Closed
Description
We should likely consider ABOUT files as "curations" for packages, and they would likely override other scan and manifest data collection.
Here is a design:
Using ABOUT files for overrides and curations
Say I have reviewed and curated the origin and license of this JAR
https://repo1.maven.org/maven2/log4j/log4j/1.2.13/log4j-1.2.13.jar
This is stored in an ABOUT file and a license file this way, side by side:
- apache-2.0.LICENSE
- log4j.NOTICE
- log4j-1.2.13.jar.ABOUT
The ABOUT file has this content:
```yaml
about_resource: log4j-1.2.13.jar
name: log4j
version: 1.2.13
download_url: https://repo1.maven.org/maven2/log4j/log4j/1.2.13/log4j-1.2.13.jar
package_url: pkg:maven/log4j/log4j@1.2.13
license_expression: apache-2.0
notice_file: log4j.NOTICE
licenses:
  - key: apache-2.0
    name: Apache License 2.0
    file: apache-2.0.LICENSE
```
These could live anywhere in the codebase inputs, typically on the FROM side of a d2d pipeline to start with, but they could also be on the TO side or added as an extra input.
I would like that:
- the package described by this ABOUT file is added to the project packages
- any "log4j-1.2.13.jar" present on the "TO" side of a d2d is mapped to this ABOUT file and treated as belonging to this package (including any extracted content)
- no further matching, mapping or scanning takes place for these resources, and the involved resources are marked with a status that tells they have been processed
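As an added example of the flow described above (this is illustrative code written for this note, not code from the issue or from the scancode.io project), the block below parses the ABOUT file, registers a package from it, maps every TO-side resource that is the named archive or was extracted from it, marks those resources and the ABOUT-side files as processed, and leaves the rest for the regular matching and scanning steps. The `Resource` and `Package` classes are a hypothetical stand-in for a pipeline's codebase model, the `<archive>-extract/` layout for extracted content is an assumption, and the sample codebase paths are constructed.

```python
"""Apply an ABOUT file as a curation override on a d2d-style codebase (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Union

# Constructed sample: the ABOUT file content from the issue.
ABOUT_TEXT = """\
about_resource: log4j-1.2.13.jar
name: log4j
version: 1.2.13
download_url: https://repo1.maven.org/maven2/log4j/log4j/1.2.13/log4j-1.2.13.jar
package_url: pkg:maven/log4j/log4j@1.2.13
license_expression: apache-2.0
notice_file: log4j.NOTICE
licenses:
  - key: apache-2.0
    name: Apache License 2.0
    file: apache-2.0.LICENSE
"""


def parse_about(text: str) -> Dict[str, Union[str, List[Dict[str, str]]]]:
    """Parse the small YAML subset used by ABOUT files: top-level 'key: value'
    lines plus lists of mappings ('- key: value' blocks). A real pipeline would
    use a YAML library; this keeps the example dependency-free."""
    data: Dict[str, Union[str, List[Dict[str, str]]]] = {}
    current_list: Optional[List[Dict[str, str]]] = None
    current_item: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if stripped.startswith("- "):
            if current_list is None:
                raise ValueError(f"list item outside of a list: {raw!r}")
            current_item = {}
            current_list.append(current_item)
            key, _, value = stripped[2:].partition(":")
            current_item[key.strip()] = value.strip()
        elif raw[0].isspace() and current_item is not None:
            key, _, value = stripped.partition(":")
            current_item[key.strip()] = value.strip()
        else:
            key, _, value = stripped.partition(":")
            key, value = key.strip(), value.strip()
            if value:
                data[key] = value
                current_list = current_item = None
            else:
                current_list = data[key] = []  # a list of mappings follows
                current_item = None
    return data


@dataclass
class Resource:
    """Hypothetical codebase resource; stands in for the pipeline's model."""
    path: str                       # e.g. "to/lib/log4j-1.2.13.jar"
    side: str                       # "from" or "to" in a d2d pipeline
    status: str = ""                # empty: still a candidate for matching/scanning
    package_url: Optional[str] = None


@dataclass
class Package:
    purl: str
    name: str
    version: str
    download_url: str
    license_expression: str
    about_file: str                 # which ABOUT file this package came from


def resource_is_covered(path: str, about_resource: str) -> bool:
    """True for the archive named in about_resource and for anything extracted
    from it (assumed '<archive>-extract/' directory layout)."""
    parts = path.split("/")
    return about_resource in parts or f"{about_resource}-extract" in parts


def apply_about_curation(about_file: str, about_text: str, resources: List[Resource]) -> Package:
    """Register the package from the ABOUT file, map covered TO-side resources
    to it and mark every involved resource so later steps skip it."""
    about = parse_about(about_text)
    package = Package(
        purl=about["package_url"], name=about["name"], version=about["version"],
        download_url=about["download_url"], license_expression=about["license_expression"],
        about_file=about_file,
    )
    about_dir = about_file.rsplit("/", 1)[0] + "/" if "/" in about_file else ""
    sidecars = {about_file, about_dir + about["notice_file"]}
    sidecars.update(about_dir + lic["file"] for lic in about["licenses"])
    for res in resources:
        if res.side == "to" and resource_is_covered(res.path, about["about_resource"]):
            res.package_url = package.purl
            res.status = "mapped-from-about"
        elif res.path in sidecars:
            res.status = "about-file-processed"
    return package


def pending(resources: List[Resource]) -> List[str]:
    """Paths that still need the regular matching/mapping/scanning steps."""
    return [r.path for r in resources if not r.status]


def sample_codebase() -> List[Resource]:
    """Constructed codebase: ABOUT sidecars on the FROM side, the JAR and its
    extracted content plus an unrelated JAR on the TO side."""
    return [
        Resource("from/curation/log4j-1.2.13.jar.ABOUT", "from"),
        Resource("from/curation/log4j.NOTICE", "from"),
        Resource("from/curation/apache-2.0.LICENSE", "from"),
        Resource("to/lib/log4j-1.2.13.jar", "to"),
        Resource("to/lib/log4j-1.2.13.jar-extract/org/apache/log4j/Logger.class", "to"),
        Resource("to/lib/commons-io-2.4.jar", "to"),
    ]


if __name__ == "__main__":
    codebase = sample_codebase()
    pkg = apply_about_curation("from/curation/log4j-1.2.13.jar.ABOUT", ABOUT_TEXT, codebase)
    print(pkg.purl, "->", [r.path for r in codebase if r.package_url == pkg.purl])
    print("still to scan:", pending(codebase))
```

The status values are only illustrative; the point is that the mapping step runs before matching and scanning and that anything it marks is filtered out of the later steps, so a curated ABOUT file wins over scan-derived data rather than merely being merged with it.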