bug(license): Trivy doesn't detect all SPDX license IDs #9491
Description
Description
Trivy detects SPDX license IDs by using
trivy/pkg/licensing/expression/category.go
Lines 429 to 433 in aec8885
However, the license categories don’t include all SPDX license IDs:
Missed SPDX license IDs
- 3D-Slicer-1.0
- AAL
- ADSL
- AMD-newlib
- AMDPLPA
- AML
- AML-glslang
- AMPAS
- ANTLR-PD
- ANTLR-PD-fallback
- APAFML
- APL-1.0
- ASWF-Digital-Assets-1.0
- ASWF-Digital-Assets-1.1
- Abstyles
- AdaCore-doc
- Adobe-2006
- Adobe-Display-PostScript
- Adobe-Glyph
- Adobe-Utopia
- Afmparse
- Aladdin
- App-s2p
- Arphic-1999
- Artistic-dist
- Aspell-RU
- BSD-1-Clause
- BSD-2-Clause-Darwin
- BSD-2-Clause-Patent
- BSD-2-Clause-Views
- BSD-2-Clause-first-lines
- BSD-2-Clause-pkgconf-disclaimer
- BSD-3-Clause-HP
- BSD-3-Clause-Modification
- BSD-3-Clause-No-Military-License
- BSD-3-Clause-No-Nuclear-License
- BSD-3-Clause-No-Nuclear-License-2014
- BSD-3-Clause-No-Nuclear-Warranty
- BSD-3-Clause-Open-MPI
- BSD-3-Clause-Sun
- BSD-3-Clause-acpica
- BSD-3-Clause-flex
- BSD-4-Clause-Shortened
- BSD-4.3RENO
- BSD-4.3TAHOE
- BSD-Advertising-Acknowledgement
- BSD-Attribution-HPND-disclaimer
- BSD-Inferno-Nettverk
- BSD-Source-Code
- BSD-Source-beginning-file
- BSD-Systemics
- BSD-Systemics-W3Works
- BUSL-1.1
- Baekmuk
- Bahyph
- Barr
- Beerware
- BitTorrent-1.0
- BitTorrent-1.1
- Bitstream-Charter
- Bitstream-Vera
- BlueOak-1.0.0
- Boehm-GC
- Boehm-GC-without-fee
- Borceux
- Brian-Gladman-2-Clause
- Brian-Gladman-3-Clause
- C-UDA-1.0
- CAL-1.0
- CAL-1.0-Combined-Work-Exception
- CATOSL-1.1
- CC-BY-2.5-AU
- CC-BY-3.0-AT
- CC-BY-3.0-AU
- CC-BY-3.0-DE
- CC-BY-3.0-IGO
- CC-BY-3.0-NL
- CC-BY-3.0-US
- CC-BY-NC-3.0-DE
- CC-BY-NC-ND-3.0-DE
- CC-BY-NC-ND-3.0-IGO
- CC-BY-NC-SA-2.0-DE
- CC-BY-NC-SA-2.0-FR
- CC-BY-NC-SA-2.0-UK
- CC-BY-NC-SA-3.0-DE
- CC-BY-NC-SA-3.0-IGO
- CC-BY-ND-3.0-DE
- CC-BY-SA-2.0-UK
- CC-BY-SA-2.1-JP
- CC-BY-SA-3.0-AT
- CC-BY-SA-3.0-DE
- CC-BY-SA-3.0-IGO
- CC-PDDC
- CC-PDM-1.0
- CC-SA-1.0
- CDL-1.0
- CDLA-Permissive-1.0
- CDLA-Permissive-2.0
- CDLA-Sharing-1.0
- CECILL-1.0
- CECILL-1.1
- CECILL-2.0
- CECILL-2.1
- CECILL-B
- CECILL-C
- CERN-OHL-1.1
- CERN-OHL-1.2
- CERN-OHL-P-2.0
- CERN-OHL-S-2.0
- CERN-OHL-W-2.0
- CFITSIO
- CMU-Mach
- CMU-Mach-nodoc
- CNRI-Jython
- CNRI-Python
- CNRI-Python-GPL-Compatible
- COIL-1.0
- CPAL-1.0
- CPOL-1.02
- CUA-OPL-1.0
- Caldera
- Caldera-no-preamble
- Catharon
- ClArtistic
- Clips
- Community-Spec-1.0
- Condor-1.1
- Cornell-Lossless-JPEG
- Cronyx
- Crossword
- CryptoSwift
- CrystalStacker
- Cube
- D-FSL-1.0
- DEC-3-Clause
- DL-DE-BY-2.0
