fly316/PX4-Autopilot
7
0
Fork 0
mirror of https://gitee.com/mirrors_PX4/PX4-Autopilot.git synced 2026-04-14 10:07:39 +08:00
Code Issues Packages Projects Releases Wiki Activity
PX4-Autopilot/Tools/ci/license-overrides.yaml
Ramon Roche 685f9248e4 fix(sbom): fix false positives in monthly license audit 
Three issues caused the monthly audit to report already-resolved submodules:

1. The audit workflow grepped for "NOASSERTION" anywhere in the output,
   matching the Detected column even when the Final column had a valid
   override (e.g. libtomcrypt detected as NOASSERTION but overridden to
   Unlicense). Changed to grep for "<-- UNRESOLVED" marker instead.

2. Submodules with an explicit NOASSERTION override in license-overrides.yaml
   (like libfc-sensor-api, which is proprietary) were still counted as
   failures. Now treated as "acknowledged" since someone intentionally
   added the override entry.

3. Added missing BSD-3-Clause override for sitl_gazebo-classic (PX4 org
   project with no LICENSE file in repo).

Fixes #26932

Signed-off-by: Ramon Roche <mrpollo@gmail.com>
2026-04-02 11:15:30 -06:00

63 lines
2.1 KiB
YAML
Raw Permalink Blame History

# SPDX license overrides for submodules where auto-detection fails or is wrong.
# Each entry maps a submodule path to its SPDX license identifier and an
# optional comment explaining why the override exists.
#
# Run `python3 Tools/ci/generate_sbom.py --verify-licenses` to validate.
overrides:
src/modules/mavlink/mavlink:
license: "LGPL-3.0-only AND MIT"
comment: "Generator is LGPL-3.0; PX4 ships only MIT-licensed generated headers."
Tools/simulation/gazebo-classic/sitl_gazebo-classic:
license: "BSD-3-Clause"
comment: >-
PX4 org project. No LICENSE file in repo; source files carry
BSD-3-Clause headers consistent with the PX4 project license.
src/lib/cdrstream/cyclonedds:
license: "EPL-2.0 OR BSD-3-Clause"
comment: >-
Dual-licensed. PX4 elects BSD-3-Clause.
No board currently enables CONFIG_LIB_CDRSTREAM.
src/lib/cdrstream/rosidl:
license: "Apache-2.0"
src/lib/crypto/monocypher:
license: "BSD-2-Clause OR CC0-1.0"
comment: >-
Dual-licensed. LICENCE.md offers BSD-2-Clause with CC0-1.0 as
public domain fallback.
src/lib/crypto/libtomcrypt:
license: "Unlicense"
comment: "Public domain dedication. Functionally equivalent to Unlicense."
src/lib/crypto/libtommath:
license: "Unlicense"
comment: "Public domain dedication. Functionally equivalent to Unlicense."
platforms/nuttx/NuttX/nuttx:
license: "Apache-2.0"
comment: >-
Composite LICENSE (6652 lines) includes BSD/MIT/ISC sub-components.
Primary license is Apache-2.0. NOTICE file contains FAT LFN patent warnings.
platforms/nuttx/NuttX/apps:
license: "Apache-2.0"
boards/modalai/voxl2/libfc-sensor-api:
license: "NOASSERTION"
comment: >-
No LICENSE file in repo. README describes it as public interface
for proprietary sensor library.
boards/modalai/voxl2/src/lib/mpa/libmodal-json:
license: "LGPL-3.0-only"
comment: "LGPL-3.0 weak copyleft. Used via header includes in VOXL2 mpa library."
boards/modalai/voxl2/src/lib/mpa/libmodal-pipe:
license: "LGPL-3.0-only"
comment: "LGPL-3.0 weak copyleft. Used via header includes in VOXL2 mpa library."
Reference in New Issue View Git Blame Copy Permalink