Expose a rules_license PackageInfo from imported dependencies
#2054
Comments
|
I've been keeping an eye on this too. It will likely be easier for Python when Licensing is standardized in PEP 639. It will support SPDX expressions as part of Core Metadata 2.4 |
|
+1 for this getting added to rules_python. If anyone wants to take a stab at it, I can answer questions about pip machinery and help in this way. |
|
Assuming we had the license information, does this boil down to adding |
|
And being able to determine which license is appropriate from package metadata -- I think so. Was thinking about whether this would be a useful addition a bit back and the only constraint I can think of is |
|
Yeah, +1 to the overall feature. It should be easy to add the loads for rules_license. From what groodt said, it sounds like hard part will be getting the license info from whatever artifact was downloaded from pypi? |
Yes. It's quite messy at the moment. You can grab some license info but it's messy and all over the place. From the PEP. """ As a result, on average, Python packages tend to have more ambiguous and missing license information than other common ecosystems. As is typical for Python, due to it's age, a lot of it is messier than some of the other language ecosystems. I think the PEP is going to be accepted though. |
|
This request is the for |
|
Ah, got it. Is there an example from other rules? My understanding of purl spec is that you can easily build it from the discrete components. pkg:pypi/[email protected] https://github.com/package-url/purl-spec/blob/master/PURL-TYPES.rst It's unclear to me what should happen if a mirror or local/fork of a package is used instead of a canonical package from pypi for example. |
|
The I plan on adding this to |
|
Is the prefix for python packages always It seems the only necessary metadata to be added here are name and version? Is py_library the appropriate place for the metadata? Does it only apply to dependencies fetched from an index? What about vendored libraries? |
I don't think so. From what I understand, the way the license stuff works is you specify a package-level value, e.g. [1] Though I swear I thought they changed this name to something like "default_metadata" or something |
|
When constructing an SBOM, having the You can use a add additional information to a purl to specify things like the |
pip_parseallows us to import third party dependencies, but the imports lack enough information for us to generate an SBOM. It would be useful if targets imported from third party python deps were annotated with aPackageInfofromrules_license(notably, thepurlis incredibly useful for generating CycloneDX format SBOMs).While it might be possible to add this information in a custom way, adopting
rules_licenseallows SBOMs to be generated without adding special logic to each ruleset.The text was updated successfully, but these errors were encountered: