
@silverwind (Member) commented Oct 14, 2025

Use trivy to generate licenses.txt at build time. This removes the generated content from the repo and completely moves the file generation to build time, run right before webpack. On my machine, this generation currently takes 2.7s.

The new output format is SPDX, which brings the benefit that it is machine-parseable while still being human-readable. The format does not include the verbatim license text, but imho that is also not needed because most dependencies' licenses can be classified.

Fixes: #33749

Example output format
SPDXVersion: SPDX-2.3
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: .
DocumentNamespace: http://trivy.dev/filesystem/.-1cb0ecbc-e763-4f82-add5-7f5fd2ea8668
Creator: Organization: aquasecurity
Creator: Tool: trivy-dev
Created: 2025-10-14T14:37:15Z

##### Package: uv.lock

PackageName: uv.lock
SPDXID: SPDXRef-Application-3bc52fafdd5c33c7
PackageDownloadLocation: NONE
PrimaryPackagePurpose: APPLICATION
FilesAnalyzed: false

##### Package: pnpm-lock.yaml

PackageName: pnpm-lock.yaml
SPDXID: SPDXRef-Application-4dd11b331f6f1923
PackageDownloadLocation: NONE
PrimaryPackagePurpose: APPLICATION
FilesAnalyzed: false

##### Package: go.mod

PackageName: go.mod
SPDXID: SPDXRef-Application-e90da172ca54b427
PackageDownloadLocation: NONE
PrimaryPackagePurpose: APPLICATION
FilesAnalyzed: false

##### Package: .

PackageName: .
SPDXID: SPDXRef-Filesystem-1465386cfbe4e9c7
PackageDownloadLocation: NONE
PrimaryPackagePurpose: SOURCE
FilesAnalyzed: false

##### Package: @types/d3-time-format

PackageName: @types/d3-time-format
SPDXID: SPDXRef-Package-102e7d815e97b408
PackageVersion: 4.0.3
PackageSupplier: NOASSERTION
PackageDownloadLocation: NONE
PrimaryPackagePurpose: LIBRARY
FilesAnalyzed: false
PackageSourceInfo: package found in: pnpm-lock.yaml
PackageLicenseConcluded: MIT
PackageLicenseDeclared: MIT
ExternalRef: PACKAGE-MANAGER purl pkg:npm/%40types/[email protected]

@GiteaBot GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Oct 14, 2025
@GiteaBot GiteaBot added lgtm/need 1 This PR needs approval from one additional maintainer to be merged. and removed lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. labels Oct 14, 2025
@silverwind (Member Author)

I've moved the make target that generates it to be a dependency of generate-go, which is the most accurate place for it because go generate will generate the bindata in which licenses.txt is included. It's certainly better than having it run before webpack because the webpack build does not depend on this file anymore.

@TheFox0x7 (Contributor) left a comment

MIT license says:

[...]
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

This doesn't carry either of those, so IMO we would not be compliant with the MIT license. I haven't reviewed apache-2.0, MPL-2 and whatever else there is, apart from BSD0 which has no obligations.

@GiteaBot GiteaBot added lgtm/blocked A maintainer has reservations with the PR and thus it cannot be merged and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels Oct 14, 2025
@silverwind (Member Author)

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

I don't think this applies to someone using software as a dependency, or otherwise 99.9% of software would violate this clause. I think there may be ways to obtain license text out of trivy, but last I checked, this is complicated and error-prone.

@silverwind (Member Author) commented Oct 14, 2025

Seems there is some problem with GOEXPERIMENT (related to json v2) when running this tool:

imports encoding/json/jsontext: build constraints exclude all Go files in /opt/hostedtoolcache/go/1.25.1/x64/src/encoding/json/jsontext

@silverwind (Member Author)

I don't know what is up with GOEXPERIMENT and why we unset it in the actions workflow files, but I don't want to deal with this now, so I've moved the generation back to the frontend targets.

@silverwind (Member Author) commented Oct 14, 2025

This doesn't carry either of those so IMO we would not be compliant with MIT license. I haven't reviewed apache-2.0, MPL-2 and whatever else there is apart from BSD0 which has no obligations.

No software in the world packages their dependencies' license texts. Not GitHub, not Gitlab, not Forgejo (which has entirely removed the licence.txt file). Why exactly would we have to? I think you should reconsider your stance (and block).

@lunny (Member) commented Oct 14, 2025

MIT license says:

[...]
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

This doesn't carry either of those so IMO we would not be compliant with MIT license. I haven't reviewed apache-2.0, MPL-2 and whatever else there is apart from BSD0 which has no obligations.

I believe it’s compliant to include the license file only in the binary, as long as the product provides a clear and easily accessible link to it. However, in practice, some license scanners may not automatically detect this information. To address that, we could add a license notice in the repository that explains how to generate the license file.

@silverwind (Member Author)

I think there may be ways to obtain license text out of trivy, but last I checked, this is complicated and error-prone.

Actually there are no ways to obtain the license text with trivy. There is a Text property in the JSON output, but it's always empty (which might be a bug in trivy).

@TheFox0x7 (Contributor)

See chrome://credits/ and about:license in Firefox, ThirdPartyLegalNotices.html in Steam, and LibreOffice's LICENSE.html as a few counterexamples I have on hand right now. I'm not saying it's very common to find (unless you're looking for it), but it's a thing that exists.
I'm not implying that the web UI has to serve the licenses, but in my understanding the binary has to include this information.

Why exactly would we have to? I think you should reconsider your stance

Because copyright and licensing? The fact that many applications skip this doesn't mean it is compliant with the license, or right.
If you have an argument as to why the line PackageLicenseConcluded: {SPDX-Id} is compliant with the obligations from the {SPDX-Id} license, and it's true for any {SPDX-Id} that is in the file, I'll be glad to hear it.

@silverwind (Member Author)

The outputting of licence text was always purely voluntary from Gitea's side; there was never any hard requirement for it. If there is a way to do it with trivy, I would add it, but sadly this is not supported currently.

@TheFox0x7 (Contributor)

To be clear on this, I will approve this as well once I am certain or convinced it's compliant with the obligations from the licenses, or at the very least not a regression in this area.

The outputting of licence text was always purely voluntary from Gitea's side; there was never any hard requirement for it.

I understand it as outputting to the end user through the frontend, which is true. However, there is a hard requirement for carrying it in general.

SPDX does have fields for copyright and license text from what I see, and an SBOM with those filled in would IMO meet all of the obligations from the licenses. Sadly, trivy does not fill those out.

The deduped list of obligations looks as follows (omitting dual-licensed ones because it's just an OR/AND of two from the list).

Taken mostly from reading the obligations in the license text and skimming https://tldrlegal.com.

  • Apache-2.0 - copy of license (and copyright but in source code)
  • BSD-0-Clause - none
  • BSD-2-Clause - copyright and license
  • BSD-3-Clause - copyright and license
  • BlueOak-1.0.0 - copy of the license
  • CC-BY-3.0 - copyright and link to license
  • CC-BY-4.0 - copyright and link to license
  • CC0-1.0 - none that apply
  • CPAL-1.0 - obviously we pick CPAL, which I honestly got lost reading and trying to find how it's applicable.
  • ISC - copyright and license are required
  • MIT - copyright and license are required
  • MPL-2.0 - copyright and license are required as well as link to upstream
  • Python-2.0 - copyright and license are required, it's a dependency so we're not required to list changes (it's also debatable if we distribute it)
  • Unlicense - no obligations
  • ~~XZ~~ bad detection, it's public domain - no obligations

@silverwind (Member Author) commented Oct 16, 2025

One thing I may change is the format, because SPDX is too verbose imho for something that's effectively only meant to be read by end users. I think a simple table-like view would also suffice and be much more concise. For example:

-----------------------------------------------------
Package                 | Version   | License
-----------------------------------------------------
depname1                | 1.2.3     | MIT 
depname2                | 2.3.4     | BSD-3-clause
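As an added illustration (not code from this PR, from Gitea or from trivy), a small Go parser for the tag:value output shown in the PR description: it reduces each LIBRARY record to the Package/Version/License columns of the proposed table, and then lists the packages whose concluded license, per the obligations list given earlier in this thread, requires notice text that such a table cannot carry. SampleSPDX is a constructed excerpt, and mapping a missing PackageLicenseConcluded to NOASSERTION is this example's own convention.

```go
package main

import "strings"

// SampleSPDX is a constructed excerpt shaped like the trivy tag:value output above (not real trivy output).
const SampleSPDX = "SPDXVersion: SPDX-2.3\nCreator: Tool: trivy-dev\n\n" +
	"##### Package: pnpm-lock.yaml\nPackageName: pnpm-lock.yaml\nPrimaryPackagePurpose: APPLICATION\n\n" +
	"PackageName: @types/d3-time-format\nPackageVersion: 4.0.3\nPrimaryPackagePurpose: LIBRARY\nPackageLicenseConcluded: MIT\n\n" +
	"PackageName: example-unclassified\nPackageVersion: 0.1.0\nPrimaryPackagePurpose: LIBRARY\n"
// Package is one SPDX package record reduced to the three columns of the table proposed above.
type Package struct{ Name, Version, License string }

// noticeRequired holds the identifiers from this thread's obligations list that require notice and/or license text in a binary distribution.
var noticeRequired = map[string]bool{"MIT": true, "ISC": true, "BSD-2-Clause": true, "BSD-3-Clause": true,
	"Apache-2.0": true, "MPL-2.0": true, "BlueOak-1.0.0": true, "Python-2.0": true}

// ParseSPDX returns the LIBRARY packages of an SPDX tag:value document in order; a record begins at each PackageName tag.
func ParseSPDX(doc string) []Package {
	var pkgs []Package
	cur := map[string]string{}
	flush := func() {
		if cur["PrimaryPackagePurpose"] == "LIBRARY" {
			lic := cur["PackageLicenseConcluded"]
			if lic == "" {
				lic = "NOASSERTION" // no license tag means the scanner could not classify the package
			}
			pkgs = append(pkgs, Package{cur["PackageName"], cur["PackageVersion"], lic})
		}
		cur = map[string]string{}
	}
	for _, line := range strings.Split(doc, "\n") {
		// Split at the first colon only ("Creator: Tool: x"); blank and "#####" lines land under harmless keys.
		tag, val, _ := strings.Cut(strings.TrimSpace(line), ":")
		if tag == "PackageName" {
			flush()
		}
		cur[tag] = strings.TrimSpace(val)
	}
	flush()
	return pkgs
}

// NoticeGaps returns the packages whose license obliges carrying notice or license text (or is unclassified),
// i.e. exactly what a name/version/license table cannot satisfy.
func NoticeGaps(pkgs []Package) (gaps []string) {
	for _, p := range pkgs {
		if noticeRequired[p.License] || p.License == "NOASSERTION" {
			gaps = append(gaps, p.Name+" ("+p.License+")")
		}
	}
	return gaps
}
```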

@TheFox0x7 (Contributor)

I have double-checked my understanding of the obligations from the MIT, BSD3 and ISC licenses and it's a hard NACK from a compliance standpoint.
I don't see any scenario where the list of licenses you propose comes remotely close to matching the obligations.

Neither of the proposed formats carries what is required by the license. If anything, I was informed that the current format is not sufficient in the first place, as it does not meet the obligations from BSD-3-clause (in particular the 2nd clause, because we do not distribute it in documentation or other materials provided with the distribution).

MIT license, emphasis mine

Copyright

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the “Software”), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

ISC license, emphasis mine

Copyright

Permission to use, copy, modify, and/or distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies.

THE SOFTWARE IS PROVIDED “AS IS” AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

BSD-3-Clause license, emphasis mine

Copyright

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

  1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

  2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

  3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

@silverwind silverwind marked this pull request as draft October 20, 2025 17:34