- DL-DE-ZERO-2.0
- DOC
- DRL-1.0
- DRL-1.1
- DSDP
- DocBook-DTD
- DocBook-Schema
- DocBook-Stylesheet
- DocBook-XML
- Dotseqn
- ECL-1.0
- ECL-2.0
- EFL-1.0
- EFL-2.0
- EPICS
- EUDatagrid
- EUPL-1.0
- EUPL-1.1
- EUPL-1.2
- Elastic-2.0
- Entessa
- ErlPL-1.1
- Eurosym
- FBM
- FDK-AAC
- FSFAP
- FSFAP-no-warranty-disclaimer
- FSFUL
- FSFULLR
- FSFULLRSD
- FSFULLRWD
- FSL-1.1-ALv2
- FSL-1.1-MIT
- Fair
- Ferguson-Twofish
- Frameworx-1.0
- FreeBSD-DOC
- Furuseth
- GCR-docs
- GD
- GFDL-1.1
- GFDL-1.2
- GFDL-1.3
- GL2PS
- GLWTPL
- GPL-1.0+
- GPL-2.0+
- GPL-3.0+
- Game-Programming-Gems
- Giftware
- Glide
- Glulxe
- Graphics-Gems
- Gutmann
- HDF5
- HIDAPI
- HP-1986
- HP-1989
- HPND
- HPND-DEC
- HPND-Fenneberg-Livingston
- HPND-INRIA-IMAG
- HPND-Intel
- HPND-Kevlin-Henney
- HPND-MIT-disclaimer
- HPND-Markus-Kuhn
- HPND-Netrek
- HPND-Pbmplus
- HPND-UC
- HPND-UC-export-US
- HPND-doc
- HPND-doc-sell
- HPND-export-US
- HPND-export-US-acknowledgement
- HPND-export-US-modify
- HPND-export2-US
- HPND-merchantability-variant
- HPND-sell-MIT-disclaimer-xserver
- HPND-sell-regexpr
- HPND-sell-variant
- HPND-sell-variant-MIT-disclaimer
- HPND-sell-variant-MIT-disclaimer-rev
- HTMLTIDY
- HaskellReport
- Hippocratic-2.1
- IBM-pibs
- ICU
- IEC-Code-Components-EULA
- IJG
- IJG-short
- IPA
- ISC-Veillard
- Imlib2
- Info-ZIP
- Inner-Net-2.0
- InnoSetup
- Intel
- Intel-ACPI
- Interbase-1.0
- JPL-image
- JPNIC
- JSON
- Jam
- JasPer-2.0
- Kastrup
- Kazlib
- Knuth-CTAN
- LAL-1.2
- LAL-1.3
- LGPL-2.0+
- LGPL-2.1+
- LGPL-3.0+
- LGPLLR
- LOOP
- LPD-document
- LPPL-1.0
- LPPL-1.1
- LPPL-1.2
- LPPL-1.3a
- LPPL-1.3c
- LZMA-SDK-9.11-to-9.20
- LZMA-SDK-9.22
- Latex2e
- Latex2e-translated-notice
- Leptonica
- LiLiQ-P-1.1
- LiLiQ-R-1.1
- LiLiQ-Rplus-1.1
- Linux-man-pages-1-para
- Linux-man-pages-copyleft
- Linux-man-pages-copyleft-2-para
- Linux-man-pages-copyleft-var
- Lucida-Bitmap-Fonts
- MIPS
- MIT-0
- MIT-CMU
- MIT-Click
- MIT-Festival
- MIT-Khronos-old
- MIT-Modern-Variant
- MIT-Wu
- MIT-advertising
- MIT-enna
- MIT-feh
- MIT-open-group
- MIT-testregex
- MITNFA
- MMIXware
- MPEG-SSG
- MPL-2.0-no-copyleft-exception
- MS-LPL
- MS-RL
- MTLL
- Mackerras-3-Clause
- Mackerras-3-Clause-acknowledgment
- MakeIndex
- Martin-Birgmeier
- McPhee-slideshow
- Minpack
- MirOS
- Motosoto
- MulanPSL-1.0
- MulanPSL-2.0
- Multics
- Mup
- NAIST-2003
- NASA-1.3
- NBPL-1.0
- NCBI-PD
- NCGL-UK-2.0
- NCL
- NGPL
- NICTA-1.0
- NIST-PD
- NIST-PD-fallback
- NIST-Software
- NLOD-1.0
- NLOD-2.0
- NLPL
- NOSL
- NPOSL-3.0
- NRL
- NTIA-PD
- NTP
- NTP-0
- Naumen
- Net-SNMP
- NetCDF
- Newsletr
- Nokia
- Noweb
- Nunit
- O-UDA-1.0
- OAR
- OCCT-PL
- OCLC-2.0
- ODC-By-1.0
- ODbL-1.0
- OFFIS
- OFL-1.0
- OFL-1.0-RFN
- OFL-1.0-no-RFN
- OFL-1.1
- OFL-1.1-RFN
- OFL-1.1-no-RFN
- OGC-1.0
- OGDL-Taiwan-1.0
- OGL-Canada-2.0
- OGL-UK-1.0
- OGL-UK-2.0
- OGL-UK-3.0
- OGTSL
- OLDAP-1.1
- OLDAP-1.2
- OLDAP-1.3
- OLDAP-1.4
- OLDAP-2.0
- OLDAP-2.0.1
- OLDAP-2.1
- OLDAP-2.2
- OLDAP-2.2.1
- OLDAP-2.2.2
- OLDAP-2.3
- OLDAP-2.4
- OLDAP-2.5
- OLDAP-2.6
- OLDAP-2.7
- OLDAP-2.8
- OLFL-1.3
- OML
- OPL-1.0
- OPL-UK-3.0
- OPUBL-1.0
- OSET-PL-2.1
- OpenPBS-2.3
- OpenSSL-standalone
- OpenVision
- PADL
- PDDL-1.0
- PPL
- PSF-2.0
- Parity-6.0.0
- Parity-7.0.0
- Pixar
- Plexus
- PolyForm-Noncommercial-1.0.0
- PolyForm-Small-Business-1.0.0
- Python-2.0.1
- QPL-1.0-INRIA-2004
- Qhull
- RHeCos-1.1
- RPL-1.1
- RPL-1.5
- RPSL-1.0
- RSA-MD
- RSCPL
- Rdisc
- Ruby-pty
- SAX-PD
- SAX-PD-2.0
- SCEA
- SGI-OpenGL
- SGP4
- SHL-0.5
- SHL-0.51
- SISSL
- SISSL-1.2
- SL
- SMAIL-GPL
- SMLNJ
- SMPPL
- SNIA
- SOFA
- SPL-1.0
- SSH-OpenSSH
- SSH-short
- SSLeay-standalone
- SSPL-1.0
- SUL-1.0
- SWL
- Saxpath
- SchemeReport
- Sendmail
- Sendmail-8.23
- Sendmail-Open-Source-1.1
- SimPL-2.0
- Soundex
- Spencer-86
- Spencer-94
- Spencer-99
- StandardML-NJ
- SugarCRM-1.1.3
- Sun-PPP
- Sun-PPP-2000
- SunPro
- Symlinks
- TAPR-OHL-1.0
- TCL
- TCP-wrappers
- TGPPL-1.0
- TMate
- TORQUE-1.1
- TOSL
- TPDL
- TPL-1.0
- TTWL
- TTYP0
- TU-Berlin-1.0
- TU-Berlin-2.0
- TermReadKey
- ThirdEye
- TrustedQSL
- UCAR
- UCL-1.0
- UMich-Merit
- URT-RLE
- Ubuntu-font-1.0
- Unicode-3.0
- UnixCrypt
- Unlicense-libtelnet
- Unlicense-libwhirlpool
- VOSTROM
- VSL-1.0
- Vim
- Watcom-1.0
- Widget-Workshop
- Wsuipa
- X11-distribute-modifications-variant
- X11-swapped
- XFree86-1.1
- XSkat
- Xdebug-1.03
- Xerox
- Xfig
- YPL-1.0
- YPL-1.1
- Zed
- Zeeff
- Zimbra-1.3
- Zimbra-1.4
- any-OSI
- any-OSI-perl-modules
- bcrypt-Solar-Designer
- blessing
- bzip2-1.0.5
- bzip2-1.0.6
- check-cvs
- checkmk
- copyleft-next-0.3.0
- copyleft-next-0.3.1
- curl
- cve-tou
- diffmark
- dtoa
- dvipdfm
- eCos-2.0
- eGenix
- etalab-2.0
- fwlw
- gSOAP-1.3b
- generic-xts
- gnuplot
- gtkbook
- hdparm
- iMatix
- jove
- libpng-1.6.35
- libpng-2.0
- libselinux-1.0
- libtiff
- libutil-David-Nugent
- lsof
- magaz
- mailprio
- man2html
- metamail
- mpi-permissive
- mpich2
- mplus
- ngrep
- pkgconf
- pnmstitch
- psfrag
- psutils
- python-ldap
- radvd
- snprintf
- softSurfer
- ssh-keyscan
- swrule
- threeparttable
- ulem
- w3m
- wwl
- wxWindows
- xinetd
- xkeyboard-config-Zinoviev
- xlock
- xpp
- xzoom
That’s why Trivy incorrectly uses the name field for some SPDX license IDs.
See the example: #9042 (comment)