mirror of
https://gitee.com/mirrors_PX4/PX4-Autopilot.git
synced 2026-04-14 10:07:39 +08:00
685f9248e4
Three issues caused the monthly audit to report already-resolved submodules: 1. The audit workflow grepped for "NOASSERTION" anywhere in the output, matching the Detected column even when the Final column had a valid override (e.g. libtomcrypt detected as NOASSERTION but overridden to Unlicense). Changed to grep for "<-- UNRESOLVED" marker instead. 2. Submodules with an explicit NOASSERTION override in license-overrides.yaml (like libfc-sensor-api, which is proprietary) were still counted as failures. Now treated as "acknowledged" since someone intentionally added the override entry. 3. Added missing BSD-3-Clause override for sitl_gazebo-classic (PX4 org project with no LICENSE file in repo). Fixes #26932 Signed-off-by: Ramon Roche <mrpollo@gmail.com>
63 lines
2.1 KiB
YAML
63 lines
2.1 KiB
YAML
# SPDX license overrides for submodules where auto-detection fails or is wrong.
|
|
# Each entry maps a submodule path to its SPDX license identifier and an
|
|
# optional comment explaining why the override exists.
|
|
#
|
|
# Run `python3 Tools/ci/generate_sbom.py --verify-licenses` to validate.
|
|
|
|
overrides:
|
|
src/modules/mavlink/mavlink:
|
|
license: "LGPL-3.0-only AND MIT"
|
|
comment: "Generator is LGPL-3.0; PX4 ships only MIT-licensed generated headers."
|
|
|
|
Tools/simulation/gazebo-classic/sitl_gazebo-classic:
|
|
license: "BSD-3-Clause"
|
|
comment: >-
|
|
PX4 org project. No LICENSE file in repo; source files carry
|
|
BSD-3-Clause headers consistent with the PX4 project license.
|
|
|
|
src/lib/cdrstream/cyclonedds:
|
|
license: "EPL-2.0 OR BSD-3-Clause"
|
|
comment: >-
|
|
Dual-licensed. PX4 elects BSD-3-Clause.
|
|
No board currently enables CONFIG_LIB_CDRSTREAM.
|
|
|
|
src/lib/cdrstream/rosidl:
|
|
license: "Apache-2.0"
|
|
|
|
src/lib/crypto/monocypher:
|
|
license: "BSD-2-Clause OR CC0-1.0"
|
|
comment: >-
|
|
Dual-licensed. LICENCE.md offers BSD-2-Clause with CC0-1.0 as
|
|
public domain fallback.
|
|
|
|
src/lib/crypto/libtomcrypt:
|
|
license: "Unlicense"
|
|
comment: "Public domain dedication. Functionally equivalent to Unlicense."
|
|
|
|
src/lib/crypto/libtommath:
|
|
license: "Unlicense"
|
|
comment: "Public domain dedication. Functionally equivalent to Unlicense."
|
|
|
|
platforms/nuttx/NuttX/nuttx:
|
|
license: "Apache-2.0"
|
|
comment: >-
|
|
Composite LICENSE (6652 lines) includes BSD/MIT/ISC sub-components.
|
|
Primary license is Apache-2.0. NOTICE file contains FAT LFN patent warnings.
|
|
|
|
platforms/nuttx/NuttX/apps:
|
|
license: "Apache-2.0"
|
|
|
|
boards/modalai/voxl2/libfc-sensor-api:
|
|
license: "NOASSERTION"
|
|
comment: >-
|
|
No LICENSE file in repo. README describes it as public interface
|
|
for proprietary sensor library.
|
|
|
|
boards/modalai/voxl2/src/lib/mpa/libmodal-json:
|
|
license: "LGPL-3.0-only"
|
|
comment: "LGPL-3.0 weak copyleft. Used via header includes in VOXL2 mpa library."
|
|
|
|
boards/modalai/voxl2/src/lib/mpa/libmodal-pipe:
|
|
license: "LGPL-3.0-only"
|
|
comment: "LGPL-3.0 weak copyleft. Used via header includes in VOXL2 mpa library."
|