[nartreb]

Thanks, that makes sense. It's probably not worth your effort to maintain a version of the code that's different from Google's, but I can't resist noting that Google's document calls out LGPL as not really belonging in the same category as GPL. Also it lists WTFPL as a "notice" license, which is still technically not correct, but at least it's the right severity level.
The documentation for customizing categories is not very clear. I see how to generate a Yaml file, and editing it is easy... but then what? How do I tell trivy to use the new yaml file? Does trivy always look for a file named "trivy.yaml" in some particular location?

[knqyf263]

https://aquasecurity.github.io/trivy/v0.53/docs/references/configuration/config-file/

[nartreb]

That doesn't actually say what the default path to the config file is. I'm guessing it's the current directory, since that's what your doc says for trivy-secret.yaml.
IMO that needs to be crystal clear in the documentation, since it's a recipe for inconsistent behavior. I've got trivy installed in /usr/local/bin, I don't expect to be in any particular directory when I call it, so I'll need to remember to use the --config flag every time. (OK, I'd set up an alias instead, but the point is: I wouldn't know I need to do that just by reading the documentation.)

[knqyf263]

OK, we'll update the document.