gitea-mirror/trivy
1
0
Fork 0
mirror of https://github.com/aquasecurity/trivy.git synced 2025-12-12 15:50:15 -08:00
Code Issues Packages Projects Releases Wiki Activity

feat(license): use separate SPDX ids to ignore SPDX expressions (#9087)

Browse Source 
Co-authored-by: DmitriyLewen <91113035+DmitriyLewen@users.noreply.github.com>
Co-authored-by: DmitriyLewen <dmitriy.lewen@smartforce.io>
This commit is contained in:
Yuta Tokoi
2025-11-01 19:31:59 +11:00
committed by GitHub
parent 18c0ee86f3
commit 012f3d7535
6 changed files with 133 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
docs/docs/configuration/filtering.md
View File

@@ -280,8 +280,7 @@ Trivy supports the [.trivyignore](#trivyignore) and [.trivyignore.yaml](#trivyig
| Vulnerability | ✓ |
| Misconfiguration | ✓ |
| Secret | ✓ |
| License | |
| License | |
```bash
$ cat .trivyignore
@@ -300,6 +299,10 @@ AVD-DS-0002
# Ignore secrets
generic-unwanted-rule
aws-account-id
# Ignore licenses
GPL-3.0
Apache-2.0 WITH LLVM-exception
```
```bash
@@ -324,7 +327,7 @@ Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
#### .trivyignore.yaml
| Scanner | Supported |
|:----------------:|:---------:|
| :--------------: | :-------: |
| Vulnerability | ✓ |
| Misconfiguration | ✓ |
| Secret | ✓ |
@@ -378,8 +381,24 @@ licenses:
- id: GPL-3.0 # License name is used as ID
paths:
- "usr/share/gcc/python/libstdcxx/v6/__init__.py"
- id: MIT AND GPL-2.0-or-later # Compound license expressions are supported
- id: Apache-2.0 WITH LLVM-exception # License expressions with exceptions are supported
- id: LLVM-exception # Individual license components or exceptions can be ignored
```
!!! info "Enhanced License Expression Support"
Trivy supports filtering complex SPDX license expressions including:
- **Compound expressions** with AND/OR operators: `MIT AND GPL-2.0-or-later`
- **License exceptions** with WITH operator: `Apache-2.0 WITH LLVM-exception`
- **Individual components**: You can ignore specific license components or exceptions from compound expressions
When filtering compound expressions:
- **AND/OR expressions**: All individual license components must be explicitly ignored for the entire expression to be ignored
- **WITH expressions**: License expressions with exceptions are treated as single entities and can be ignored as a whole
- **Component matching**: You can also ignore individual license names or exception names to filter specific parts of compound expressions
Since this feature is experimental, you must explicitly specify the YAML file path using the `--ignorefile` flag.
Once this functionality is stable, the YAML file will be loaded automatically.