
License should be marked as violated only in case there is no other allowed license #949

Closed
shahar-h opened this issue Apr 30, 2024 · 4 comments

Comments

@shahar-h

shahar-h commented Apr 30, 2024

When scanning a package that declares more than one license (e.g. go-metrics, which declares both the Apache-2.0 and CC-BY-SA-4.0 licenses), a license should be marked as violated only if there is no other allowed license. Currently, when scanning the above package for license violations (osv-scanner --experimental-licenses="Apache-2.0"), a license violation appears for the package although it also declares the Apache-2.0 license, which is in our allow list.

If you agree that this is a bug, I can contribute a fix.

@shahar-h
Author

I gave this some thought and I'm not sure deps.dev can tell the difference between choice-of-license (when you can choose which license to comply with) and multi-license (when you need to comply with both licenses). Any idea?

@oliverchang
Collaborator

oliverchang commented May 1, 2024

CC @josieang who is from deps.dev and contributed this feature.

@sarnesjo

sarnesjo commented May 1, 2024

Hi @shahar-h, deps.dev developer here.

There are two ecosystems for which deps.dev serves multiple licenses for a single package version when available: Go and Maven. For Maven, it is usually (but not always!) the case that multiple licenses should be joined with an implicit "OR" (this is the documented meaning, but in practice it's clear that this isn't universally accepted). For Go, multiple licenses should usually (but–again–not always!) be joined with an implicit "AND". Because we don't want to make guesses about licensing, we err on the side of caution and simply present multiple licenses as a list, for the user to interpret or investigate further if needed. Do note that, for all systems, the package author could (and should!) use an SPDX expression like Apache-2.0 AND CC-BY-SA-4.0 or Apache-2.0 OR CC-BY-SA-4.0, which would be unambiguous (and deps.dev would serve).

For more information about how deps.dev determines licenses, please see our FAQ.
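The distinction sarnesjo draws above, as an added example that is not code from osv-scanner or deps.dev: a small Go checker (the names EvalSPDX, Check and Verdict, and the allow list, are all constructed for this illustration) that evaluates an explicit SPDX expression exactly, honouring SPDX precedence (AND binds tighter than OR) and parentheses, and that treats a bare multi-license list the way the comment recommends: since the operator between the entries is unstated, it only returns a verdict when the answer is the same under both the AND and the OR reading, and otherwise reports the package as needing review instead of guessing.

```go
package main

import "fmt"
import "strings"

type Verdict string // outcome of checking one package's license declaration against an allow list

const Allowed, Violation, Ambiguous Verdict = "allowed", "violation", "ambiguous"

// parser is a small recursive-descent evaluator for SPDX expressions made of
// identifiers, AND, OR and parentheses (WITH and "+" are out of scope). It folds
// the expression straight into one bool: satisfiable with allowed licenses only?
type parser struct{ toks []string; pos int; allow map[string]bool }

func (p *parser) peek() string {
	if p.pos < len(p.toks) {
		return p.toks[p.pos]
	}
	return ""
}

func (p *parser) next() string { t := p.peek(); p.pos++; return t }

// orExpr := andExpr ("OR" andExpr)*   andExpr := atom ("AND" atom)*
// OR binds loosest, as in SPDX, so each level is the same loop over the next.
func (p *parser) orExpr() (bool, error)  { return p.chain("OR", p.andExpr, func(a, b bool) bool { return a || b }) }
func (p *parser) andExpr() (bool, error) { return p.chain("AND", p.atom, func(a, b bool) bool { return a && b }) }

func (p *parser) chain(op string, operand func() (bool, error), join func(a, b bool) bool) (bool, error) {
	v, err := operand()
	for err == nil && strings.EqualFold(p.peek(), op) {
		p.next()
		var r bool
		r, err = operand()
		v = join(v, r)
	}
	return v, err
}

// atom := "(" orExpr ")" | license-id
func (p *parser) atom() (bool, error) {
	t := p.next()
	if t == "(" {
		v, err := p.orExpr()
		if err == nil && p.next() != ")" {
			err = fmt.Errorf("missing ')'")
		}
		return v, err
	}
	if t == "" || t == ")" || strings.EqualFold(t, "AND") || strings.EqualFold(t, "OR") {
		return false, fmt.Errorf("unexpected token %q", t)
	}
	return p.allow[t], nil // an identifier outside the allow list is simply false
}

// EvalSPDX reports whether expr can be satisfied using only licenses in allow.
func EvalSPDX(expr string, allow map[string]bool) (bool, error) {
	spaced := strings.NewReplacer("(", " ( ", ")", " ) ").Replace(expr)
	p := &parser{toks: strings.Fields(spaced), allow: allow}
	v, err := p.orExpr()
	if err == nil && p.pos != len(p.toks) {
		err = fmt.Errorf("trailing token %q", p.toks[p.pos])
	}
	return v, err
}

// Check classifies a deps.dev-style declaration (one or more SPDX entries). A bare
// multi-entry list carries no operator, so it is Allowed only when every entry passes
// (true under AND and OR alike), Violation only when none passes, else Ambiguous.
func Check(licenses []string, allow map[string]bool) (Verdict, error) {
	if len(licenses) == 0 {
		return Ambiguous, fmt.Errorf("no license declared")
	}
	allOK, anyOK := true, false
	for _, l := range licenses {
		ok, err := EvalSPDX(l, allow)
		if err != nil {
			return Ambiguous, fmt.Errorf("%q: %w", l, err)
		}
		allOK, anyOK = allOK && ok, anyOK || ok
	}
	switch {
	case allOK:
		return Allowed, nil
	case anyOK:
		return Ambiguous, nil
	}
	return Violation, nil
}

func main() {
	allow := map[string]bool{"Apache-2.0": true, "MIT": true} // constructed allow list
	for _, decl := range [][]string{
		{"Apache-2.0", "CC-BY-SA-4.0"},  // bare list, as served for Go packages
		{"Apache-2.0 OR CC-BY-SA-4.0"},  // explicit choice-of-license
		{"Apache-2.0 AND CC-BY-SA-4.0"}, // both sets of obligations apply
	} {
		v, err := Check(decl, allow)
		fmt.Println(decl, "->", v, err)
	}
}
```

With the allow list above, the go-metrics-style bare list [Apache-2.0, CC-BY-SA-4.0] comes back ambiguous rather than either allowed (the reading in the opening comment) or violated (what the scanner reported), because the two entries disagree and nothing on the package says whether they are joined by AND or OR; the same pair written as an explicit SPDX expression is decided exactly, allowed for OR and violated for AND. A list whose entries all pass, or all fail, is decided without needing the operator at all. Malformed expressions ("Apache-2.0 AND", an unbalanced parenthesis) return an error instead of a verdict, which a scanner should surface as "needs review" rather than silently treat as clean.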

@shahar-h
Author

shahar-h commented May 1, 2024

Thank you!
