Ignore license by package name

[kanton10062006]

Description

Hello,

It would be nice if you added the ability to ignore some particular packages within package.json during license scanning.
The main reason for this is that for now, it is possible to ignore the entire license using the License ID which is not as flexible as I hoped.
For example - I bought a license for some particular package and would like to ignore it within my checks rather than ignoring the entire license at all.

Something like this:

licenses:
  - id: MIT
    package: react-dom

Thanks

Target

Filesystem

Scanner

License

[kanton10062006]

I found this similar thread related to the license scanner which was closed with the most recent trivy release- #6118
But as I can see in PR it was added only for vulnerabilities - #6178

Any plans to add it to the license scanner which was originally requested?

Apart from that why it was decided to use PURLs?
For example, if I have such findings, how can I know the PURL of the internmap package?
It does not seem to me as user-friendly...

├──────────────────────────────────────────┼────────────────────────┼────────────────┼──────────┤
│ d3-array                                 │ ISC                    │ Notice         │ LOW      │
├──────────────────────────────────────────┤                        │                │          │
│ d3-color                                 │                        │                │          │
├──────────────────────────────────────────┼────────────────────────┤                │          │
│ d3-ease                                  │ BSD-3-Clause           │                │          │
├──────────────────────────────────────────┼────────────────────────┤                │          │
│ d3-format                                │ ISC                    │                │          │
├──────────────────────────────────────────┤                        │                │          │
│ d3-interpolate                           │                        │                │          │
├──────────────────────────────────────────┤                        │                │          │
│ d3-path                                  │                        │                │          │
├──────────────────────────────────────────┤                        │                │          │
│ d3-scale                                 │                        │                │          │
├──────────────────────────────────────────┤                        │                │          │
│ d3-shape                                 │                        │                │          │
├──────────────────────────────────────────┤                        │                │          │
│ d3-time                                  │                        │                │          │
├──────────────────────────────────────────┤                        │                │          │
│ d3-time-format                           │                        │                │          │
├──────────────────────────────────────────┤                        │                │          │
│ d3-timer                                 │                        │                │          │
├──────────────────────────────────────────┼────────────────────────┤                │          │
│ hoist-non-react-statics                  │ BSD-3-Clause           │                │          │
├──────────────────────────────────────────┼────────────────────────┤                │          │
│ internmap                                │ ISC                    │                │          │
├──────────────────────────────────────────┼────────────────────────┤                │          │
│ qs                                       │ BSD-3-Clause           │                │          │
├──────────────────────────────────────────┤                        │                │          │
│ react-transition-group                   │                        │                │          │
│                                          │                        │                │          │
│                                          │                        │                │          │
├──────────────────────────────────────────┤                        │                │          │
│ source-map                               │                        │                │          │
├──────────────────────────────────────────┼────────────────────────┼────────────────┤          │
│ tslib                                    │ 0BSD                   │ Unencumbered   │          │

Thanks and looking forward to some reply

[kanton10062006]

A rego policy looks like a workaround - https://github.com/aquasecurity/trivy/pull/6004/files

[tstraley]

I am also interested in this request.

When using trivy to help monitor and report on license usage in a product, occasionally there may be a restricted license that gets flagged as a HIGH severity, but then after review and evaluation of the specific package it is deemed as acceptable for use within the product.

In such cases, it would be nice to be able to ignore / suppress / lower the severity of that specific package, while not ignoring all packages using that specific license.

Today, trivy supports using --ignored-licenses, or putting specific licenses in the .trivyignore.yaml, but those would suppress all findings for that license ID. Trivy also supports custom classification of licenses, but again, that would change the classification for all packages using a particular license, rather than being able to manually mark one specific package as approved for use despite it's severity/classification.

Bonus request:
With any configuration for ignoring / suppressing license scan results (whether by license ID or by package), it would be great to be able to use the recent --show-suppressed flag to be able to show those packages / licenses as ignored, rather that removing them completely from the results.

[nikpivkin]

Hi @kanton10062006 !

You are right, you can use Rego to filter licenses. Using Rego will allow you the flexibility to customize the filtering.

/cc @tstraley