Status: Open
Labels: enhancement (Feature enhancements)
Description
What would you like to be added:
Currently, there is no way to choose one license over another when a package in the SBOM declares multiple licenses.
There should be a mode in which a package is allowed as long as at least one of its licenses is whitelisted, disregarding blacklisted licenses of the same package.
Example: snippet from a CycloneDX SBOM

```json
"licenses": [
  {
    "license": {
      "id": "EPL-2.0"
    }
  },
  {
    "license": {
      "id": "GPL-2.0-with-classpath-exception"
    }
  }
],
```
Or, similarly, another package in the same SBOM that uses an OR expression:

```json
"licenses": [
  {
    "expression": "MIT OR Apache-2.0 OR LGPL-2.1-or-later"
  }
],
```
grant.yaml

```yaml
rules:
  - pattern: "EPL-*"
    name: "EPL"
    mode: "allow"
    reason: "EPL is compatible with our project"
  - pattern: "*"
    name: "reject everything else"
    mode: "deny"
    reason: "All licenses need to be explicitly allowed"
```
Why is this needed:
Some packages have an OR in their license and I would like to pick the one suited to my needs without whitelisting the other license or excluding the package manually.
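As an added illustration (not grant's own code) of the two evaluation modes discussed above, a small Python checker applies the issue's grant.yaml rules to both CycloneDX license forms shown, once with the current "every license must be allowed" behaviour and once with the requested "any allowed license is enough" mode. First-glob-match-wins rule ordering and splitting only on OR are assumptions made for this example.

```python
import fnmatch
import re

# Constructed rules mirroring the grant.yaml in the issue (reason fields omitted).
RULES = [
    {"pattern": "EPL-*", "name": "EPL", "mode": "allow"},
    {"pattern": "*", "name": "reject everything else", "mode": "deny"},
]

# Constructed CycloneDX "licenses" arrays, copied from the two packages in the issue.
PKG_DUAL = [{"license": {"id": "EPL-2.0"}},
            {"license": {"id": "GPL-2.0-with-classpath-exception"}}]
PKG_EXPR = [{"expression": "MIT OR Apache-2.0 OR LGPL-2.1-or-later"}]


def license_ids(licenses):
    """Flatten a CycloneDX 'licenses' array into a list of SPDX ids.

    Handles the {"license": {"id": ...}} form and the {"expression": "A OR B"}
    form. Assumption: only OR is split; an AND expression is kept whole because
    the package requires all of its parts.
    """
    ids = []
    for entry in licenses:
        if "license" in entry:
            ids.append(entry["license"]["id"])
        elif "expression" in entry:
            ids.extend(p.strip("() ") for p in re.split(r"\s+OR\s+", entry["expression"]))
    return ids


def first_match(license_id, rules):
    # First matching rule wins; patterns are globs as in the issue's grant.yaml.
    for rule in rules:
        if fnmatch.fnmatchcase(license_id, rule["pattern"]):
            return rule
    return None


def package_allowed(licenses, rules, any_allowed=False):
    """Default mode: every declared license must hit an allow rule.
    any_allowed=True: one allowed license is enough (the mode the issue asks for)."""
    verdicts = {lid: (first_match(lid, rules) or {}).get("mode") == "allow"
                for lid in license_ids(licenses)}
    if not verdicts:
        return False  # no license information at all: treat as denied (assumption)
    return any(verdicts.values()) if any_allowed else all(verdicts.values())
```

With the rules above, the EPL/GPL package is rejected in the default mode and accepted in the any-allowed mode, while the MIT OR Apache-2.0 OR LGPL package is rejected in both until one of those ids gets an allow rule.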